HiddenGh0st, Winos and Kkrat Exploit SEO, github page for Chinese malware attacks

By user, September 15, 2025

Chinese-speaking users are the target of search engine optimization (SEO) poisoning campaigns that use fake software sites to distribute malware.

“The attackers manipulated search rankings using registered look-alike domains that closely mimic legitimate software sites and SEO plugins,” said Pei Han Liao, a researcher at Fortinet FortiGuard Labs. “By using persuasive language and subtle character substitutions, they tricked victims into visiting spoofed pages and downloading malware.”

The activity, discovered by the cybersecurity company in August 2025, leads to the deployment of malware families such as HiddenGh0st and Winos (also known as ValleyRAT). Both are variants of the remote access trojan known as Gh0st RAT.

It is worth noting that the use of Winos is attributed to a cybercrime group known as Silver Fox, which is also tracked as SwimSnake, Valley Thief (or The Great Thief of Valley), UTG-Q-1000, and Void Arachne. It is believed to have been active since at least 2022.

In the latest attack chain documented by Fortinet, users searching for tools like DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, WPS Office, and more are redirected to fake sites that trigger malware delivery using trojanized installers.

“A script named Nice.js controls the malware delivery process on these sites,” Fortinet explained. “The script follows a multi-step chain. First, it calls a download link that returns JSON data containing a secondary link. That secondary link points to another JSON response containing the link that redirects to the final URL of the malicious installer.”
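The two ingredients described above, a JSON-to-JSON redirect chain and look-alike domains built from character substitutions, can be modelled offline. The following is an added example, not Fortinet's code or the campaign's Nice.js: every URL, hostname and JSON body is constructed for illustration, the JSON key names ("next", "redirect", "url") are assumptions, and the look-alike check is a coarse heuristic rather than a production brand-monitoring rule.

```python
"""Offline model of a multi-hop JSON delivery chain plus a look-alike host check.
Added example; not Fortinet's or the campaign's code. All URLs, hosts and JSON
bodies below are constructed, and the link key names are assumptions."""
import json
from urllib.parse import urlparse

# Constructed responses: hop 1 returns JSON with a secondary link, hop 2 returns
# JSON with the redirect to the installer, hop 3 is the installer itself (not JSON).
FAKE_RESPONSES = {
    "https://te1egram-desktop.example/api/download": json.dumps({"next": "https://cdn.example/step2"}),
    "https://cdn.example/step2": json.dumps({"redirect": "https://dl.example/Telegram_Setup.exe"}),
    "https://dl.example/Telegram_Setup.exe": "MZ\x90\x00...",   # stands in for the PE bytes
    "https://loop.example/a": json.dumps({"next": "https://loop.example/b"}),   # a looping chain
    "https://loop.example/b": json.dumps({"next": "https://loop.example/a"}),
}

def fake_fetch(url):
    """Offline stand-in for an HTTP GET; no network access."""
    return FAKE_RESPONSES[url]

def resolve_chain(fetch, start_url, link_keys=("next", "redirect", "url"), max_hops=5):
    """Follow JSON hops until a response is not JSON or carries no further link.
    Returns (final_url, hops). The hop cap stops a looping chain from spinning."""
    url, hops = start_url, [start_url]
    for _ in range(max_hops):
        try:
            data = json.loads(fetch(url))
        except ValueError:            # not JSON: this is the final artifact
            return url, hops
        nxt = next((data[k] for k in link_keys if isinstance(data, dict) and k in data), None)
        if nxt is None:
            return url, hops
        url = nxt
        hops.append(url)
    raise RuntimeError("redirect chain exceeded %d hops" % max_hops)

BRAND_DOMAINS = ("telegram.org", "whatsapp.com", "signal.org", "deepl.com", "wps.com")

def skeleton(label):
    """Undo common character substitutions so te1egram, rnicrosoft, vvhatsapp compare
    equal to the brand they imitate."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")):
        label = label.replace(fake, real)
    return label

def lookalike_of(host):
    """Return the brand domain `host` imitates, or None when it is that brand or unrelated.
    Heuristic: brand name contained in the normalised registrable label."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS):
        return None
    labels = host.split(".")
    sld = skeleton(labels[-2] if len(labels) >= 2 else labels[0])
    for d in BRAND_DOMAINS:
        if d.split(".")[0] in sld:
            return d
    return None

def triage(fetch, start_url):
    """Resolve the chain and report any hop whose host imitates a brand."""
    final_url, hops = resolve_chain(fetch, start_url)
    hosts = {urlparse(u).hostname for u in hops}
    flagged = {h: lookalike_of(h) for h in hosts if lookalike_of(h)}
    return {"final_url": final_url, "hops": len(hops), "lookalike_hosts": flagged}

if __name__ == "__main__":
    print(triage(fake_fetch, "https://te1egram-desktop.example/api/download"))
```

The substring heuristic in `lookalike_of` over-matches short brand names (a label such as "designals" contains "signal"); a real deployment would pair it with an edit-distance threshold and a curated brand list, and would resolve the chain with HEAD requests against the live site rather than the offline table used here.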

The installer contains a malicious DLL (“enumw.dll”) that sidesteps detection by inflating memory usage and slowing performance to defeat some anti-analysis checks, and then extracts another DLL (“vstdlib.dll”).

The second DLL is designed to unpack and launch the main payload, but not before checking for the presence of the 360 Total Security antivirus software on the compromised host. If present, the malware uses a technique called TypeLib COM hijacking to set up persistence and eventually launches a Windows executable (“Insalivation.exe”).

If no antivirus software is installed on the host, persistence is achieved by creating a Windows shortcut pointing to the same executable. The ultimate goal of the infection is to sideload a DLL (“aide.dll”) that starts three core functions –

  • Command-and-control (C2), which establishes communication and exchanges data with the remote server in encrypted form
  • Heartbeat, which collects system and victim data, enumerates running processes against a hardcoded list of security product monitors, assesses the victim environment, verifies persistence, tracks user activity, and confirms beaconing to the C2 server
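TypeLib COM hijacking, the persistence route taken when 360 Total Security is present, relies on per-user type library registrations under HKCU\Software\Classes\TypeLib taking precedence over the machine-wide ones when a process resolves that type library, so an entry pointing at a scriptlet moniker or an attacker-controlled file gets loaded by a legitimate process. The page gives no registry details for this sample, so the following is an added detection example rather than Fortinet's or the malware's code: it parses a registry export in `.reg` format and flags per-user TypeLib paths that use a `script:` moniker, live outside system directories, or shadow a machine-wide registration. The GUIDs, paths and file names in the sample export are constructed.

```python
"""Find suspicious per-user TypeLib registrations in a .reg export.
Added example, not Fortinet's or the malware's code. SAMPLE_REG is constructed
(made-up GUIDs and paths) in the format produced by reg.exe export."""
import re

TYPELIB_KEY = re.compile(
    r"^\[(?P<hive>HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE|HKEY_CLASSES_ROOT)\\"
    r"(?:Software\\(?:WOW6432Node\\)?Classes\\)?TypeLib\\"
    r"(?P<guid>\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\})\\"
    r"(?P<ver>[0-9A-F.]+)\\(?P<lcid>\d+)\\(?P<arch>win32|win64)\]$",
    re.IGNORECASE,
)
TRUSTED_PREFIXES = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\")

def parse_reg_export(text):
    """Return {(hive, guid, arch): default_value} for every TypeLib win32/win64 key."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = TYPELIB_KEY.match(line)
            current = (m.group("hive").upper(), m.group("guid").upper(), m.group("arch").lower()) if m else None
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg escapes backslashes and quotes with a backslash; undo that.
            entries[current] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return entries

def find_typelib_hijacks(entries):
    """Flag HKCU TypeLib paths that look like hijacks; returns a list of findings."""
    findings = []
    for (hive, guid, arch), path in entries.items():
        if hive != "HKEY_CURRENT_USER":
            continue
        reasons = []
        if path.lower().startswith("script:"):
            reasons.append("scriptlet moniker in TypeLib path")
        elif not path.upper().startswith(TRUSTED_PREFIXES):
            reasons.append("TypeLib path outside system/program directories")
        machine = entries.get(("HKEY_LOCAL_MACHINE", guid, arch)) or entries.get(("HKEY_CLASSES_ROOT", guid, arch))
        if machine and machine.lower() != path.lower():
            reasons.append("per-user entry shadows machine-wide registration")
        if reasons:
            findings.append({"guid": guid, "arch": arch, "path": path, "reasons": reasons})
    return findings

# Constructed export: one machine-wide entry, a per-user scriptlet hijack of the
# same GUID, a per-user entry under AppData, and a benign per-user entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{11111111-2222-3333-4444-555555555555}\1.1\0\win32]
@="C:\\Windows\\System32\\sample.dll"

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{11111111-2222-3333-4444-555555555555}\1.1\0\win32]
@="script:C:\\Users\\victim\\AppData\\Roaming\\Update\\update.sct"

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\1.0\0\win32]
@="C:\\Users\\victim\\AppData\\Local\\Programs\\SomeApp\\someapp.tlb"

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{22222222-2222-2222-2222-222222222222}\1.0\0\win32]
@="C:\\Program Files\\Vendor\\vendor.tlb"
'''

if __name__ == "__main__":
    for f in find_typelib_hijacks(parse_reg_export(SAMPLE_REG)):
        print(f)
```

Exports written by reg.exe are UTF-16LE with a BOM, so decode the file accordingly before passing it in. Per-user installs legitimately register type libraries under %LOCALAPPDATA%, so the "outside system directories" rule is a triage hint; the `script:` moniker and the shadowing of an existing machine-wide GUID are the stronger signals.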

The C2 module also supports additional plugins to log keystrokes and clipboard data, and even commands to download plugins that hijack cryptocurrency wallets related to Ethereum and Tether. Some of the identified plugins can keep tabs on the victim’s screen and have previously been identified as part of the Winos framework.

“The installer contains both legitimate applications and malicious payloads, making it difficult for users to notice infections,” Fortinet said. “Even highly ranked search results are weaponized in this way, underscoring the importance of carefully inspecting domain names before downloading software.”

Chinese speakers targeted by new malware trifecta containing KKRAT

The development comes as Zscaler ThreatLabz flagged another campaign, also targeting Chinese-speaking users, that has been active since early May 2025 and delivers a previously undocumented malware called KKRAT alongside Winos and FatalRAT.

KKRAT “shares code similarity with both Gh0st RAT and Big Bad Wolf, a RAT that is generally leveraged by China-based cybercriminals,” said Muhammed Irfan VA, a researcher at Zscaler.

“KKRAT employs a network communication protocol similar to Gh0st RAT’s, with an additional encryption layer added after data compression. The RAT’s functions include clipboard operations that replace cryptocurrency addresses and the deployment of remote monitoring tools (i.e., Sunlogin and GotoHTTP).”
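To make the "Gh0st-like protocol with an extra encryption layer after compression" concrete, the following added example frames messages the way the publicly documented Gh0st RAT protocol does (a 5-byte "Gh0st" tag, the total frame length, the uncompressed length, then zlib-compressed data) and then applies a reversible layer to the compressed body. This is not KKRAT's or Zscaler's code: the page does not say which cipher KKRAT uses or whether its header is also encrypted, so the XOR layer is an assumed stand-in and the header is left in the clear. The decoder handles the framing edge cases a traffic parser actually hits: several frames in one buffer, a partial trailing frame, and a length field that disagrees with the data.

```python
"""Gh0st-style framing with an added post-compression encryption layer.
Added example, not KKRAT's or Zscaler's code. The 13-byte header layout is the
publicly documented Gh0st RAT format; the XOR layer is an assumed stand-in for
KKRAT's undisclosed cipher (assumption, see the lead-in)."""
import struct
import zlib

MAGIC = b"Gh0st"
HEADER = struct.Struct("<5sII")          # tag, total frame length, uncompressed length

def xor_layer(data, key):
    """Reversible placeholder cipher applied after compression (assumption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_frame(payload, key=None):
    """Compress, optionally encrypt, then prepend the Gh0st-style header."""
    body = zlib.compress(payload)
    if key:
        body = xor_layer(body, key)
    return HEADER.pack(MAGIC, HEADER.size + len(body), len(payload)) + body

def looks_like_gh0st(buf):
    """Cheap wire signature: tag present and the two lengths are self-consistent."""
    if len(buf) < HEADER.size:
        return False
    magic, total, orig = HEADER.unpack_from(buf)
    return magic == MAGIC and total >= HEADER.size and orig < 64 * 1024 * 1024

def decode_frames(stream, key=None):
    """Parse every complete frame in `stream`; return (payloads, unconsumed_tail).
    A partial trailing frame is left in the tail so the caller can append more bytes."""
    payloads = []
    while len(stream) >= HEADER.size:
        magic, total, orig = HEADER.unpack_from(stream)
        if magic != MAGIC or total < HEADER.size:
            raise ValueError("not a Gh0st-style frame")
        if len(stream) < total:
            break                                   # wait for the rest of this frame
        body = stream[HEADER.size:total]
        if key:
            body = xor_layer(body, key)
        payload = zlib.decompress(body)
        if len(payload) != orig:
            raise ValueError("uncompressed length does not match header")
        payloads.append(payload)
        stream = stream[total:]
    return payloads, stream

if __name__ == "__main__":
    k = b"k3y"
    wire = encode_frame(b"hostname=WIN-TEST", key=k) + encode_frame(b"beat", key=k)
    print(decode_frames(wire, key=k))
```

The practical point for detection is in `looks_like_gh0st`: a plain "Gh0st" tag and consistent lengths are enough for a network signature on the classic protocol, but once a family encrypts the body the zlib header is no longer visible, and if a variant also covers the 13-byte header the signature has to move to traffic shape (fixed-size beacons at a regular interval) or to the host.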

Similar to the activity mentioned above, the attack campaign uses a fake installer page that mimics popular software like DingTalk to deliver the three trojans. The phishing site is hosted on GitHub Pages, allowing the bad actors to abuse the trust associated with legitimate platforms for malware distribution. The GitHub account used to deploy the page is no longer available.

Once launched by a victim, the installer hosted on the site performs a series of checks to identify sandbox environments and virtual machines (VMs) and to bypass security software. It also requests administrator privileges which, if granted, let it enumerate all active network adapters and temporarily disable them, effectively interfering with the normal functioning of the antivirus program.

Another notable aspect of the malware is the use of the Bring Your Own Vulnerable Driver (BYOVD) technique to disarm antivirus software installed on the host by reusing code from the RealBlindingEDR open-source project. The malware specifically searches for the following five programs –

  • 360 Internet Security Suite
  • 360 Total Security
  • HeroBravo System Diagnostics Suite
  • Kingsoft Internet Security
  • QQ

Once the associated antivirus processes have been terminated, the malware creates scheduled tasks that run with SYSTEM privileges to ensure those processes are automatically killed each time a user logs in to the machine.

Additionally, it modifies the Windows Registry entries for 360 Total Security, along with those of the other targeted products, to disable their network checks. After all these actions have been performed, the malware re-enables the network adapters to restore the system’s network connectivity.
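A scheduled task that fires at logon, runs as SYSTEM and exists only to kill processes is a compact host-side signal for the AV-suppression step described above. The following added example (not Zscaler's or the malware's code) scores tasks exported in the Task Scheduler XML format that `schtasks /query /xml` and `Export-ScheduledTask` produce. The two sample task definitions are constructed, with made-up process and vendor names; the rule treats `taskkill`, `wmic` and shell interpreters with kill-style arguments as process terminators, which is an assumption about how such a task would typically be written rather than a detail taken from the page.

```python
"""Flag scheduled tasks that run privileged at logon/boot and terminate processes.
Added example, not Zscaler's or the malware's code. The task XML below is constructed
in the Task Scheduler export format with made-up names."""
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"
KILL_TOOLS = {"taskkill.exe", "taskkill", "cmd.exe", "powershell.exe", "pwsh.exe", "wmic.exe"}
KILL_HINTS = ("/im ", "/pid ", "stop-process", "process where", "terminate")

def analyse_task_xml(xml_text):
    """Return the task's triggers, principal, actions and a list of reasons it is suspicious."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    triggers = [t.tag.split("}")[-1] for t in trig] if trig is not None else []
    principal = root.find("t:Principals/t:Principal", NS)
    user = run_level = ""
    if principal is not None:
        user = principal.findtext("t:UserId", default="", namespaces=NS)
        run_level = principal.findtext("t:RunLevel", default="", namespaces=NS)
    actions = [(ex.findtext("t:Command", default="", namespaces=NS),
                ex.findtext("t:Arguments", default="", namespaces=NS))
               for ex in root.findall("t:Actions/t:Exec", NS)]

    at_logon = any(t in ("LogonTrigger", "BootTrigger") for t in triggers)
    privileged = user.upper() == SYSTEM_SID or run_level == "HighestAvailable"
    kills = [(c, a) for c, a in actions
             if ntpath.basename(c.strip('"')).lower() in KILL_TOOLS
             and any(h in a.lower() for h in KILL_HINTS)]
    reasons = []
    if at_logon and privileged and kills:
        reasons.append("privileged logon/boot task whose action terminates processes: %s %s" % kills[0])
    elif kills:
        reasons.append("task action terminates processes")
    return {"triggers": triggers, "user": user, "run_level": run_level,
            "actions": actions, "reasons": reasons}

# Constructed: SYSTEM task at every logon that force-kills a (made-up) AV process.
SUSPICIOUS_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\taskkill.exe</Command>
  <Arguments>/F /IM protector.exe</Arguments></Exec></Actions>
</Task>"""

# Constructed: ordinary per-user updater at logon, least privilege, no kill semantics.
BENIGN_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111111111-2222222222-3333333333-1001</UserId>
  <RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\\Program Files\\Vendor\\updater.exe"</Command>
  <Arguments>/silent</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, analyse_task_xml(xml_text)["reasons"])
```

Exported task XML is UTF-16 on disk; decode it to `str` before calling `analyse_task_xml`, as the samples above already are. Security products do register their own SYSTEM-level logon tasks, so pair this rule with the action's target (a process belonging to a different vendor than the task's author is the tell).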

The main responsibility of the installer is to launch shellcode that retrieves another obfuscated shellcode file named “2025.bin” from a hardcoded URL. This newly acquired shellcode acts as a downloader for an artifact (“output.log”) and then reaches out to two different URLs to fetch two ZIP archives –

  • TRX38.ZIP, containing a malicious DLL that is launched using DLL sideloading
  • p.zip, containing a legitimate executable and a file named Longlq.cl that holds the encrypted final payload

“The malware creates a shortcut for a legitimate executable extracted from TRX38.zip, adds this shortcut to the Startup folder for persistence, and runs the legitimate executable, which sideloads the malicious DLL,” Zscaler said. “The malicious DLL decrypts and runs the final payload from the file longlq.cl. The final payload of the campaign depends on the second ZIP archive that was downloaded.”

Attack chain of the malware campaign delivering multiple RATs

One of the three payloads is KKRAT. After establishing a socket connection with the C2 server, the malware profiles the victim machine and retrieves various plugins to perform a wide range of data collection tasks –

  • Capture and simulate user input such as keyboard and mouse actions
  • Enable remote desktop functionality such as launching a web browser or closing the shell interface
  • Get and modify clipboard data
  • Execute remote commands via the shell interface
  • Enumerate active processes and terminate a specific one
  • Enumerate and retrieve the list of values stored in the Autorun registry key
  • Act as a proxy for routing data between clients and servers using the SOCKS5 protocol

In addition to these plugins, KKRAT supports a long list of commands to invoke the plugins, act as a clipper by swapping cryptocurrency wallet addresses copied to the clipboard, set up persistence, deploy GotoHTTP and Sunlogin, and clear data associated with 360 Speed Browser, Google Chrome, Internet Explorer, Mozilla Firefox, QQ Browser, Sogou Explorer, Skype, and Telegram.

“KKRAT commands and plugins enable features such as clipboard hijacking to replace cryptocurrency wallet addresses, installing RMM tools such as Sunlogin and GotoHTTP, and relaying network traffic, which can be used to bypass firewalls and VPNs,” Zscaler said.
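The clipper behaviour attributed to both Winos (Ethereum and Tether wallets) and KKRAT has a behavioural fingerprint that does not depend on knowing the attacker's addresses: a wallet address lands on the clipboard and, a few tens of milliseconds later, is replaced by a different address of the same format, faster than any human copy action. The following added example (not KKRAT's, Winos's or Zscaler's code) applies that rule to a stream of clipboard-change events. The event list and the addresses are constructed; they are syntactically valid Ethereum/ERC-20 and Tron/TRC-20 formats, the two networks on which Tether commonly circulates, but are not real wallets.

```python
"""Detect clipper behaviour from a sequence of clipboard-change events.
Added example, not KKRAT's, Winos's or Zscaler's code. Events and addresses are
constructed: valid formats, not real wallets."""
import re

ADDRESS_FORMATS = {
    "ethereum_erc20": re.compile(r"^0x[0-9a-fA-F]{40}$"),       # ETH and ERC-20 Tether
    "tron_trc20": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),    # Tron and TRC-20 Tether (base58)
}

def classify_address(text):
    """Name the wallet format `text` matches, or None."""
    for name, pattern in ADDRESS_FORMATS.items():
        if pattern.match(text):
            return name
    return None

def detect_clipper(events, max_gap=0.5):
    """events: iterable of (timestamp_seconds, clipboard_text) in order of occurrence.
    Flags an address overwritten by a different address of the same format within
    max_gap seconds, which a user copying by hand would not produce."""
    hits, prev = [], None
    for ts, text in events:
        text = text.strip()
        kind = classify_address(text)
        if prev and kind and prev[2] == kind and prev[1] != text and ts - prev[0] <= max_gap:
            hits.append({"format": kind, "copied": prev[1], "replaced_with": text,
                         "delay_s": round(ts - prev[0], 3)})
        prev = (ts, text, kind)
    return hits

# Constructed wallet strings (format-valid only) and a constructed event stream.
ETH_A, ETH_B = "0x" + "1" * 40, "0x" + "2" * 40
TRX_A, TRX_B = "T" + "A" * 33, "T" + "B" * 33
SAMPLE_EVENTS = [
    (10.000, ETH_A), (10.040, ETH_B),     # overwritten 40 ms later: clipper
    (15.000, "meeting notes"),
    (20.000, TRX_A), (25.000, TRX_B),     # second address copied 5 s later: benign
    (30.000, TRX_A), (30.090, TRX_B),     # overwritten 90 ms later: clipper
]

if __name__ == "__main__":
    for hit in detect_clipper(SAMPLE_EVENTS):
        print(hit)
```

On Windows the events would come from a clipboard format listener (`AddClipboardFormatListener` plus `WM_CLIPBOARDUPDATE`) together with the owning window from `GetClipboardOwner`; adding that owner to each event turns the timing rule into a stronger one, since the replacement is written by a process other than the one the user copied from.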

