Chinese-speaking users are currently facing a sophisticated search engine optimization (SEO) poisoning campaign, which employs counterfeit software sites to disseminate malware. According to Pei Han Liao, a researcher at Fortinet FortiGuard Labs, the attackers have adeptly manipulated search rankings through SEO plugins and registered domains that closely resemble legitimate software sites. “By utilizing persuasive language and subtle character substitutions, they have successfully deceived victims into visiting these spoofed pages and downloading malware,” Liao explained.
This alarming activity, uncovered by Fortinet in August 2025, has resulted in the deployment of various malware families, including HiddenGh0st and Winos, both of which are variants of a remote access trojan known as Gh0st RAT. Notably, the use of Winos has been linked to a cybercrime group identified as Silver Fox, which has been active since at least 2022 and is also referred to as SwimSnake, The Great Thief of Valley, UTG-Q-1000, and Void Arachne.
Malware Delivery Mechanism
In the latest documented attack chain by Fortinet, users searching for popular tools such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, and WPS Office on Google are redirected to fraudulent sites. This redirection triggers the delivery of malware through trojanized installers. “A script named nice.js orchestrates the malware delivery process on these sites,” Fortinet noted. The script follows a multi-step chain, initially calling a download link that returns JSON data, which then leads to a secondary link pointing to another JSON response that ultimately redirects to the malicious installer.
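The "subtle character substitutions" that make these spoofed domains convincing can be screened for on the defender's side before a user ever reaches the page. The following added example (not Fortinet's code) folds a hostname's registrable label to a visual skeleton through a small homoglyph table and compares it against an assumed allow-list of legitimate download hosts for the products named here; the allow-list, the homoglyph table, the edit-distance budget and the sample hosts are all constructed for illustration, and the registrable-domain logic is a deliberate simplification (a production check would use the Public Suffix List).

```python
"""Lookalike-domain screening for software download sites.

Added example, not Fortinet's code.  LEGIT_HOSTS, HOMOGLYPHS and the sample
hosts below are constructed for illustration; the edit-distance budget is a
tuning choice, not something the article states.
"""
import unicodedata

# Assumed allow-list of legitimate download hosts for the products named in
# the article (constructed; verify against your own inventory).
LEGIT_HOSTS = {
    "deepl.com", "google.com", "signal.org", "telegram.org",
    "whatsapp.com", "wps.com",
}

# Characters that render like a Latin letter (constructed table, not exhaustive).
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l",   # digit/punct stand-ins
}


def skeleton(label: str) -> str:
    """Reduce a DNS label to its visual skeleton: NFKC fold (full-width
    letters), lower-case, single-char homoglyphs, then two-char pairs."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s)
    return s.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels only.  Simplification: real code consults the Public
    Suffix List so that names such as example.co.uk are handled correctly."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify(host: str):
    """Return (verdict, closest_legit_host) where verdict is one of
    'legit', 'lookalike', 'brand-embedded' or 'unknown'."""
    reg = registrable(host)
    if reg in LEGIT_HOSTS:
        return ("legit", reg)
    sk = skeleton(reg.split(".")[0])
    for legit in sorted(LEGIT_HOSTS):
        brand = skeleton(legit.split(".")[0])
        # One edit is tolerated only for brands long enough that a chance
        # collision is unlikely; a three-letter brand such as "wps" gets none.
        budget = 1 if len(brand) >= 5 else 0
        if levenshtein(sk, brand) <= budget:
            return ("lookalike", legit)
        if len(brand) >= 5 and brand in sk:
            return ("brand-embedded", legit)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample hosts, not domains observed in the campaign.
    for h in ["www.deepl.com", "deep1.com", "te1egrarn.org", "signaI.org",
              "whatsapp-download.com", "t\u0435legram.org", "github.com"]:
        print(h, "->", classify(h))
```

The skeleton step is what catches the digit-for-letter and Cyrillic-for-Latin swaps the article describes; the edit-distance step catches one-character typos, and the substring rule catches "brand plus download" registrations. Short brands deliberately get no edit budget, because a single edit on a three-letter label matches far too much of the legitimate DNS namespace.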
Embedded within the installer is a malicious DLL, “EnumW.dll,” designed to execute several anti-analysis checks to evade detection. This includes extracting another DLL, “vstdlib.dll,” which is engineered to inflate memory usage and slow down analysis tools. The second DLL is responsible for unpacking and launching the main payload, while also checking for the presence of 360 Total Security antivirus software on the compromised host. If detected, the malware employs TypeLib COM hijacking to establish persistence and subsequently launch a Windows executable named “insalivation.exe.” In the absence of antivirus software, persistence is achieved by creating a Windows shortcut that points to the same executable.
The ultimate objective of this infection is to sideload a DLL, “AIDE.dll,” which initiates three core functions:
- Command-and-Control (C2): Establishes communication with a remote server and exchanges data in an encrypted format.
- Heartbeat: Collects system and victim data, enumerating running processes against a hard-coded list of security products.
- Monitor: Evaluates the victim’s environment to confirm persistence, track user activity, and beacon to the C2 server.
The C2 module also supports commands to download additional plugins, log keystrokes and clipboard data, and even hijack cryptocurrency wallets associated with Ethereum and Tether. Some identified plugins are capable of monitoring the victim’s screen and have been previously linked to the Winos framework. “The installers contained both the legitimate application and the malicious payload, making it difficult for users to notice the infection,” Fortinet remarked, emphasizing the importance of scrutinizing domain names before downloading software.
Emergence of kkRAT
In a related development, Zscaler ThreatLabz has flagged a separate campaign, active since early May 2025, that targets Chinese-speaking users with a previously undocumented malware known as kkRAT, delivered alongside Winos and FatalRAT. According to Zscaler researcher Muhammed Irfan V A, kkRAT shares code similarities with both Gh0st RAT and Big Bad Wolf, a RAT typically used by cybercriminals based in China.
kkRAT employs a network communication protocol akin to Gh0st RAT, enhanced with an added encryption layer applied after data compression. Its features include clipboard manipulation to replace cryptocurrency addresses and the deployment of remote monitoring tools such as Sunlogin and GotoHTTP. Similar to the aforementioned activities, this attack campaign utilizes fake installer pages that mimic popular software like DingTalk to deliver the three trojans. The phishing sites are hosted on GitHub Pages, allowing malicious actors to exploit the trust associated with a legitimate platform for malware distribution. The GitHub account used for these pages has since been removed.
Once executed by the victim, the installer hosted on these sites conducts a series of checks to identify sandbox environments and virtual machines, and to bypass security software. It requests administrator privileges which, if granted, enable it to enumerate and temporarily disable all active network adapters, effectively disrupting the normal functioning of antivirus programs. Notably, the malware employs the Bring Your Own Vulnerable Driver (BYOVD) technique to neutralize antivirus software installed on the host by reusing code from the RealBlindingEDR open-source project. The malware specifically targets the following antivirus programs:
- 360 Internet Security suite
- 360 Total Security
- HeroBravo System Diagnostics suite
- Kingsoft Internet Security
- QQ电脑管家
Upon terminating the relevant antivirus processes, the malware creates a scheduled task that runs with SYSTEM privileges to execute a batch script, ensuring that these processes are automatically killed each time a user logs into the machine. Furthermore, it modifies Windows Registry entries for 360 Total Security, likely aiming to disable network checks. Following these actions, the malware restores network connectivity by re-enabling network adapters.
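Each of the persistence and defense-evasion steps described for the two campaigns (the per-user TypeLib COM registration and the Startup-folder shortcut in the Fortinet chain; the SYSTEM-level scheduled task and the adapter disabling here) leaves a host artefact that endpoint telemetry records, and each can be expressed as a narrow rule. The following added example (not Fortinet's or Zscaler's code) runs four such rules over constructed log lines written in a simplified `Key=Value | Key=Value` layout loosely modelled on Sysmon event types (1 process creation, 11 file creation, 13 registry value set); the field names, file paths, task names and the GUID are assumptions, and the benign lines are there to show what must not fire.

```python
"""Host-telemetry rules for the persistence and defense-evasion steps the
article describes.  Added example, not Fortinet's or Zscaler's code.  Log
lines use a constructed 'Key=Value | Key=Value' layout loosely modelled on
Sysmon (EventID 1 process create, 11 file create, 13 registry value set);
field names, paths, task names and the GUID are assumptions.
"""
import re

# Constructed sample telemetry: the first four lines carry the behaviours of
# interest, the remaining lines are benign look-alikes that must not fire.
SAMPLE_LOG = [
    r'EventID=1 | Image=C:\Windows\System32\schtasks.exe | CommandLine=schtasks /create /tn "SysHealth" /sc onlogon /ru SYSTEM /tr "C:\ProgramData\SysHealth\stopav.bat"',
    r'EventID=1 | Image=C:\Windows\System32\netsh.exe | CommandLine=netsh interface set interface "Ethernet" admin=disable',
    r'EventID=13 | TargetObject=HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes\TypeLib\{11111111-2222-3333-4444-555555555555}\1.0\0\win32 | Details=C:\Users\victim\AppData\Roaming\Updater\loader.dll',
    r'EventID=11 | TargetFilename=C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk',
    r'EventID=1 | Image=C:\Windows\System32\schtasks.exe | CommandLine=schtasks /create /tn "Backup" /sc daily /tr "C:\Tools\backup.exe"',
    r'EventID=13 | TargetObject=HKLM\SOFTWARE\Classes\TypeLib\{99999999-8888-7777-6666-555555555555}\2.0\0\win32 | Details=C:\Windows\System32\example.tlb',
    r'EventID=11 | TargetFilename=C:\Users\victim\Desktop\notes.txt',
]


def parse_event(line):
    """Split 'Key=Value | Key=Value' into a dict; values keep their spaces and
    any '=' after the first one (e.g. 'admin=disable' inside CommandLine)."""
    ev = {}
    for chunk in line.split(" | "):
        key, sep, value = chunk.partition("=")
        if sep:
            ev[key.strip()] = value.strip()
    return ev


def is_system_path(path):
    p = path.lower().replace("/", "\\")
    return p.startswith(("c:\\windows\\", "c:\\program files"))


def rule_typelib_hijack(ev):
    """A per-user (HKU) TypeLib registration pointing at a script moniker or a
    file outside the system directories.  Per-user keys shadow the machine-wide
    entry, which is what makes the hijack work and what makes them rare."""
    if ev.get("EventID") != "13":
        return False
    key = ev.get("TargetObject", "").lower()
    data = ev.get("Details", "")
    return (key.startswith("hku\\")
            and "\\software\\classes\\typelib\\" in key
            and (data.lower().startswith("script:") or not is_system_path(data)))


def rule_startup_shortcut(ev):
    """A .lnk dropped into a user's Startup folder."""
    if ev.get("EventID") != "11":
        return False
    target = ev.get("TargetFilename", "").lower()
    return "\\start menu\\programs\\startup\\" in target and target.endswith(".lnk")


SYSTEM_RUNAS = re.compile(r'/ru\s+"?(system|nt authority\\system)"?')
SCRIPT_EXT = re.compile(r"\.(bat|cmd)\b")


def rule_system_task(ev):
    """schtasks creating a task that runs a batch script as SYSTEM."""
    if ev.get("EventID") != "1" or not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
        return False
    cmd = ev.get("CommandLine", "").lower()
    return "/create" in cmd and bool(SYSTEM_RUNAS.search(cmd)) and bool(SCRIPT_EXT.search(cmd))


def rule_adapter_disable(ev):
    """netsh or PowerShell administratively disabling a network adapter."""
    if ev.get("EventID") != "1":
        return False
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if image.endswith("\\netsh.exe"):
        return "set interface" in cmd and "disable" in cmd
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return "disable-netadapter" in cmd
    return False


RULES = [
    ("typelib-com-hijack", rule_typelib_hijack),
    ("startup-shortcut", rule_startup_shortcut),
    ("system-scheduled-task", rule_system_task),
    ("network-adapter-disable", rule_adapter_disable),
]


def scan(lines):
    """Return [(line_number, rule_name)] for every rule that fires."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                findings.append((n, name))
    return findings


if __name__ == "__main__":
    for n, name in scan(SAMPLE_LOG):
        print(f"line {n}: {name}")
```

None of these rules is conclusive on its own (administrators do disable adapters and do create SYSTEM tasks), but the combination the article describes, an adapter disable followed within seconds by a SYSTEM logon task that runs a batch file, is a sequence a correlation layer can score much more aggressively than any single event.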
The primary function of the installer is to launch shellcode, which subsequently retrieves another obfuscated shellcode file named “2025.bin” from a hard-coded URL. This newly acquired shellcode acts as a downloader for an artifact named “output.log,” which reaches out to two different URLs to fetch two ZIP archives:
- trx38.zip: Contains a legitimate executable file and a malicious DLL launched using DLL side-loading.
- p.zip: Contains a file named longlq.cl, which holds the encrypted final payload.
According to Zscaler, “The malware then creates a shortcut for the legitimate executable extracted from trx38.zip, adds this shortcut to the startup folder for persistence, and executes the legitimate executable to sideload the malicious DLL.” The malicious DLL decrypts and executes the final payload from the file longlq.cl, with the specific payload varying based on the second ZIP archive downloaded.
One of the three payloads is kkRAT. After establishing a socket connection with the C2 server, the malware profiles the victim machine and acquires various plugins to perform a wide array of data-gathering tasks:
- Screen capturing and simulating user inputs, such as keyboard and mouse actions.
- Retrieving and modifying clipboard data.
- Enabling remote desktop features, including launching web browsers and terminating active processes.
- Facilitating remote command execution via a shell interface.
- Managing the windows displayed on the victim’s screen.
- Providing process management features, such as listing active processes and terminating them as needed.
- Generating a list of active network connections.
- Offering application management features, including listing installed software and uninstalling specific applications.
- Enumerating and retrieving values stored in the autorun Registry key.
- Acting as a proxy to route data between a client and server using the SOCKS5 protocol.
In addition to these plugins, kkRAT supports a comprehensive array of commands to invoke the plugins, function as a clipper to replace cryptocurrency wallet addresses copied to the clipboard, establish persistence, deploy GotoHTTP and Sunlogin, and clear data associated with various web browsers.
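Both campaigns carry a clipper that swaps a wallet address the victim has copied for one the operator controls. A host-side check for that behaviour compares what the user actually copied with what the clipboard holds shortly afterwards: an address that changes with no user copy in between is the signature. The following added example (not Zscaler's or Fortinet's code) implements that comparison over a constructed snapshot feed; it assumes a monitor that records the user's own copy actions as `user` snapshots and periodic clipboard reads as `poll` snapshots, the addresses and timings are constructed, and the address patterns are shape checks only, without checksum validation.

```python
"""Clipper detection: flag a copied wallet address that is silently replaced
in the clipboard.  Added example, not Zscaler's or Fortinet's code.  The
snapshot feed is an assumption (a monitor recording the user's copy actions
as 'user' and periodic clipboard reads as 'poll'); addresses and timings are
constructed, and the patterns are shape checks only (no checksum validation).
"""
import re

# Simplified address shapes.  Ethereum covers ERC-20 USDT (Tether) as well;
# TRON (TRC-20) is the other network on which USDT is commonly held.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def address_kind(text):
    """Return the network name if text looks like a wallet address, else None."""
    t = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return kind
    return None


def detect_clipper(snapshots):
    """snapshots: iterable of (seconds, source, content) with source 'user'
    (the user copied this) or 'poll' (a periodic clipboard read).  An alert
    is raised when a poll shows an address different from the one the user
    last copied, with no user copy in between."""
    alerts = []
    expected = None  # (text, kind, copied_at) of the last user-copied address
    for ts, source, content in snapshots:
        text = content.strip()
        kind = address_kind(text)
        if source == "user":
            # Only addresses are worth tracking; any other copy resets state.
            expected = (text, kind, ts) if kind else None
            continue
        if expected is None or kind is None:
            continue
        copied, copied_kind, copied_at = expected
        if text != copied:
            alerts.append({
                "at": ts,
                "seconds_since_copy": round(ts - copied_at, 3),
                "copied_kind": copied_kind,
                "copied": copied,
                "found_kind": kind,
                "found": text,
            })
            expected = None  # report each swap once
    return alerts


# Constructed feed: one Ethereum copy that gets swapped, one TRON copy that
# does not, and ordinary text that must be ignored.
SNAPSHOTS = [
    (0.0, "user", "meeting notes"),
    (5.0, "user", "0x" + "ab" * 20),   # user copies their own address
    (5.2, "poll", "0x" + "ab" * 20),   # still intact
    (5.4, "poll", "0x" + "cd" * 20),   # replaced with no user action -> alert
    (20.0, "user", "T" + "A" * 33),    # TRON address, left alone
    (20.2, "poll", "T" + "A" * 33),
    (30.0, "user", "hello"),
    (30.2, "poll", "hello"),
]


if __name__ == "__main__":
    for alert in detect_clipper(SNAPSHOTS):
        print(alert)
```

The check is deliberately silent when the clipboard changes to something that is not an address, because applications legitimately rewrite clipboard contents; the only event it treats as suspicious is one address replacing another without the user copying anything, which is exactly the clipper's footprint and is a sensible trigger for warning the user before they paste.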