In August, FortiGuard Labs uncovered a campaign using SEO poisoning to target Chinese-speaking users. Attackers manipulated search rankings with plugins, pushing fraudulent domains designed to mimic trusted software providers.
The ruse was subtle. Small character swaps in domain names. Familiar branding. Language that looked legitimate. Once victims clicked, they landed on spoofed pages offering software installers, tainted with malware.
The investigation centered on a site impersonating DeepL. The installer contained the real application but also embedded malicious files. Among them, a DLL named EnumW.dll, which ran a series of anti-analysis checks before triggering its payload. These checks helped the malware dodge sandboxes, evade virtual machines, and slip past researchers.
From there, the infection chain unfolded. Fragments stored on disk were reconstructed into files like emoji.dat and vstdlib.dll. Persistence was established through registry keys, XML scripts, and shortcuts, different methods depending on whether security software such as 360 Total Security was detected. Each tactic was designed to blend in, stay hidden, and keep the malware alive.
At its core, the malware ran three modules: Heartbeat, Monitor, and Command-and-Control. Together, they collected victim data, tracked system activity, and maintained a live link to the attacker’s infrastructure. The modules were capable of keystroke logging, clipboard monitoring, plugin execution, and even crypto wallet hijacking. Variants of known malware families, including Winos, were identified.
The sophistication lay not in a single exploit but in the layering: legitimate software bundled with malicious code, installer files carrying hidden DLLs, and plugins masquerading as extensions but built to steal, all delivered through search results that appeared safe.
It’s clear that search rankings are no guarantee of trust. Bad actors know how to game the system, and users scanning for downloads remain vulnerable to poisoned results. Verifying domains and relying on official sources is not just best practice, it’s survival.
FortiGuard Labs continues to track this campaign and update defenses. But the next exploit may be only a search away.
Ensuring Maximum Infection
Mayuresh Dani, Security Research Manager, at Qualys Threat Research Unit, says this SEO poisoning campaign is interesting as it targets Chinese-speaking users alone through manipulated search rankings and lookalike domains masquerading trusted software sites like DeepL.
“These spoofed sites were “boosted” using SEO techniques to rank highly in search results, ensuring infection as users trust top-ranking results. The end result as always is installation of malware, in this case – Hiddengh0st and Winos malware variants by including legitimate application to confuse security solutions.”
Dani advises organizations to:
- Implement multilingual security awareness training for staff who may encounter Chinese-language social engineering attempts. End users are the first level of protection. This can be further cemented by conducting regular tabletop exercises simulating SEO poisoning scenarios.
- Deploy DNS filtering solutions to block known malicious domains associated with SEO poisoning.
- Implement organization-wide browser security mechanisms to detect suspicious redirections.
- Establish secure software download policies requiring downloads only from verified vendor websites.
Sending Users to Malware-Laden Sites
Chad Cragle, CISO at Deepwatch adds that SEO poisoning takes advantage and further enables some of the most successful malicious user attack techniques in play – phishing and smishing. “It is effectively working to send end users to malware-laden sites where their systems can be compromised. This isn’t new at all. SEO poisoning just lets the attackers perform these actions at scale much more easily.”
Cragle adds that malefactors are employing increasingly sophisticated scams these days. “I expect that tactics like SEO poisoning, AI-driven phishing, and multi-stage malware will continue evolving, fueling financial fraud and social engineering year-round.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.