SEO Poisoning Campaign Targeting Chinese Users with HiddenGh0st, Winos, and kkRAT

Timeline

1. 15.09.2025 08:47 📰 1 articles · ⏱ 14h ago

   SEO Poisoning Campaign Targeting Chinese Users with HiddenGh0st, Winos, and kkRAT

   A search engine optimization (SEO) poisoning campaign targets Chinese-speaking users to distribute malware. The campaign uses fake software sites and lookalike domains to trick users into downloading malware, including HiddenGh0st, Winos, and a new remote access trojan (RAT) called kkRAT. The malware is delivered through trojanized installers that include both legitimate and malicious payloads, making detection difficult. The campaign exploits popular software search queries and uses GitHub Pages for hosting malicious sites. The malware employs various techniques to evade detection and achieve persistence, including anti-analysis checks, TypeLib COM hijacking, and the Bring Your Own Vulnerable Driver (BYOVD) technique. The malware can perform command-and-control (C2) communication, system monitoring, and data exfiltration. The campaign has been active since at least May 2025 and involves multiple malware families.

   Show sources

   • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

   Open in new tab

Information Snippets

• The campaign targets Chinese-speaking users by manipulating search rankings with SEO plugins and lookalike domains.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• The malware families involved include HiddenGh0st, Winos, and kkRAT.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• Winos is associated with the cybercrime group Silver Fox, active since at least 2022.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• The malware is delivered through trojanized installers that include both legitimate and malicious payloads.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• The campaign exploits popular software search queries and uses GitHub Pages for hosting malicious sites.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• The malware employs anti-analysis checks, TypeLib COM hijacking, and the BYOVD technique to evade detection.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• The malware can perform C2 communication, system monitoring, and data exfiltration.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• The campaign has been active since at least May 2025 and involves multiple malware families.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• kkRAT shares code similarities with Gh0st RAT and Big Bad Wolf, typically used by China-based cybercriminals.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• kkRAT employs a network communication protocol similar to Ghost RAT, with an added encryption layer.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• The malware uses shellcode to download and execute additional payloads from hard-coded URLs.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• The malware can perform a wide range of data gathering tasks, including screen capturing, clipboard manipulation, and remote command execution.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• The malware can act as a proxy to route data between a client and server using the SOCKS5 protocol.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47

• The malware can clear data associated with various web browsers and messaging apps.

  First reported: 15.09.2025 08:47
  📰 1 source, 1 article
  Show sources

  • HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47