SEO-poisoning fake software site campaign targeting Chinese-speaking users
Campaign
Summary
Hide ▲
Show ▼
The SEO-poisoning campaign is steering Chinese-speaking users searching for software downloads toward fake software sites, raising the risk of malware infection. It uses lookalike domains and manipulated search rankings to push victims into spoofed pages. The resulting installers can drop HiddenGh0st and Winos (ValleyRAT). The operation matters because even high-ranked search results are being weaponized to deliver trojanized software.
Related Happenings
Vercel v0.dev phishing campaign using GenAI-built lure pages
Campaign
First: 07.05.2026 11:30
Last: 07.05.2026 11:30
Sources 1
About this happening:
A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...
Vercel v0.dev phishing campaign using GenAI-built lure pages
CampaignAbout this happening: A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources 1
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
CampaignAbout this happening: **Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
Mirax social media ad campaign targeting Spanish-speaking users
Campaign
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Mirax social media ad campaign targeting Spanish-speaking users
CampaignAbout this happening: The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Mirax Android banking trojan with residential proxy nodes
Malware ActivityAbout this happening: Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Claude Code leak GitHub Vidar lure campaign
Campaign
First: 02.04.2026 23:30
Last: 02.04.2026 23:30
Sources 1
About this happening:
A **malicious GitHub repository campaign** is abusing the **Claude Code leak** to deliver **Vidar** to users searching for leaked code. The lure uses a **fake leak**, **search-eng...
Claude Code leak GitHub Vidar lure campaign
CampaignAbout this happening: A **malicious GitHub repository campaign** is abusing the **Claude Code leak** to deliver **Vidar** to users searching for leaked code. The lure uses a **fake leak**, **search-eng...
Timeline
-
15.09.2025 08:47 2 articles · 8mo ago
Chinese-speaking users targeted by SEO-poisoning malware delivery
Initial DisclosureFortinet and Zscaler described malware campaigns targeting Chinese-speaking users who search for software downloads, using manipulated search rankings, lookalike domains, fake installer pages, and GitHub Pages hosting to deliver trojanized software that drops HiddenGh0st, Winos (ValleyRAT), FatalRAT, and kkRAT. The installers can bundle legitimate applications with malicious payloads, making the infection harder to notice, and some chains support anti-analysis checks, persistence, clipboard theft, keystroke logging, and cryptocurrency wallet hijacking.
Show sources
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47