Black Cat SEO poisoning campaign targeting Chinese software searchers
Campaign
Summary
Black Cat is using SEO poisoning to push fake software download pages into search results, steering Chinese users toward a backdoor Trojan. The lure pages abuse Microsoft Bing visibility and redirect victims through a GitHub lookalike that delivers a ZIP archive and malicious installer. The payload uses DLL sideloading to contact sbido[.]com:2869 and steal browser data, keystrokes, and clipboard contents. CNCERT/CC and ThreatBook say the activity has been active since at least 2022 and that 277,800 hosts across China were compromised in January 2025.
Related Happenings
CL Suite Chrome extension stealing Meta Business data
Malware Activity
First: 13.02.2026 13:25
Last: 13.02.2026 13:25
Sources 1
About this happening:
The **CL Suite** Chrome extension is exfiltrating **TOTP seeds**, **current 2FA codes**, and **Meta Business** data from **Meta Business Suite** and **Facebook Business Manager**...
OpenClaw public-facing RCE exposure with public exploit code remote code execution flaw
Vulnerability
First: 09.02.2026 11:30
Last: 09.02.2026 11:30
Sources 1
About this happening:
**OpenClaw** deployments exposed to the public internet face **RCE risk**, with **12,812 instances** reportedly exploitable and **public exploit code** available. SecurityScorecar...
Malicious Chrome extensions hijack affiliate links and steal ChatGPT tokens
Malware Activity
First: 30.01.2026 15:42
Last: 30.01.2026 15:42
Sources 1
About this happening:
A cluster of **malicious Google Chrome extensions** is being used to **hijack affiliate links**, **scrape product data**, and steal **OpenAI ChatGPT authentication tokens**, creat...
FBI seizure of RAMP cybercrime forum
Law Enforcement
First: 28.01.2026 19:38
Last: 28.01.2026 19:38
Sources 1
About this happening:
The **FBI** seized the **RAMP** cybercrime forum, taking down a **ransomware**-focused marketplace that had been used to advertise **malware**, **hacking services**, and related c...
Mustang Panda multi-country espionage campaign against government and telecom targets
Campaign
First: 28.01.2026 13:40
Last: 28.01.2026 13:40
Sources 1
About this happening:
A **Mustang Panda** espionage campaign targeted **government entities** across **Myanmar, Mongolia, Malaysia, and Russia**, showing sustained multi-country activity from **2021-20...
Timeline
07.01.2026 19:09 3 articles · 4mo ago
Black Cat SEO poisoning campaign exposes fake software download sites
Initial Disclosure
CNCERT/CC and ThreatBook report that Black Cat is using SEO poisoning to push fraudulent download pages for popular software such as Google Chrome, Notepad++, QQ International, and iTools toward Chinese users. The delivery chain sends victims from a fake download page to github.zh-cns[.]top, then to a ZIP archive that drops an installer, creates a desktop shortcut, sideloads a malicious DLL, and launches a backdoor that connects to sbido[.]com:2869 to steal browser data, keystrokes, and clipboard contents. The same campaign is described as active since at least 2022, and the group is said to have compromised about 277,800 hosts across China between 7 and 20, 2025.
- Black Cat Behind SEO Poisoning Malware Campaign Targeting Popular Software Searches — thehackernews.com — 07.01.2026 19:09
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15