Chinese-speaking users are the target of a search engine optimization (SEO) poisoning campaign that uses fake software sites to distribute malware.
“The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites,” Fortinet FortiGuard Labs researcher Pei Han Liao said. “By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware.”
The activity, which was discovered by the cybersecurity company in August 2025, leads to the deployment of malware families like HiddenGh0st and Winos (aka ValleyRAT), both of which are variants of a remote access trojan called Gh0st RAT.
It’s worth noting that the use of Winos has been attributed to a cybercrime group known as Silver Fox, which is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne. It’s believed to have been active since at least 2022.
In the latest attack chain documented by Fortinet, users searching for tools like DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, and WPS Office on Google are redirected to bogus sites to trigger the delivery of the malware using trojanized installers.
“A script named nice.js controls the malware delivery process on these sites,” Fortinet explained. “The script follows a multi-step chain: it first calls a download link that returns JSON data, which includes a secondary link. That secondary link then points to another JSON response containing a link that redirects to the final URL of the malicious installer.”
Present within the installer is a malicious DLL (“EnumW.dll”) that carries out several anti-analysis checks to sidestep detection, including extracting another DLL (“vstdlib.dll”) to overwhelm analysis tools by inflating memory usage and slowing their performance.
The second DLL is also engineered to unpack and launch the main payload, but not before ascertaining the presence of 360 Total Security antivirus software on the compromised host. If present, the malware uses a technique called TypeLib COM hijacking to set up persistence and ultimately launch a Windows executable (“insalivation.exe”).
In the event the antivirus software is not installed on the host, persistence is achieved by creating a Windows shortcut that points to the same executable. The end goal of the infection is to sideload a DLL (“AIDE.dll”) that initiates three core functions –
- Command-and-Control (C2), to establish communication with a remote server and exchange data in an encrypted format
- Heartbeat, to collect system and victim data and enumerate running processes against a hard-coded list of security products
- Monitor, to evaluate the victim’s environment to confirm persistence, track user activity, and beacon to the C2 server
The C2 module also supports commands to download additional plugins, log keystrokes and clipboard data, and even hijack cryptocurrency wallets associated with Ethereum and Tether. Some of the identified plugins are capable of keeping tabs on the victim’s screen and have been previously identified as part of the Winos framework.
“The installers contained both the legitimate application and the malicious payload, making it difficult for users to notice the infection,” Fortinet said. “Even highly ranked search results were weaponized in this way, underscoring the importance of carefully inspecting domain names before downloading software.”
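The two persistence mechanisms described above (a per-user TypeLib COM hijack when 360 Total Security is present, a Startup-folder shortcut to the same executable otherwise) both leave artifacts that can be enumerated from the host. The following PowerShell hunt is an added example, not Fortinet’s or the campaign’s code. The registry layout it walks (HKCU\Software\Classes\TypeLib\{GUID}\<version>\0\win32|win64) is the standard Windows TypeLib registration; the “suspicious” heuristics (a script: moniker, a non-TypeLib file extension, a target in a user-writable directory) are assumptions for triage and will need tuning against your own baseline:

```powershell
# Added example: hunt for TypeLib COM hijack entries and Startup-folder shortcuts
# that sideload a DLL. Heuristics below are assumptions, not indicators from the report.

function Get-SuspiciousTypeLib {
    # Legitimate per-user TypeLibs point at a .tlb/.dll/.ocx/.exe installed with an app.
    # A hijack typically points at a script: moniker (scriptlet) or an odd file in a
    # user-writable path so that a normal COM lookup runs attacker code.
    $root = 'HKCU:\Software\Classes\TypeLib'
    if (-not (Test-Path $root)) { return @() }
    $hits = @()
    Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -in @('win32', 'win64') } |
        ForEach-Object {
            $value = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if (-not $value) { return }
            $severity = $null
            if ($value -match '^\s*script:') { $severity = 'high' }          # scriptlet moniker
            elseif ($value -notmatch '\.(tlb|dll|ocx|exe)\s*$') { $severity = 'medium' }
            elseif ($value -match '(?i)\\(ProgramData|Temp|Public)\\') { $severity = 'low' }
            if ($severity) {
                $hits += [pscustomobject]@{
                    Type = 'TypeLib'; Severity = $severity; Key = $_.PSPath; Value = $value
                }
            }
        }
    return ,$hits
}

function Get-StartupShortcutTargets {
    # Lists every .lnk in the per-user and all-users Startup folders with its target and
    # the DLLs sitting next to that target (a legitimate EXE plus a planted DLL beside it
    # is the sideloading layout described in the report).
    $wsh = New-Object -ComObject WScript.Shell
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $wsh.CreateShortcut($_.FullName)
            $siblingDlls = ''
            if ($lnk.TargetPath -and (Test-Path $lnk.TargetPath)) {
                $dir = Split-Path $lnk.TargetPath
                $siblingDlls = (Get-ChildItem -Path $dir -Filter *.dll -ErrorAction SilentlyContinue).Name -join ','
            }
            [pscustomobject]@{
                Type        = 'StartupLnk'
                Shortcut    = $_.FullName
                Target      = $lnk.TargetPath
                Arguments   = $lnk.Arguments
                SiblingDlls = $siblingDlls
            }
        }
    }
}

Get-SuspiciousTypeLib      | Format-Table -AutoSize
Get-StartupShortcutTargets | Format-Table -AutoSize
```

Run it in the context of the user whose profile you are triaging (HKCU is per-user), and treat the TypeLib output as leads rather than verdicts: per-user installs such as Teams or Chrome register TypeLibs under the user profile legitimately, so the script: moniker check is the strong signal and the path check is only a prompt to look closer.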
Chinese Speakers Targeted by Malware Trifecta, Including New kkRAT
The development comes as Zscaler ThreatLabz flagged a separate campaign, active since early May 2025 and also targeting Chinese-speaking users, that delivers a previously undocumented malware called kkRAT alongside Winos and FatalRAT.
kkRAT “shares code similarities with both Gh0st RAT and Big Bad Wolf (大灰狼), a RAT typically leveraged by China-based cybercriminals,” Zscaler researcher Muhammed Irfan V A said.
“kkRAT employs a network communication protocol similar to Ghost RAT, with an added encryption layer after data compression. The RAT’s features include clipboard manipulation to replace cryptocurrency addresses and the deployment of remote monitoring tools (i.e. Sunlogin, GotoHTTP).”
Like the aforementioned activity, the attack campaign uses fake installer pages mimicking popular software like DingTalk to deliver the three trojans. The phishing sites are hosted on GitHub Pages, allowing the bad actors to abuse the trust associated with a legitimate platform for malware distribution. The GitHub account used to deploy the pages is no longer available.
Once launched by the victim, the installer hosted on the sites runs a series of checks to identify sandbox environments and virtual machines (VMs), as well as bypass security software. It also requests administrator privileges, which, if granted, enable it to enumerate and temporarily disable all active network adapters, effectively interfering with the regular functioning of antivirus programs.
Another notable aspect of the malware is its use of the Bring Your Own Vulnerable Driver (BYOVD) technique to disarm antivirus software installed on the host by reusing code from the RealBlindingEDR open-source project. The malware specifically searches for the following five programs –
- 360 Internet Security suite
- 360 Total Security
- HeroBravo System Diagnostics suite
- Kingsoft Internet Security
- QQ电脑管家 (QQ PC Manager)
Once the relevant antivirus-related processes have been terminated, the malware creates a scheduled task that runs with SYSTEM privileges and executes a batch script, ensuring that those processes are automatically killed every time a user logs in to the machine.
Furthermore, it modifies Windows Registry entries for 360 Total Security with the likely goal of disabling network checks. After all these actions are carried out, the malware proceeds to re-enable network adapters to restore the system’s network connectivity.
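The defense-evasion sequence described above leaves two durable traces on a host: a logon-triggered scheduled task running as SYSTEM whose action is a batch script, and security products that Windows still has registered but which are no longer running. The following PowerShell hunt is an added example, not Zscaler’s or the malware’s code. The report does not name the task or script, so the check is behavioural (principal, trigger type, action) rather than name-based; the productState decoding of the Security Center WMI class is the commonly used heuristic and is an assumption here:

```powershell
# Added example: find scheduled tasks matching "SYSTEM + logon trigger + batch/cmd action"
# and list registered AV products whose reported state is not 'enabled'.

function Get-SuspiciousLogonTasks {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $runsAsSystem = ($task.Principal.UserId -match '^(NT AUTHORITY\\)?SYSTEM$') -or
                        ($task.Principal.UserId -eq 'S-1-5-18')
        $logonTrigger = $task.Triggers | Where-Object {
            $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger'
        }
        $batchAction = $task.Actions | Where-Object {
            ($_.Execute   -match '(?i)(^|\\)cmd(\.exe)?$') -or
            ($_.Execute   -match '(?i)\.(bat|cmd)$')      -or
            ($_.Arguments -match '(?i)\.(bat|cmd)')
        }
        if ($runsAsSystem -and $logonTrigger -and $batchAction) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                RunAs    = $task.Principal.UserId
                Command  = ($batchAction | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            }
        }
    }
}

function Get-AntivirusState {
    # root/SecurityCenter2 exists on client SKUs; productState is a bit field where the
    # middle byte 0x10 means "enabled". Decoding is the widely used heuristic (assumption).
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hex     = '{0:X6}' -f $_.productState
            $enabled = $hex.Substring(2, 2) -in @('10', '11')
            [pscustomobject]@{
                Product = $_.displayName
                State   = $hex
                Enabled = $enabled
                ExePath = $_.pathToSignedProductExe
            }
        }
}

Get-SuspiciousLogonTasks | Format-Table -AutoSize
Get-AntivirusState        | Format-Table -AutoSize
```

A task that matches all three conditions is not automatically malicious (some enterprise agents install similar logon tasks), so pair the output with the task’s creation time and the contents of the referenced batch file; a registered AV product reported as not enabled while its service binary is still on disk is the state the report describes after the kill-on-logon task has run.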
The primary responsibility of the installer is to launch shellcode, which, in turn, retrieves another obfuscated shellcode file named “2025.bin” from a hard-coded URL and executes it. This newly retrieved shellcode serves as a downloader for an artifact (“output.log”) that subsequently reaches out to two different URLs to fetch two ZIP archives –
- trx38.zip, containing a legitimate executable file and a malicious DLL that’s launched using DLL side-loading
- p.zip, containing a file named longlq.cl, which holds the encrypted final payload
“The malware then will create a shortcut for the legitimate executable extracted from trx38.zip, add this shortcut to the startup folder for persistence, and execute the legitimate executable to sideload the malicious DLL,” Zscaler said. “The malicious DLL decrypts and executes the final payload from the file longlq.cl. The final payload of the campaign varies based on the second ZIP archive that is downloaded.”
Figure: Attack chain for a malware campaign delivering several RATs
One of the three payloads is kkRAT. After establishing a socket connection with the C2 server, the malware profiles the victim machine and obtains various plugins to perform a wide range of data gathering tasks –
- Screen capturing and simulating user inputs such as keyboard and mouse actions
- Retrieving and modifying clipboard data
- Enabling remote desktop features, such as launching web browsers and terminating active processes
- Facilitating remote command execution via a shell interface
- Managing the windows shown on the screen
- Providing process management features, such as listing active processes and terminating them as and when required
- Generating a list of active network connections
- Providing application management features, such as listing installed software and uninstalling specific ones
- Enumerating and retrieving the list of values stored in the autorun Registry key
- Acting as a proxy to route data between a client and server using the SOCKS5 protocol
In addition to these plugins, kkRAT offers support for a long list of commands to invoke the plugins; function as a clipper by replacing cryptocurrency wallet addresses copied to the clipboard; set up persistence; deploy GotoHTTP and Sunlogin; and clear data associated with 360 Speed Browser, Google Chrome, Internet Explorer, Mozilla Firefox, QQ Browser, Sogou Explorer, Skype, and Telegram.
“kkRAT’s commands and plugins enable features such as clipboard hijacking to replace cryptocurrency wallet addresses, installing RMM tools like Sunlogin and GotoHTTP, and relaying network traffic that can be used to bypass firewalls and VPNs,” Zscaler said.
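Both kkRAT and the Winos payload in the Fortinet campaign act as clippers: they watch the clipboard for a cryptocurrency address and swap it for an attacker-controlled one of the same type, so the victim pastes the wrong destination. The observable on the victim side is a clipboard whose contents change from one valid address to a different valid address of the same format without the user copying anything. The following PowerShell is an added example written to detect that pattern, not code from either report or from the malware. The address regexes are the standard formats (Bitcoin legacy and bech32, Ethereum/ERC-20 including Tether, TRON/TRC-20 including Tether); the five-second window and the polling interval are assumptions, and the sample clipboard history is constructed:

```powershell
# Added example: detect clipper-style wallet-address swaps from a clipboard history,
# then a live poller that applies the same logic to the real clipboard.

$WalletPatterns = [ordered]@{
    'BTC-legacy' = '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'
    'BTC-bech32' = '^bc1[a-z0-9]{39,59}$'
    'ETH/ERC20'  = '^0x[0-9a-fA-F]{40}$'        # ERC-20 USDT uses an Ethereum address
    'TRON/TRC20' = '^T[1-9A-HJ-NP-Za-km-z]{33}$' # TRC-20 USDT uses a TRON address
}

function Get-WalletType([string]$Text) {
    if (-not $Text) { return $null }
    $t = $Text.Trim()
    foreach ($name in $WalletPatterns.Keys) {
        if ($t -match $WalletPatterns[$name]) { return $name }
    }
    return $null
}

# Pure function over a list of @{ Time; Text } samples so it can be exercised offline.
# An alert is raised when two consecutive samples are both addresses of the same type,
# differ in value, and are less than $WindowSeconds apart (assumed threshold): a user
# rarely copies two different wallet addresses that quickly, a clipper does it instantly.
function Find-ClipboardSwaps([object[]]$Samples, [int]$WindowSeconds = 5) {
    $alerts = @()
    for ($i = 1; $i -lt $Samples.Count; $i++) {
        $prev = $Samples[$i - 1]
        $cur  = $Samples[$i]
        $pt = Get-WalletType $prev.Text
        $ct = Get-WalletType $cur.Text
        if ($pt -and $ct -and ($pt -eq $ct) -and
            ($prev.Text.Trim() -ne $cur.Text.Trim()) -and
            (($cur.Time - $prev.Time).TotalSeconds -le $WindowSeconds)) {
            $alerts += [pscustomobject]@{
                Type = $ct; Original = $prev.Text; Replaced = $cur.Text; At = $cur.Time
            }
        }
    }
    return ,$alerts
}

# Constructed sample history: an ETH address is replaced 2 s later by a different ETH
# address (clipper behaviour), then a minute later the user copies ordinary text.
$t0 = Get-Date
$history = @(
    @{ Time = $t0;                Text = '0x1111111111111111111111111111111111111111' },
    @{ Time = $t0.AddSeconds(2);  Text = '0x2222222222222222222222222222222222222222' },
    @{ Time = $t0.AddSeconds(60); Text = 'meeting notes for Monday' }
)
Find-ClipboardSwaps -Samples $history | Format-Table -AutoSize   # one ETH/ERC20 alert

# Live monitor: polls the real clipboard and feeds each change through the same check.
function Watch-Clipboard([int]$IntervalMs = 500, [int]$WindowSeconds = 5) {
    $last = $null
    while ($true) {
        $text = Get-Clipboard -Format Text -ErrorAction SilentlyContinue
        if ($text -and $text -ne $last.Text) {
            $cur = @{ Time = Get-Date; Text = $text }
            if ($last) {
                Find-ClipboardSwaps -Samples @($last, $cur) -WindowSeconds $WindowSeconds |
                    ForEach-Object { Write-Warning "Possible clipper: $($_.Type) $($_.Original) -> $($_.Replaced)" }
            }
            $last = $cur
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
}
```

The offline function is the part worth keeping in a detection pipeline (it runs over any clipboard-event log an EDR exports); the live poller is a quick interactive check on a machine suspected of infection. Note the time window rather than the mere presence of two addresses: wallet users legitimately copy several addresses in a session, but only a clipper rewrites one to another of the same type within a second or two of the copy.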