EXECUTIVE SUMMARY
Researchers have attributed an ongoing SEO poisoning campaign to a known threat actor that abuses popular software searches to distribute a stealthy backdoor. The operation relies on promoting fraudulent websites that closely imitate legitimate download pages for widely used applications, allowing them to rank highly in search engine results. By doing so, the attackers take advantage of user trust in familiar software names and reputable-looking pages. Visitors are presented with polished interfaces that closely resemble official sources, reducing suspicion and increasing the likelihood of downloads. Once users interact with these pages, the attack quickly transitions from deception to compromise without obvious warning signs. The campaign is primarily focused on silent data theft and persistent access rather than immediate disruption. Researchers note that this activity has been ongoing for a considerable period, with past operations linked to credential harvesting and financial theft through impersonation tactics.
The infection chain begins when users search for well-known software and click on links that appear legitimate but lead to phishing domains designed to mimic official project sites. These domains are carefully crafted to look regionally relevant and trustworthy. After reaching the fake site, users are prompted to download an installer, which redirects them to another page that imitates a popular code hosting platform. The downloaded archive contains an installer that drops additional files and creates a desktop shortcut. This shortcut is used to side-load a malicious DLL, allowing the backdoor to execute while appearing to be part of a normal application. Once active, the malware connects to a remote server controlled by the attackers. Through this connection, it can steal browser data, log keystrokes, monitor clipboard activity, and collect other sensitive information.
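As an added example that is not code from the report or the researchers it cites, the following Python sketch implements the hunt a defender might run over endpoint image-load telemetry to surface the side-loading stage described above: an unsigned DLL carrying a well-known system library name, loaded from the same folder as an executable that an installer dropped into a user-writable location. The watchlisted DLL names, the paths and every event are constructed assumptions for illustration, not indicators from the campaign.

```python
"""Hunt for DLL side-loading candidates in Windows image-load telemetry.

Side-loading (ATT&CK T1574.002) works because an executable that asks for a
DLL by bare name gets the copy in its own directory before the one in
System32.  An unsigned DLL carrying a well-known system library name, loaded
from the folder of an executable that an installer dropped into a
user-writable location, is therefore a strong hunt lead.
All events below are constructed for this example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# ASSUMPTION: illustrative watchlist of legitimate Windows DLL names that are
# frequently impersonated for side-loading. Not taken from the report.
SIDELOAD_WATCHLIST = {
    "version.dll", "dbghelp.dll", "wininet.dll",
    "userenv.dll", "cryptbase.dll", "msimg32.dll",
}

# Directories where the canonical copy of a watchlisted DLL is expected.
# The trailing backslash stops "c:\windows\system32evil\" from matching.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Path fragments typical of where a fake-download-site installer writes.
USER_WRITABLE_HINTS = (
    "\\appdata\\", "\\downloads\\", "\\desktop\\", "\\temp\\", "\\users\\public\\",
)


@dataclass(frozen=True)
class ImageLoad:
    process_path: str  # executable that loaded the DLL
    image_path: str    # DLL that was loaded
    signed: bool       # DLL carries a valid Authenticode signature


def _norm(path: str) -> PureWindowsPath:
    """Normalise separators and case so path comparisons are reliable."""
    return PureWindowsPath(str(PureWindowsPath(path)).lower())


def is_sideload_candidate(ev: ImageLoad) -> bool:
    dll = _norm(ev.image_path)
    exe = _norm(ev.process_path)

    if dll.name not in SIDELOAD_WATCHLIST:
        return False
    if str(dll).startswith(TRUSTED_DLL_DIRS):
        return False  # canonical copy loaded from a system directory
    if ev.signed:
        return False  # heuristic only; a stolen certificate would evade this

    same_dir = dll.parent == exe.parent
    user_writable = any(hint in str(exe) for hint in USER_WRITABLE_HINTS)
    return same_dir and user_writable


def hunt(events):
    """Return the events worth an analyst's attention."""
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed telemetry, not real observations.
SAMPLE_EVENTS = [
    # 1. Normal: signed system DLL loaded from System32.
    ImageLoad(r"C:\Program Files\Vendor\Tool.exe",
              r"C:\Windows\System32\version.dll", signed=True),
    # 2. Side-load: unsigned version.dll beside an exe in Downloads.
    ImageLoad(r"C:\Users\alice\Downloads\Setup\Viewer.exe",
              r"C:\Users\alice\Downloads\Setup\version.dll", signed=False),
    # 3. Vendor-private DLL with a non-watchlisted name: out of scope.
    ImageLoad(r"C:\Users\alice\AppData\Local\App\App.exe",
              r"C:\Users\alice\AppData\Local\App\app_core.dll", signed=False),
    # 4. Watchlisted name loaded from a different folder: a search-order
    #    hijack pattern, deliberately not flagged by this same-directory check.
    ImageLoad(r"C:\Users\alice\Desktop\Launcher.exe",
              r"C:\Users\alice\AppData\Local\Temp\dbghelp.dll", signed=False),
    # 5. Forward slashes and mixed case must normalise to the same verdict as 2.
    ImageLoad("c:/users/bob/desktop/Tool/TOOL.EXE",
              "C:/Users/bob/Desktop/Tool/WININET.DLL", signed=False),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"CANDIDATE {ev.process_path} -> {ev.image_path}")
```

Events 2 and 5 are flagged; event 4 is intentionally left alone because a watchlisted DLL loaded from a folder other than the executable's own is a different hijack pattern and deserves its own rule. The signature check is a cheap filter, not a verdict: an attacker with a stolen or leaked signing certificate would pass it, so signed loads from user-writable paths still merit a lower-priority review.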
This campaign highlights how effective search result manipulation has become as a malware delivery method. By exploiting trust in search engines and widely recognized software, the attackers bypass many of the checks users rely on when downloading programs. Convincing web design, familiar branding, and simple but reliable techniques such as DLL side-loading help the malware blend into normal system activity. The scale of observed infections shows how damaging such campaigns can be when combined with automation and popular search terms. Beyond immediate data theft, the backdoor provides ongoing access that can support further malicious activity over time. The approach favors distribution efficiency and user deception over technically complex exploitation. As users continue to rely on search engines for software discovery, similar SEO poisoning campaigns are likely to remain a persistent threat, reinforcing the importance of understanding how routine online behavior can be abused at scale.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | – |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1547.009 | Boot or Logon Autostart Execution | Shortcut Modification |
| Defense Evasion | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Credential Access | T1056.001 | Input Capture | Keylogging |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Collection | T1115 | Clipboard Data | – |
| Collection | T1005 | Data from Local System | – |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Execution | E1204 | User Execution |
| Defense Evasion | F0015 | Hijack Execution Flow |
| Command and Control | B0030 | C2 Communication |
| Credential Access | F0002 | Keylogging |
| Collection | E1056 | Input Capture |
| Discovery | E1082 | System Information Discovery |
REFERENCES:
The following reports contain further technical details:
https://thehackernews.com/2026/01/black-cat-behind-seo-poisoning-malware.html