- Black Cat used SEO poisoning to place fake software download pages high in search results for Chinese users.
- Malicious installers side-load a DLL to deploy a backdoor that steals browser data, keystrokes, and clipboard contents.
- Researchers report about 277,800 compromised hosts in China during the campaign, with a peak day of 62,167 infections.
Black Cat, active since at least 2022, deployed an SEO poisoning campaign in China that pushed fake download sites for popular tools to the top of search results. According to a report by CNCERT/CC and ThreatBook, victims searching for programs such as Notepad++, Google Chrome, QQ International, and iTools were directed to convincing phishing sites.
"After visiting these high-ranking phishing pages, users are lured by carefully constructed download pages, attempting to download software installation packages bundled with malicious programs," the report stated. "Once installed, the program implants a backdoor Trojan without the user’s knowledge, leading to the theft of sensitive data from the host computer by attackers."
The attackers registered domains including cn-notepadplusplus[.]com, cn-obsidian[.]com, cn-winscp[.]com, and notepadplusplus[.]cn to target Chinese users. A fake download flow redirects victims to a GitHub-mimicking host (github.zh-cns[.]top) that serves a ZIP file. The ZIP contains an installer that places a desktop shortcut; that shortcut side-loads a malicious DLL which launches the backdoor.
The deployed backdoor contacts a hard-coded command server at sbido[.]com:2869. Once connected, the Malware can steal web browser data, capture keystrokes, and read clipboard contents.
The campaign has had wide impact in China. CNCERT/CC and ThreatBook reported roughly 277,800 compromised hosts between January 7 and January 20, 2025, with a single-day high of 62,167 machines. In 2023, the group also impersonated a cryptocurrency platform and stole about $160,000 in digital assets.
Users are advised to avoid links from unknown sources and download software only from trusted, official sites.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Caterpillar, NVIDIA Team Up to Add AI to Machines, Factories
- Premier League crypto sponsors drop to 13 amid FCA warnings.
- JPM Coin Moves to Canton Network for Near-Instant Use Today!
- Radix Consultation Live: Vote on Season 1 End & Vesting ASAP
- Prosecutors Appeal Judge’s Acquittal of Mango Exploiter Case
