Chinese-Speaking Users Targeted in Sophisticated Malware Campaigns Exploiting SEO and GitHub Pages

In recent cybersecurity developments, Chinese-speaking users have become the focal point of advanced malware campaigns that exploit search engine optimization (SEO) techniques and trusted platforms like GitHub Pages to distribute malicious software. These campaigns have led to the deployment of various malware families, including HiddenGh0st, Winos (also known as ValleyRAT), and a newly identified remote access trojan (RAT) named kkRAT.

SEO Poisoning and Malware Distribution

Cybersecurity firm Fortinet FortiGuard Labs uncovered a campaign in August 2025 where attackers manipulated search engine rankings using SEO plugins and registered domains that closely resembled legitimate software websites. By employing subtle character substitutions and persuasive language, they deceived users into visiting these counterfeit sites and downloading malware-laden installers.

The malware families deployed in this campaign, such as HiddenGh0st and Winos, are variants of the Gh0st RAT, a well-known remote access trojan. Notably, Winos has been linked to a cybercriminal group known as Silver Fox, also tracked under aliases like SwimSnake, The Great Thief of Valley, UTG-Q-1000, and Void Arachne. This group has been active since at least 2022.

Attack Methodology

The attack chain begins when users search for popular tools like DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, and WPS Office. They are redirected to fraudulent websites that prompt the download of trojanized installers. A script named nice.js orchestrates the malware delivery process on these sites. This script initiates a multi-step chain: it first calls a download link that returns JSON data containing a secondary link, which then points to another JSON response with the final URL of the malicious installer.
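As an added, defender-side illustration of the lookalike-domain trick described above (this is not code from the report, from Fortinet or from Zscaler): a small Python check that folds common character substitutions and flags download hosts in a constructed proxy log that imitate the impersonated brands. The legitimate domain list, the confusables map and the log lines are assumptions made for the example.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Brands the article says were impersonated; these domains are assumed comparison targets.
LEGIT_DOMAINS = ["deepl.com", "google.com", "signal.org",
                 "telegram.org", "whatsapp.com", "wps.com"]
DIGIT_LOOKALIKES = str.maketrans("0135", "oles")  # 0->o, 1->l, 3->e, 5->s
LOG_RE = re.compile(r"\b(?:GET|POST|CONNECT)\s+(\S+)")  # method + URL in a proxy log line

def normalize(label):  # fold visual substitutions so a lookalike compares equal
    s = unicodedata.normalize("NFKC", label).lower()  # fullwidth/compat forms -> ASCII
    s = s.translate(DIGIT_LOOKALIKES)
    return s.replace("rn", "m").replace("vv", "w")

def levenshtein(a, b):  # classic edit distance, used for one-character typos
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host, legit=LEGIT_DOMAINS):
    # Return the legitimate domain `host` imitates, or None; the registrable
    # domain is approximated as the last two labels (no public-suffix list).
    host = host.lower().rstrip(".")
    if host in legit or any(host.endswith("." + d) for d in legit):
        return None
    base = ".".join(host.split(".")[-2:]).rpartition(".")[0]
    norm = normalize(base)
    for d in legit:
        brand = d.rpartition(".")[0]
        # equal after folding, one edit away, or a longer brand embedded in the label
        if norm == brand or levenshtein(norm, brand) <= 1 or (len(brand) >= 5 and brand in norm):
            return d
    return None

def flag_downloads(lines):  # (host, imitated_domain) for each lookalike download
    hosts = [urlsplit(m.group(1)).hostname for m in map(LOG_RE.search, lines) if m]
    pairs = ((h, lookalike_of(h)) for h in hosts if h)
    return [p for p in pairs if p[1]]

# Constructed sample proxy log lines (not taken from the report).
SAMPLE_LOG = [
    "2025-08-12T10:01:03Z 10.0.0.5 GET https://www.google.com/search?q=telegram 200",
    "2025-08-12T10:01:09Z 10.0.0.5 GET https://te1egram.org/Telegram-Setup.exe 200",
    "2025-08-12T10:03:41Z 10.0.0.7 GET https://vvhatsapp.com/WhatsApp-Installer.exe 200",
    "2025-08-12T10:05:12Z 10.0.0.9 GET https://deepl-translate-cn.xyz/DeepL.exe 200",
]
```

Transpositions such as "googel" fall outside the one-edit threshold, so a production check would extend the confusables map and use a real public-suffix list.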

The installer includes a malicious DLL (EnumW.dll) that performs several anti-analysis checks to evade detection. It extracts another DLL (vstdlib.dll) designed to overwhelm analysis tools by inflating memory usage and degrading performance. This second DLL unpacks and launches the main payload after verifying the presence of 360 Total Security antivirus software on the compromised system. If the antivirus is detected, the malware employs a technique called TypeLib COM hijacking to establish persistence and ultimately launch a Windows executable (insalivation.exe).

If the antivirus software is absent, persistence is achieved by creating a Windows shortcut that points to the same executable. The infection’s objective is to sideload a DLL (AIDE.dll) that initiates three core functions:

1. Command-and-Control (C2): Establishes communication with a remote server and exchanges data in an encrypted format.

2. Heartbeat: Collects system and victim data, enumerates running processes against a hard-coded list of security products.

3. Monitor: Evaluates the victim’s environment to confirm persistence, tracks user activity, and beacons to the C2 server.

The C2 module also supports commands to download additional plugins, log keystrokes and clipboard data, and hijack cryptocurrency wallets associated with Ethereum and Tether. Some identified plugins can monitor the victim’s screen and have been previously associated with the Winos framework.

Fortinet emphasized that the installers contained both the legitimate application and the malicious payload, making it challenging for users to detect the infection. Even highly ranked search results were weaponized, underscoring the importance of carefully inspecting domain names before downloading software.

Emergence of kkRAT and Additional Threats

In a separate campaign, Zscaler ThreatLabz identified a previously undocumented malware called kkRAT targeting Chinese-speaking users since early May 2025, alongside Winos and FatalRAT. kkRAT shares code similarities with both Gh0st RAT and Big Bad Wolf (大灰狼), a RAT typically leveraged by China-based cybercriminals.

kkRAT employs a network communication protocol similar to Gh0st RAT, with an added encryption layer after data compression. Its features include clipboard manipulation to replace cryptocurrency addresses and the deployment of remote monitoring tools like Sunlogin and GotoHTTP.

This campaign uses fake installer pages mimicking popular software like DingTalk to deliver the three trojans. The phishing sites are hosted on GitHub Pages, allowing attackers to exploit the trust associated with a legitimate platform for malware distribution. The GitHub account used to deploy these pages is no longer available.

Attack Chain and Techniques

Once a victim launches an installer from one of these sites, it runs a series of checks to identify sandbox environments and virtual machines and to bypass security software. It requests administrator privileges, which, if granted, let it enumerate and temporarily disable all active network adapters, interfering with the normal operation of antivirus programs.

The malware employs the Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus software by reusing code from the RealBlindingEDR open-source project. It specifically targets the following programs:

– 360 Internet Security suite

– 360 Total Security

– HeroBravo System Diagnostics suite

– Kingsoft Internet Security

– QQ电脑管家

After terminating these antivirus-related processes, the malware creates a scheduled task with SYSTEM privileges to execute a batch script, ensuring those processes are killed automatically every time a user logs in. It also modifies Windows Registry entries for 360 Total Security, likely aiming to disable network checks. Once these actions are completed, the malware re-enables the network adapters to restore the system’s network connectivity.

The installer launches shellcode that retrieves another obfuscated shellcode file named 2025.bin from a hard-coded URL. This shellcode serves as a downloader for an artifact (output.log) that fetches two ZIP archives:

1. trx38.zip: Contains a legitimate executable file and a malicious DLL launched using DLL side-loading.

2. p.zip: Contains a file named longlq.cl, which holds the encrypted final payload.

The malware creates a shortcut for the legitimate executable extracted from trx38.zip, adds this shortcut to the startup folder for persistence, and executes the legitimate executable to sideload the malicious DLL. The malicious DLL decrypts and executes the final payload from longlq.cl. The final payload varies based on the second ZIP archive downloaded.

Capabilities of kkRAT

One of the payloads is kkRAT. After establishing a socket connection with the C2 server, kkRAT profiles the victim machine and obtains various plugins to perform a wide range of data-gathering tasks:

– Screen capturing and simulating user inputs such as keyboard and mouse actions.

– Retrieving and modifying clipboard data.

– Enabling remote desktop features, such as launching web browsers and terminating active processes.

– Facilitating remote command execution via a shell interface.

– Managing windows on the screen.

– Providing process management features, such as listing active processes and terminating them as required.

– Generating a list of active network connections.

– Providing application management features, such as listing installed software and uninstalling specific ones.

– Enumerating and retrieving the list of values stored in the autorun Registry key.

– Acting as a proxy to route data between a client and server using the SOCKS5 protocol.

In addition to these plugins, kkRAT supports commands to invoke the plugins; function as a clipper by replacing cryptocurrency wallet addresses copied to the clipboard; set up persistence; deploy GotoHTTP and Sunlogin; and clear data associated with browsers and messaging applications like 360 Speed Browser, Google Chrome, Internet Explorer, Mozilla Firefox, QQ Browser, Sogou Explorer, Skype, and Telegram.

Zscaler noted that kkRAT’s commands and plugins enable features such as clipboard hijacking to replace cryptocurrency wallet addresses, installing remote monitoring tools like Sunlogin and GotoHTTP, and relaying network traffic that can be used to bypass firewalls and VPNs.

Conclusion

These sophisticated malware campaigns highlight the evolving tactics of cybercriminals targeting Chinese-speaking users. By exploiting SEO techniques and trusted platforms like GitHub Pages, attackers can effectively distribute malware while evading detection. Users are advised to exercise caution when downloading software, especially from search engine results, and to verify the authenticity of websites before proceeding with downloads.