Black Cat Cybercrime Group Exploits SEO to Distribute Malware via Fake Software Downloads
A sophisticated cybercrime group known as Black Cat has been identified as the orchestrator behind a malicious campaign that leverages search engine optimization (SEO) poisoning to distribute malware. This operation involves creating fraudulent websites that mimic legitimate software download pages, deceiving users into installing harmful programs capable of stealing sensitive information.
According to a report by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and Beijing Weibu Online (ThreatBook), Black Cat’s strategy involves manipulating search engine results, particularly on platforms like Microsoft Bing. The group targets users searching for popular software applications such as Google Chrome, Notepad++, QQ International, and iTools.
Upon visiting these high-ranking deceptive pages, users are presented with convincingly designed download interfaces. When they attempt to download the software, they inadvertently install packages bundled with malicious programs. Once executed, these programs implant a backdoor Trojan without the user’s knowledge, enabling attackers to steal sensitive data from the compromised computer.
Active since at least 2022, Black Cat has been involved in various cyberattacks aimed at data theft and remote control through malware distributed via SEO poisoning campaigns. In 2023, the group reportedly stole approximately $160,000 worth of cryptocurrency by impersonating AICoin, a well-known virtual currency trading platform.
In their latest series of attacks, users searching for Notepad++ are directed to a phishing site that closely resembles the official software page, hosted at cn-notepadplusplus[.]com. Other domains registered by Black Cat include cn-obsidian[.]com, cn-winscp[.]com, and notepadplusplus[.]cn. The use of "cn" in these domain names suggests a deliberate focus on Chinese users seeking such tools through search engines.
When unsuspecting users click the download button on these counterfeit websites, they are redirected to another URL designed to mimic GitHub (github.zh-cns[.]top), from which a ZIP archive can be downloaded. The archive contains an installer that creates a desktop shortcut; that shortcut serves as the entry point for side-loading a malicious DLL, which in turn launches the backdoor.
The malware then establishes communication with a hard-coded remote server (sbido[.]com:2869), enabling it to steal web browser data, log keystrokes, extract clipboard contents, and gather other valuable information from the infected host.
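As a defender-side illustration of the indicators above, the following is an added Python example (not code from the report or this article) that refangs the `[.]`-defanged domains, matches them against a few constructed proxy log lines, and tags each hit with the stage of the chain it belongs to (lure site, fake GitHub download host, C2 server); the log line format and the stage labels are assumptions.

```python
"""Match proxy log lines against the domains named in the Black Cat report."""
from __future__ import annotations
import re
# Indicators as printed in the report (defanged with "[.]"), tagged with the
# stage of the infection chain each one belongs to (stage labels are assumed).
DEFANGED_IOCS = {
    "cn-notepadplusplus[.]com": "lure site",
    "cn-obsidian[.]com": "lure site",
    "cn-winscp[.]com": "lure site",
    "notepadplusplus[.]cn": "lure site",
    "github.zh-cns[.]top": "fake GitHub download host",
    "sbido[.]com:2869": "C2 server",
}
# Constructed sample log, one "<timestamp> <client-ip> <dest-host>:<dest-port>" per line.
SAMPLE_LOG = """\
2025-12-08T09:14:02Z 10.0.0.12 notepad-plus-plus.org:443
2025-12-08T09:14:31Z 10.0.0.12 cn-notepadplusplus.com:443
2025-12-08T09:15:05Z 10.0.0.12 github.zh-cns.top:443
2025-12-08T09:16:40Z 10.0.0.12 sbido.com:2869
2025-12-08T09:17:00Z 10.0.0.44 sbido.com:443
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([^\s:]+)(?::(\d+))?$")

def refang(ioc: str) -> tuple[str, int | None]:
    """'sbido[.]com:2869' -> ('sbido.com', 2869); port is None when absent."""
    host, _, port = ioc.replace("[.]", ".").lower().partition(":")
    return host, (int(port) if port else None)

def host_matches(host: str, ioc_host: str) -> bool:
    """True for the indicator itself or any subdomain of it (www.cn-winscp.com)."""
    host = host.lower().rstrip(".")
    return host == ioc_host or host.endswith("." + ioc_host)

def find_hits(lines: list[str]) -> list[dict]:
    """One record per log line whose destination host matches an indicator."""
    iocs = [(refang(i), stage) for i, stage in DEFANGED_IOCS.items()]
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, dest, port = m.groups()
        port = int(port) if port else None
        for (ioc_host, ioc_port), stage in iocs:
            if host_matches(dest, ioc_host):
                # A C2 host seen on another port is still reported, only flagged.
                hits.append({"ts": ts, "client": client, "dest": dest, "port": port,
                             "stage": stage, "port_match": ioc_port in (None, port)})
                break
    return hits
```

Subdomain matching is deliberate, since lure infrastructure is often served from hosts such as www or download under the registered domain.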
CNCERT/CC and ThreatBook reported that between December 7 and 20, 2025, the Black Cat cybercrime syndicate compromised approximately 277,800 hosts across China. The peak daily number of compromised machines within the country reached 62,167.
To reduce exposure to such attacks, users are advised not to follow links from unknown sources and to download software only from trusted sources, such as the vendor's official site.