Black Cat hackers drugged SEO release malware

Black Cat group hackers drugging SEO deceiving people searching for fake web ringing apps to release malware

SEO or Search Engine Optimization is a website management strategy used by marketers to make the website top when searching with a defined set of words, but it's another way that hackers like to use to spread malware.

According to a report by the website, The Hacker News mentioned the detection of a malware distribution campaign by SEO (or ThreatBook) by a group of hackers from China called Black Cat, a cybersecurity organization from China, the National Computer Network Emergency Response Technical Team / Coordination Center of China (CNCERT / CC) and Beijing Weibu Online (or ThreatBook), came forward to reveal the campaign. The hackers will use SEO methods to push websites that claim to be a source of downloading famous applications such as Google Chrome, Notepad + +, QQ International and iTools to high levels. On a popular Search Engine like Bing to trick victims into entering websites in such groups with the aim of downloading fake applications and installing malware.

After the victim has successfully entered the site in such a group, the site will use various techniques to retrieve the victim to the fake application download page. If the victim downloads the application, when the installation is complete, it will lead to the installation of a malware type that opens the back door of the system or the backdoor (the source does not name the malware) without the victim's knowledge, ultimately leading to the loss of important information.

Black Cat hackers have not started this year, but since 2022, using the same technique to spread malware of the remote access trojan, and in 2023, the group released a malware application disguised as a Krypto Curren C application called AICoin that could steal more than US $160,000 (4,963,200).

And in this latest campaign, it is deceiving victims to download fake Notepad + + text management applications through a website that is so disguised as the original website with the domain name "cn-notepadplusplus [.] com." In addition to the aforementioned domain, hackers have also written down other domains, such as "cn-obsidian [.] com," "cn-winscp [.] com," and "notepadplusplus [.] cn" on the domain, it is a clear intention that they intend to head a group of Chinese users or Chinese users in particular by the Download button on these sites. If the victim presses the website, it is Redirect the victim will change the target of the victim to another fake website disguised as a repo or repository. Github, whose domain name is "github.zh-cns." The file downloaded by the victim is a compressed file in the .Zip genus with a fake installation file. After installation, a shortcut will be created on the desktop screen. This file will download the malware file in the DLL file format.

The malware, after embedding itself on the machine, contacts a C2 or Command and Control server with the domain name "sbido [.] com: 2869." The domain is embedded as a constant in the malware code. The malware has the ability to steal data, including data on Clipboard, web browsers, keyboard printing, and important data on the machine. After stealing the data, the malware sends the data to this server.

According to a cybersecurity assessment, there have already been more than 277,800 victims of such hackers in China just in a few days between December 7 and 20, 2025. The number of victims per day has peaked at 62,167 within a single day. Therefore, users need to be very careful to find the software they need and regularly observe the name of the website not to enter the wrong website to ensure safety.

# Trending # lemon 8 diary # seo # freedomhack # hackers