Hackers are using SEO poisoning to spread malware through fake apps disguised as Signal, WhatsApp, Chrome, and others. FortiGuard Labs reports that trojanised installers contain both real applications and malicious payloads, enabling data theft, surveillance, and control. The campaign, targeting Chinese-speaking users, delivers malware like Hiddengh0st and Winos, underscoring the risks of downloading software via search results.

Cybersecurity researchers are warning about a new wave of malware campaigns in which attackers disguise malicious applications as trusted platforms, including Signal, WhatsApp, and Google Chrome.
According to FortiGuard Labs, threat actors manipulate search engine algorithms using SEO plugins and lookalike domains to lure users into downloading trojanised installers. Victims are redirected to fraudulent websites that appear legitimate and are then offered versions of popular software, such as:
- Signal
- DeepL
- Chrome
- Telegram
- Line
- VPN provider
- WPS Office
These installer packages contain both the legitimate application and a hidden malicious payload, making the infection difficult for users to detect.
Once executed, the installer drops malicious DLL files into concealed directories, escalates privileges to administrator level, and performs functions that are designed to evade detection.
Malware families involved
The campaign delivers multiple malware families, including Hiddengh0st and a new variant of Winos. Once active, the malware enables attackers to:
- Gather detailed system and user information
- Identify antivirus and security tools
- Record keystrokes and clipboard activity
- Capture foreground window titles and screen content
- Load additional plugins for surveillance and extended control
Researchers note that some plugins could also allow the attackers to intercept Telegram communications.
The rise of SEO poisoning
This campaign highlights the growing risk of SEO poisoning, a tactic in which cybercriminals manipulate search engines to push malicious websites into highly ranked results. Even users who rely on trusted search rankings could fall victim.
FortiGuard Labs researchers write:
“The installers contained both the legitimate application and the malicious payload, making it difficult for users to notice the infection. Even highly ranked search results were weaponised in this way, underscoring the importance of carefully inspecting domain names before downloading software.”
The report also confirms that the primary targets of this campaign are Chinese-speaking users.
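The report's advice to inspect domain names before downloading can be partly automated at a proxy or in a download-review script. The Python sketch below is an added example, not code from FortiGuard Labs or from this article; the allowlist of official domains, the `classify` function and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: allowlist compiled for this example from the brands named in the
# article; maintain and verify your own list before relying on it.
OFFICIAL = {
    "signal": {"signal.org"}, "whatsapp": {"whatsapp.com"},
    "chrome": {"google.com"}, "telegram": {"telegram.org"},
    "deepl": {"deepl.com"}, "line": {"line.me"}, "wps": {"wps.com"},
}

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, detail) for the host of a software download URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Exact domain or subdomain of an allowlisted vendor domain.
    for brand, domains in OFFICIAL.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return "official", brand
    for label in host.split("."):
        if label.startswith("xn--"):
            return "suspicious", "punycode label, possible homograph"
        tokens = label.split("-")
        for brand in OFFICIAL:
            if brand in tokens:
                return "suspicious", f"'{brand}' used on a non-official domain"
            # Substring and one-character typo checks only for longer names,
            # so that words like "online" are not flagged for the brand "line".
            if len(brand) >= 5 and (brand in label or
                    any(edit_distance(t, brand) == 1 for t in tokens)):
                return "suspicious", f"lookalike of '{brand}'"
    return "unknown", "not on the allowlist; verify before downloading"

# Constructed sample URLs (the .example TLD is reserved and never resolves).
SAMPLES = ["https://signal.org/download/", "https://www.google.com/chrome/",
           "https://signal-desktop.example/setup.exe",
           "https://whatsap.example/install.msi", "https://online-docs.example/"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", classify(u))
```

A "suspicious" verdict is a prompt for review, not proof of malice; a clean verdict says nothing about the installer itself, which still needs its publisher signature checked.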
Broader threat landscape
SEO poisoning is not a new tactic. Previous research by Cisco Talos has identified several campaigns in which attackers used popular AI platforms such as ChatGPT or InVideo to lure users. Other large-scale fraud operations have impersonated major brands including PayPal, Apple, Bank of America, Netflix, and Microsoft.
In some cases, cybercriminals have even purchased sponsored Google ads to present themselves as legitimate companies, directing unsuspecting victims to fake websites where they are prompted to download malware.

Himani Verma is a seasoned content writer and SEO expert, with experience in digital media. She has held various senior writing positions at enterprises like CloudTDMS (Synthetic Data Factory), Barrownz Group, and ATZA. Himani has also been Editorial Writer at Hindustan Times, a leading Indian English language news platform. She excels in content creation, proofreading, and editing, ensuring that every piece is polished and impactful. Her expertise lies in crafting SEO-friendly content for multiple business verticals, including technology, healthcare, finance, sports, innovation, and more.