Black Hat SEO Poisoning Search Engine Results For AI to Distribute Malware

June 27, 2025, 7:08 a.m.

Description

Threat actors are exploiting the popularity of AI tools by using Black Hat SEO techniques to poison search engine rankings for AI-related keywords. These malicious websites redirect users through multiple layers to deliver malware such as Vidar, Lumma, and Legion Loader. The attackers employ sophisticated JavaScript to collect browser data, perform fingerprinting, and evade detection. The malware payloads are often packaged in large installer files to bypass sandboxes. The campaign uses trusted platforms like WordPress and AWS CloudFront to appear legitimate. Victims are lured through high-ranking search results for AI topics, leading to infection chains involving stealer malware and cryptocurrency-stealing browser extensions.

Date

  • Created: June 26, 2025, 5:27 p.m.
  • Published: June 26, 2025, 5:27 p.m.
  • Modified: June 27, 2025, 7:08 a.m.

Indicators

Attack Patterns

Additional Information

  • metalsyo.digital