CNCERT: Risk Warning Regarding the "Black Cat" Gang's Use of Search Engines to Spread Counterfeit Notepad++ Download Remote Control Backdoors

Jan. 9, 2026, 10:36 a.m.

Description

CNCERT and Microstep Online jointly detected a cyberattack campaign launched by the "Black Cat" criminal gang. The gang uses search engine optimization (SEO) techniques to push meticulously crafted phishing websites to the top of search engine keyword results. Users who visit these high-ranking phishing pages are lured by carefully designed download pages into downloading software installation packages bundled with malicious programs. Once installed, the program implants a backdoor Trojan without the user's knowledge, which leads to attackers stealing sensitive data from the user's host computer.

Date

  • Created: Jan. 9, 2026, 10:24 a.m.
  • Published: Jan. 9, 2026, 10:24 a.m.
  • Modified: Jan. 9, 2026, 10:36 a.m.

Indicators


Attack Patterns

  • Black Cat

Additional Information
