Tag: seo poisoning

21 Attack Reports | 0 Vulnerabilities

Attack reports

WEBJACK: Evolving IIS Hijacking Campaign Abuses SEO for Fraud and Monetization

A malware campaign called WEBJACK is compromising Microsoft IIS servers to deploy BadIIS malware modules for SEO poisoning and fraud. The attackers hijack high-profile targets, including government and educational institutions, to redirect users to gambling websites. The campaign uses various tools…
seo poisoning
cobalt strike
chinese threat actor
latin america
southeast asia
badiis
iis modules
2025-11-19
xlanyloader
iis hijacking
m0yv
gambling redirection
Published: November 19, 2025
Downloadable IOCs: 34

Gootloader Returns: What Goodies Did They Bring?

Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by threat actor Storm-0494, it grants access to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses…
obfuscation
ransomware
seo poisoning
blackcat
alphv
javascript
gootloader
lateral movement
noberus
rhysida
2025-11-06
vanilla tempest
quantum locker
wordpress exploitation
zeppelin
supper socks5 backdoor
Published: November 6, 2025
Downloadable IOCs: 136

Threat Actors Leverage SEO Poisoning and Malicious Ads to Distribute Backdoored Microsoft Teams Installers

A new campaign is distributing the Oyster (Broomstick) backdoor through trojanized Microsoft Teams installers. Threat actors are using SEO poisoning and malvertising to trick users into downloading fake installers from spoofed websites. The malicious installers deploy a persistent backdoor that ena…
malvertising
seo poisoning
persistence
dll sideloading
microsoft teams
c2 communication
oyster
broomstick
2025-10-02
oyster backdoor
trojanized installer
Published: October 2, 2025
Downloadable IOCs: 15

Potentially Unwanted Applications (PUAs) weaponized for covert delivery

A malware distribution campaign leveraging digitally signed binaries, deceptive packaging, and browser hijackers has been uncovered. The campaign centers around two malicious applications, ImageLooker.exe and Calendaromatic.exe, delivered via self-extracting 7-Zip archives. These artifacts align wi…
malvertising
seo-poisoning
CVE-2025-0411
7-zip
neutralinojs
2025-09-29
pua
imagelooker
digital-signing
trojanized-productivity-tools
code-signing-abuse
calendaromatic
browser-hijacker
Published: September 29, 2025
Linked vulnerabilities : CVE-2025-0411 (CVSS 7.0)
Downloadable IOCs: 6

Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign

A Chinese-speaking threat actor group, tracked as CL-UNK-1037, has been conducting a large-scale SEO poisoning campaign called Operation Rewrite. The attackers use a malicious IIS module named BadIIS to intercept and alter web traffic on compromised servers, manipulating search engine results to re…
seo poisoning
vietnam
iis module
dragonrank
chinese threat actor
badiis
chinese-speaking
web shells
2025-09-23
operation rewrite
iis modules
group 9
2025-09-25
Published: September 25, 2025
Downloadable IOCs: 71

August 2025 Infostealer Trend Report

This analysis examines Infostealer trends in August 2025, focusing on distribution volume, methods, and disguises. AhnLab's automated systems collect and analyze malware, providing real-time IOC services. Infostealers, often disguised as cracks, are distributed through SEO poisoning. Notable varian…
lummac2
rhadamanthys
infostealer
seo poisoning
dll-sideloading
acrstealer
slack
2025-09-16
domain masquerading
Published: September 16, 2025
Downloadable IOCs: 0

GenAI Used to Impersonate Brazil's Government Websites

Threat actors are leveraging generative AI tools like DeepSite AI and BlackBox AI to create phishing templates that closely mimic official Brazilian government websites, such as the State Department of Traffic and Ministry of Education. These malicious replicas are boosted in search results using S…
phishing
seo poisoning
brazil
government impersonation
2025-08-08
deepsite ai
blackbox ai
pix payment
generative ai
Published: August 8, 2025
Downloadable IOCs: 7

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

A sophisticated cyber attack campaign leveraged SEO poisoning to compromise organizations through trojanized IT management tool installers. The attack began when users searching for ManageEngine OpManager were directed to a malicious website, downloading a compromised MSI file that installed Bumble…
ransomware
seo poisoning
credential theft
lateral movement
data exfiltration
akira
bumblebee
2025-08-07
rustdesk
it management tools
adaptixc2
Published: August 7, 2025
Downloadable IOCs: 0

Bumblebee Malware SEO Poisoning Campaign Leads to Akira Ransomware Deployment

A coordinated threat campaign has been identified leveraging SEO poisoning to distribute Bumblebee malware via trojanized installers of IT management tools. The campaign targets users searching for legitimate software like ManageEngine OpManager. Upon execution, Bumblebee establishes initial access…
seo poisoning
lateral movement
data exfiltration
akira
credential dumping
bumblebee
initial access
akira ransomware
trojanized installers
2025-08-05
Published: August 5, 2025
Downloadable IOCs: 19

June 2025 Infostealer Trend Report

This analysis provides insights into Infostealer malware trends observed in June 2025. The data, collected through various automated systems, reveals changes in distribution methods and malware types. While LummaC2 has been dominant, June saw increased activity from Rhadamanthys, ACRStealer, Vidar,…
lummac2
rhadamanthys
infostealer
seo poisoning
vidar
stealc
dll-sideloading
2025-07-16
acrstealer
anti-analysis techniques
Published: July 16, 2025
Downloadable IOCs: 0

Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors

A sophisticated piece of malware was discovered embedded in a WordPress site's core files, specifically in wp-settings.php. The malware uses a ZIP archive to hide malicious code and perform search engine poisoning and unauthorized content injection. It employs dynamic Command and Control server sel…
seo poisoning
wordpress
2025-07-14
Published: July 14, 2025
Downloadable IOCs: 3

May 2025 Infostealer Trend Report

This analysis examines the distribution trends of Infostealer malware in May 2025. It highlights the use of SEO poisoning to distribute malware disguised as cracks and keygens. LummaC2, Vidar, StealC, Rhadamanthys, and Amadey were the main Infostealers observed. Distribution methods included posts …
lummac2
rhadamanthys
infostealer
seo poisoning
amadey
bat script
vidar
stealc
dll-sideloading
2025-06-18
keygens
wormhole
unicode passwords
cracks
Published: June 18, 2025
Downloadable IOCs: 3

Cybercriminals camouflaging threats as AI tool installers

Cybercriminals are exploiting the popularity of AI by distributing malware disguised as AI solution installers. Three threats have been identified: CyberLock ransomware, Lucky_Gh0$t ransomware, and a newly discovered destructive malware called Numero. CyberLock, developed using PowerShell, encrypts…
ransomware
powershell
seo poisoning
ai
yashma
chaos
seo manipulation
2025-05-29
cyberlock
technology sector
b2b sales
ai tools
lucky_gh0$t
marketing sector
fake installers
numero
2025-06-05
Published: June 5, 2025
Downloadable IOCs: 20

Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign

A new Gootloader variant has been discovered using search engine optimization (SEO) poisoning to target Australian Bengal cat enthusiasts. The campaign uses Google search results for 'Are Bengal Cats legal in Australia?' to deliver malicious payloads. When users click on compromised links, a zip fi…
powershell
seo poisoning
javascript
gootloader
scheduled task
initial access
2024-11-06
gootkit
Published: November 6, 2024
Downloadable IOCs: 14

Threat Intelligence Alert: Phish 'n' Ships Fakes Online Shops to Steal Money and Credit Card Information

A sophisticated fraud scheme dubbed 'Phish 'n' Ships' has been uncovered, involving fake web shops that exploit digital payment providers to steal consumers' money and credit card information. The operation, traced back to 2019, has infected over 1,000 websites, created 121 fake web stores, and res…
phishing
seo poisoning
2024-10-31
chinese threat actors
credit card theft
fake web stores
payment processor abuse
search engine manipulation
e-commerce fraud
Published: October 31, 2024
Downloadable IOCs: 22

LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus

LUNAR SPIDER, a Russian-speaking financially motivated threat group, has resumed operations following law enforcement disruptions. They've shifted from using IcedID to leveraging Latrodectus and Brute Ratel C4 malware, targeting financial services through SEO poisoning malvertising campaigns. The g…
ransomware
malvertising
seo poisoning
icedid
latrodectus
2024-10-31
brute ratel c4
financial sector
infrastructure sharing
Published: October 31, 2024
Downloadable IOCs: 0

Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis

Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
backdoor
ransomware
seo poisoning
extortion
multi-tiered
infrastructure
2024-10-10
rhysida
chrgetpdsi
portstarter
cleanuploader
early detection
Published: October 10, 2024
Downloadable IOCs: 106

SIEM agent being used in SilentCryptoMiner attacks

A global malware campaign targeting mainly Russian-speaking users has been distributing cryptocurrency mining malware through fake software download sites, Telegram channels, and YouTube videos. The multi-stage infection chain uses unusual techniques for persistence and evasion, including hiding ma…
seo poisoning
persistence
autoit
cryptomining
defense evasion
2024-10-07
silentcryptominer
siem
Published: October 7, 2024
Downloadable IOCs: 8

Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant

A variant of WikiLoader loader for rent, also known as WailingCrab, is being delivered via SEO poisoning and spoofing of GlobalProtect VPN software. The campaign primarily affects U.S. higher education and transportation sectors. The infection chain involves multiple stages, including DLL sideloadi…
globalprotect
seo poisoning
dll sideloading
2024-09-02
wikiloader
wailingcrab
loader-for-rent
Published: September 2, 2024
Downloadable IOCs: 46

Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework

Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
malware
backdoor
social-engineering
2024-06-19
winos
chinese
seo-poisoning
Published: June 19, 2024
Linked vulnerabilities : CVE-2024-21412
Downloadable IOCs: 46

Gootloader walkthrough

The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
social engineering
powershell
seo poisoning
javascript
2024-05-24
gootloader
Published: May 24, 2024
Downloadable IOCs: 12
Click here to see more Attack Reports