SEO Poisoning makes waves in China. How is it evolving?

Written by Intercity | Sep 16, 2025 7:34:36 AM

A sophisticated SEO poisoning campaign is making waves in China. How has the tactic evolved?

In August, our partners at Fortinet uncovered a large-scale SEO poisoning campaign across China that targeted Windows users. Attackers used lookalike domains and fake software sites to trick people into downloading malware. On the surface the sites looked polished and professional, but the downloads carried malicious payloads like Hiddengh0st and Winos. What’s more, the malware could tell if it was being observed in a sandbox and lie dormant until it landed in a real environment.

This discovery is a good moment to revisit SEO poisoning. We’ll look at what it is, how it works, why the latest campaign stands out, and what businesses can learn from it.

What is SEO poisoning?

SEO poisoning has been around for years. Criminals abuse keyword stuffing, typosquatting and link networks to push malicious pages up search rankings. The tricks aren’t new, but the execution keeps evolving.

This campaign showed how effective SEO poisoning can still be. Attackers scaled up their efforts, focusing on Chinese-language searches for popular software like Chrome, Signal and WhatsApp. Even cautious users who thought they were downloading legitimate apps were caught out. The installers often bundled the real application alongside the malware so people believed everything had worked as normal.

The role of AI

AI is part of the modern picture. Attackers use it to generate convincing websites and churn out content that looks credible and localised. They also capitalise on demand for AI tools themselves, baiting users searching for downloads of popular AI apps. On the defensive side, AI is helping to spot poisoned results and block them before they reach users.

Why businesses here should pay attention

What starts in one region rarely stays there. Campaigns that first appear in China or other markets can quickly pivot to English-language lures with minimal rework. This one even used GitHub Pages to host content, a platform that developers worldwide trust without thinking twice. Watching these developments overseas gives us a head start before they spread.

Malware that knows when to hide

The malware linked to this campaign wasn’t basic. It came with anti-analysis checks that could detect if it was running in a sandbox or virtual machine. If it thought it was under observation, it stayed inert. Once in a real environment, it deployed persistence, data theft and monitoring tools.

The attack chain in motion

1. Attackers manipulated search results with keywords, domains and SEO plugins.

2. Victims landed on polished fake sites designed to mimic the real thing.

3. Downloads bundled the genuine app with malicious loaders and DLLs.

4. Malware performed environment checks before activating.

5. Persistence was set up using registry changes and startup shortcuts.

6. A connection to command-and-control servers was established.

7. The malware carried out data theft, keylogging and remote monitoring.

The takeaways

A top search result isn’t a guarantee of safety.

Trojanised installers hide in plain sight.

Attackers now test their work against defensive tools, just like legitimate developers do.

Hosting on trusted platforms is being abused.

What businesses can do

Route software installs through an internal catalogue or IT service desk, not public search.

Enforce application control and use DNS filtering to block suspicious domains.

Harden browsers with safe browsing tools and strip executable downloads from unknown sites.

Monitor for signs of DLL side-loading, registry changes and odd process chains.

Train staff to spot fake download pages and avoid “just Googling” installers.

Tune detections to catch anti-analysis behaviour such as VM checks and tampering with security tools.

Keep an eye on campaigns abroad as early warning signs.
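To make the monitoring advice above concrete, here is an added example (not code from Fortinet's report or from Intercity) that correlates Sysmon-style telemetry into the chain the article describes: an installer run from the Downloads folder, an unsigned DLL loaded from a user-writable path, a Run key, a Startup shortcut and an outbound connection. The event shape, paths, process IDs and addresses are constructed sample data, not values from the campaign.

```python
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape (ids: 1 process create,
# 3 network connect, 7 image load, 11 file create, 13 registry value set).
U = "C:\\Users\\alice"
STARTUP = U + "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 10, "image": U + "\\Downloads\\Chrome_Setup.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": U + "\\AppData\\Local\\Temp\\app\\update.exe"},
    {"id": 7, "pid": 200, "image_loaded": U + "\\AppData\\Local\\Temp\\app\\version.dll", "signed": False},
    {"id": 13, "pid": 200, "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"id": 11, "pid": 200, "target": STARTUP + "\\upd.lnk"},
    {"id": 3, "pid": 200, "dest": "203.0.113.5:443"},
    # Benign control: an ordinary program making one connection must not be flagged.
    {"id": 1, "pid": 300, "ppid": 10, "image": "C:\\Program Files\\Git\\git.exe"},
    {"id": 3, "pid": 300, "dest": "203.0.113.9:443"},
]
POST_INSTALL = {"unsigned_dll_from_user_path", "run_key_persistence", "startup_shortcut", "outbound_connection"}

def correlate(events, min_signals=2):
    """Return {pid: sorted signals} for processes descending from an installer run out
    of the Downloads folder that show at least min_signals post-install behaviours."""
    parent, signals = {}, defaultdict(set)
    for e in events:
        pid, eid = e["pid"], e["id"]
        if eid == 1:
            parent[pid] = e["ppid"]
            if "\\downloads\\" in e["image"].lower():
                signals[pid].add("launched_from_downloads")
        elif eid == 7:  # unsigned DLL from a user-writable path: side-load candidate
            path = e["image_loaded"].lower()
            if path.endswith(".dll") and not e.get("signed") and "\\users\\" in path:
                signals[pid].add("unsigned_dll_from_user_path")
        elif eid == 11:
            t = e["target"].lower()
            if "\\start menu\\programs\\startup\\" in t and t.endswith(".lnk"):
                signals[pid].add("startup_shortcut")
        elif eid == 13 and "\\currentversion\\run\\" in e["target"].lower():
            signals[pid].add("run_key_persistence")
        elif eid == 3:
            signals[pid].add("outbound_connection")
    flagged = {}
    for pid in list(signals):
        p, origin = pid, False  # walk the ancestry so children inherit the installer's origin
        while p in parent and not origin:
            origin = "launched_from_downloads" in signals[p]
            p = parent[p]
        hits = signals[pid] & POST_INSTALL
        if origin and len(hits) >= min_signals:
            flagged[pid] = sorted(hits)
    return flagged
```

Requiring several signals on one process tree is what keeps a single Run key write or a lone outbound connection from paging anyone; tune min_signals and the path filters to your own estate.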

Bottom line: SEO poisoning still works because it exploits human trust in search engines. The latest campaign shows how criminals blend strong SEO tactics with advanced malware that adapts to its environment. By tightening software controls, monitoring for side-loads and raising awareness among users, businesses can stay ahead of the threat.