A cybercrime gang known as Black Cat has been attributed to a search engine optimization (SEO) poisoning campaign that employs fraudulent sites advertising popular software to trick users into downloading a backdoor capable of stealing sensitive data.
According to a report published by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and Beijing Weibu Online (aka ThreatBook), the activity is designed to strategically push bogus sites to the top of search results on search engines like Microsoft Bing, specifically targeting users looking for programs like Google Chrome, Notepad++, QQ International, and iTools.
"After visiting these high-ranking phishing pages, users are lured by carefully constructed download pages, attempting to download software installation packages bundled with malicious programs," CNCERT/CC and ThreatBook said. "Once installed, the program implants a backdoor Trojan without the user's knowledge, leading to the theft of sensitive data from the host computer by attackers."
Black Cat is assessed to be active since at least 2022, orchestrating a series of attacks designed for data theft and remote control using malware distributed via SEO poisoning campaigns. In 2023, the group is said to have stolen at least $160,000 worth of cryptocurrency by impersonating AICoin, a popular virtual currency trading platform.
In the latest set of attacks, users searching for Notepad++ are served links to a convincing phishing site masquerading as associated with the software program ("cn-notepadplusplus[.]com"). Other domains registered by Black Cat include "cn-obsidian[.]com," "cn-winscp[.]com," and "notepadplusplus[.]cn."
The inclusion of "cn" in the domain names indicates that the threat actors are specifically going after Chinese users who may be looking for such tools via search engines.
Should unsuspecting users end up clicking the "download" button on the fake website, they are redirected to another URL that mimics GitHub ("github.zh-cns[.]top") from where a ZIP archive can be downloaded. Present within the ZIP file is an installer that creates a shortcut on the user's desktop. The shortcut acts as the entry point for side-loading a malicious DLL that, in turn, launches the backdoor.
The malware establishes contact with a hard-coded remote server ("sbido[.]com:2869"), allowing it to steal web browser data, log keystrokes, extract clipboard contents, and other valuable information from the compromised host.
CNCERT/CC and ThreatBook noted that the Black Cat cybercrime syndicate has compromised about 277,800 hosts across China between December 7 and 20, 2025, with the highest daily number of compromised machines within the country scaling a high of 62,167.
To mitigate the risk, users are advised to refrain from clicking on links from unknown sources and stick to trusted sources for downloading software.
