Malicious Ads Targeting Chinese Users with Fake Notepad++ and VNote Installers
Mar 15, 2024
Malvertising / Threat Intelligence
Chinese users looking for legitimate software such as Notepad++ and VNote on search engines like Baidu are being targeted with malicious ads and bogus links to distribute trojanized versions of the software and ultimately deploy Geacon , a Golang-based implementation of Cobalt Strike. "The malicious site found in the notepad++ search is distributed through an advertisement block," Kaspersky researcher Sergey Puzan said . "Opening it, an attentive user will immediately notice an amusing inconsistency: the website address contains the line vnote, the title offers a download of Notepad‐‐ (an analog of Notepad++, also distributed as open-source software), while the image proudly shows Notepad++. In fact, the packages downloaded from here contain Notepad‐‐." The website, named vnote.fuwenkeji[.]cn, contains download links to Windows, Linux, and macOS versions of the software, with the link to the Windows variant pointing to the official Gitee repository containing the Notepad-- ins