SEO poisoning | Breaking Cybersecurity News | The Hacker News

Threat hunters have detailed an ongoing campaign that leverages a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source network computing platform called BOINC . "MintsLoader is a PowerShell based malware loader that has been seen delivered via spam emails with a link to Kongtuke/ClickFix pages or a JScript file," cybersecurity firm eSentire said in an analysis. The campaign has targeted electricity, oil and gas, and the legal services sectors in the United States and Europe, per the company, which detected the activity in early January 2025. The development comes amid a spike in malicious campaigns that are abusing fake CAPTCHA verification prompts to trick users into copying and executing PowerShell scripts to get around the checks, a technique that has come to be known ClickFix and KongTuke. "KongTuke involves an injected script that currently causes associated websites to displa...

Cybersecurity researchers have flagged a new malware called PLAYFULGHOST that comes with a wide range of information-gathering features like keylogging, screen capture, audio capture, remote shell, and file transfer/execution. The backdoor, according to Google's Mandiant Managed Defense team, shares functional overlaps with a known remote administration tool referred to as Gh0st RAT , which had its source code publicly leaked in 2008. PLAYFULGHOST's initial access pathways include the use of phishing emails bearing code of conduct-related lures or search engine optimization (SEO) poisoning techniques to distribute trojanized versions of legitimate VPN apps like LetsVPN. "In one phishing case, the infection begins by tricking the victim into opening a malicious RAR archive disguised as an image file by using a .jpg extension," the company said . "When extracted and executed by the victim, the archive drops a malicious Windows executable, which eventually dow...

A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands with the goal of stealing their personal information ahead of the Black Friday shopping season. "The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products as phishing lures to deceive victims into providing their Cardholder Data (CHD) and Sensitive Authentication Data (SAD) and Personally Identifiable Information (PII)," EclecticIQ said . The activity, first observed in early October 2024, has been attributed with high confidence to a Chinese financially motivated threat actor codenamed SilkSpecter. Some of the impersonated brands include IKEA, L.L.Bean, North Face, and Wayfare. The phishing domains have been found to use top-level domains (TLDs) such as .top, .shop, .store, and .vip, often typosquatting legitimate e-commerce organi...

In an unusually specific campaign, users searching about the legality of Bengal Cats in Australia are being targeted with the GootLoader malware. "In this case, we found the GootLoader actors using search results for information about a particular cat and a particular geography being used to deliver the payload: 'Are Bengal Cats legal in Australia?,'" Sophos researchers Trang Tang, Hikaru Koike, Asha Castle, and Sean Gallagher said in a report published last week. GootLoader , as the name implies, is a malware loader that's typically distributed using search engine optimization (SEO) poisoning tactics for initial access. Specifically, the malware is deployed onto victim machines when searching for certain terms like legal documents and agreements on search engines like Google surface booby-trapped links pointing to compromised websites that host a ZIP archive containing a JavaScript payload. Once installed, it makes way for a second-stage malware, often an...

A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign. The malvertising activity, observed in June 2024, is a departure from previously observed tactics wherein the malware has been propagated via traditional phishing emails, Unit 42 researchers Mark Lim and Tom Marsden said . WikiLoader, first documented by Proofpoint in August 2023, has been attributed to a threat actor known as TA544, with the email attacks leveraging the malware to deploy Danabot and Ursnif. Then earlier this April, South Korean cybersecurity company AhnLab detailed an attack campaign that leveraged a trojanized version of a Notepad++ plugin as the distribution vector. That said, the loader for rent is suspected to be used by at least two initial access brokers (IABs), per Unit 42, stating the attack chains are characterized by tactics that allow it to e...

The malware known as GootLoader continues to be in active use by threat actors looking to deliver additional payloads to compromised hosts. "Updates to the GootLoader payload have resulted in several versions of GootLoader, with GootLoader 3 currently in active use," cybersecurity firm Cybereason said in an analysis published last week. "While some of the particulars of GootLoader payloads have changed over time, infection strategies and overall functionality remain similar to the malware's resurgence in 2020." GootLoader, a malware loader part of the Gootkit banking trojan, is linked to a threat actor named Hive0127 (aka UNC2565). It abuses JavaScript to download post-exploitation tools and is distributed via search engine optimization (SEO) poisoning tactics. It typically serves as a conduit for delivering various payloads such as Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC. In recent months, the threat actors behind GootLoader have...

The loader-as-a-service (LaaS) known as FakeBat has become one of the most widespread loader malware families distributed using the drive-by download technique this year, findings from Sekoia reveal. "FakeBat primarily aims to download and execute the next-stage payload, such as IcedID , Lumma , RedLine , SmokeLoader , SectopRAT , and Ursnif ," the company said in a Tuesday analysis. Drive-by attacks entail the use of methods like search engine optimization (SEO) poisoning, malvertising, and nefarious code injections into compromised sites to entice users into downloading bogus software installers or browser updates. The use of malware loaders over the past few years dovetails with the growing use of landing pages impersonating legitimate software websites by passing them off as legitimate installers. This ties into the larger aspect that phishing and social engineering remain one of the threat actors' main ways to acquire initial access. FakeBat , also known as Eu...

Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices. "Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices from cyber attacks," Trellix security researcher Gurumoorthi Ramanathan  said . The list of websites is below - avast-securedownload[.]com, which is used to deliver the  SpyNote trojan  in the form of an Android package file ("Avast.apk") that, once installed, requests for intrusive permissions to read SMS messages and call logs, install and delete apps, take screenshot, track location, and even mine cryptocurrency bitdefender-app[.]com, which is used to deliver a ZIP archive file ("setup-win-x86-x64.exe.zip") that deploys the  Lumma  information stealer malw...

A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro. "The presence of multiple malware variants suggests a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralized command setup — possibly increasing the efficiency of the attacks," Recorded Future's Insikt Group  said  in a report. The cybersecurity firm, which is tracking the activity under the moniker GitCaught, said the campaign not only highlights the misuse of authentic internet services to orchestrate cyber attacks, but also the reliance on multiple malware variants targeting Android, macOS, and Windows to increase the success rate. Attack chains entail the use of fake profile...

The macOS information stealer known as Atomic is now being delivered to target via a bogus web browser update chain tracked as ClearFake. "This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system," Malwarebytes' Jérôme Segura  said  in a Tuesday analysis. Atomic Stealer (aka AMOS),  first documented  in April 2023, is a commercial stealer malware family that's sold on a subscription basis for $1,000 per month. It comes with capabilities to siphon data from web browsers and cryptocurrency wallets. Then in September 2023, Malwarebytes  detailed  an Atomic Stealer campaign that took advantage of malicious Google ads, tricking macOS users searching for a financial charting platform known as TradingView into downloading the malware. ClearFake, on the other hand, is a nascent malware distribution operation that employs comp...

Threat actors associated with the  BlackCat ransomware  have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application. "Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers  said  in an analysis published last week. "In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer." Malvertising   refers  to the use of  SEO poisoning techniques  to spread malware via online advertising. It typically involves hijacking a chosen set of keywords (e.g., "WinSCP Download") to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages. The idea is to trick users searching for applications like WinSCP into downloading malware, in this instance, a backdoor that contains...

In yet another instance of how threat actors are abusing Google Ads to serve malware, a threat actor has been observed leveraging the technique to deliver a new Windows-based financial trojan and information stealer called LOBSHOT . "LOBSHOT continues to collect victims while staying under the radar," Elastic Security Labs researcher Daniel Stepanic said in an analysis published last week. "One of LOBSHOT's core capabilities is around its hVNC (Hidden Virtual Network Computing) component. These kinds of modules allow for direct and unobserved access to the machine." The American-Dutch company attributed the malware strain to a threat actor known as  TA505  based on infrastructure historically connected to the group. TA505 is a financially motivated e-crime syndicate that overlaps with  activity clusters  tracked under the names Evil Corp, FIN11, and Indrik Spider. The latest development is significant because it's a sign that TA505, which is associate...

Portuguese users are being targeted by a new malware codenamed  CryptoClippy  that's capable of stealing cryptocurrency as part of a malvertising campaign. The activity leverages SEO poisoning techniques to entice users searching for "WhatsApp web" to rogue domains hosting the malware, Palo Alto Networks Unit 42  said  in a new report published today.  CryptoClippy, a C-based executable, is a type of  cryware  known as  clipper   malware  that monitors a victim's clipboard for content matching cryptocurrency addresses and substituting them with a wallet address under the threat actor's control. "The clipper malware uses regular expressions (regexes) to identify what type of cryptocurrency the address pertains to," Unit 42 researchers said. "It then replaces the clipboard entry with a visually similar but adversary-controlled wallet address for the appropriate cryptocurrency. Later, when the victim pastes the address from the clipbo...

Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing  GootLoader  and  FakeUpdates  (aka SocGholish) malware strains. GootLoader , active since late 2020, is a first-stage downloader that's capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware. It notably  employs  search engine optimization (SEO) poisoning to funnel victims searching for business-related documents toward drive-by download sites that drop the JavaScript malware. In the  campaign  detailed by cybersecurity company eSentire, the threat actors are said to have compromised legitimate, but vulnerable, WordPress websites and added new blog posts without the owners' knowledge. "When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader," eSentire researcher K...

A new malicious campaign has compromised  over 15,000 WordPress websites  in an attempt to redirect visitors to bogus Q&A portals. "These malicious redirects appear to be designed to increase the authority of the attacker's sites for search engines," Sucuri researcher Ben Martin  said  in a report published last week, calling it a "clever black hat SEO trick." The search engine poisoning technique is designed to promote a "handful of fake low quality Q&A sites" that share similar website-building templates and are operated by the same threat actor. A notable aspect of the campaign is the ability of the hackers to modify over 100 files per website on average, an approach that contrasts dramatically from other attacks of this kind wherein only a limited number of files are tampered with to reduce footprint and escape detection. Some of the most commonly infected pages consist of wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php...

A new malware capable of controlling social media accounts is being distributed through Microsoft's official app store in the form of trojanized gaming apps, infecting more than 5,000 Windows machines in Sweden, Bulgaria, Russia, Bermuda, and Spain. Israeli cybersecurity company Check Point dubbed the malware "Electron Bot," in reference to a command-and-control (C2) domain used in recent campaigns. The identity of the attackers is not known, but evidence suggests that they could be based out of Bulgaria. "Electron Bot is a modular SEO poisoning malware, which is used for social media promotion and click fraud," Check Point's Moshe Marelus  said  in a report published this week. "It is mainly distributed via the Microsoft store platform and dropped from dozens of infected applications, mostly games, which are constantly uploaded by the attackers." The first sign of malicious activity commenced as an ad clicker campaign that was discovered in O...