Full Report
A cybercrime gang known as Black Cat has been attributed to a search engine optimization (SEO) poisoning campaign that employs fraudulent sites advertising popular software to trick users into downloading a backdoor capable of stealing sensitive data. According to a report published by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and
Analysis Summary
# Threat Actor: Black Cat
## Attribution & Identity
Attributed to a cybercrime gang known as **Black Cat**. Analysis was conducted by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and Beijing Weibu Online (ThreatBook).
## Activity Summary
Black Cat is assessed to be active since at least **2022**. The primary activity described is a **Search Engine Optimization (SEO) poisoning campaign** used to distribute malware.
Historical activities include:
* Orchestrating attacks focused on **data theft and remote control**.
* In 2023, the group stole at least **$160,000 worth of cryptocurrency** by impersonating **AICoin**, a virtual currency trading platform.
* Recent operations specifically involve tricking users searching for popular software into downloading a backdoor.
* Between January 7 and 20, 2025, Black Cat allegedly compromised about **277,800 hosts across China**, reaching a peak of 62,167 compromised machines in a single day during that period.
## Tactics, Techniques & Procedures
- **Initial Access (Phishing/SEO Poisoning):** Employing SEO poisoning to push fraudulent sites (disguised as legitimate software download pages) to the top of search engine results (e.g., Microsoft Bing) for popular software.
- **Social Engineering:** Luring users via convincing, high-ranking phishing pages that mimic official software vendor designs.
- **Execution:** Directing users to download software installation packages *bundled* with malicious programs.
- **Persistence/Execution Chain:** The installer creates a desktop shortcut, which is used as the entry point to **side-load a malicious DLL** that launches the primary backdoor Trojan.
- **Exfiltration:** Stealing sensitive data from the compromised host computer.
- **Data Staging/Collection:** Stealing web browser data, logging keystrokes, and extracting clipboard contents.
## Targeting
- **Sectors:** Not explicitly stated beyond targeting general software users, but operations appear financially motivated (cryptocurrency theft).
- **Geography:** Specifically targeting **Chinese users** based on domain naming conventions (e.g., use of "cn" in domain names).
- **Victims:** Users searching for specific software, including **Google Chrome, Notepad++, QQ International, and iTools**.
## Tools & Infrastructure
- **Malware Families Used:** An undisclosed **backdoor Trojan**.
- **Infrastructure:**
  - **Fraudulent Domains:** `cn-notepadplusplus[.]com`, `cn-obsidian[.]com`, `cn-winscp[.]com`, `notepadplusplus[.]cn`.
  - **Redirection URL (mimicking GitHub):** `github.zh-cns[.]top`
  - **Command and Control (C2):** Hard-coded remote server at `sbido[.]com:2869`.
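As an added defender-side illustration (not code from the CNCERT/CC or ThreatBook report), the script below matches proxy or DNS URL records against the indicators listed above and generalises the campaign's `cn-<product>` / `<product>.cn` domain-naming pattern into a lookalike heuristic. The log lines and the `OFFICIAL` allow-list are constructed for the example, not taken from the report.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit
# Indicators exactly as listed in the report above (defanged with "[.]").
REPORT_IOCS = ["cn-notepadplusplus[.]com", "cn-obsidian[.]com", "cn-winscp[.]com",
               "notepadplusplus[.]cn", "github.zh-cns[.]top", "sbido[.]com:2869"]
IOC_HOSTS = {i.replace("[.]", ".").split(":")[0] for i in REPORT_IOCS}
IOC_SOCKETS = {i.replace("[.]", ".") for i in REPORT_IOCS if ":" in i}
# Product names the report's fraudulent domains impersonate; the heuristic below
# generalises their "cn-<product>" / "<product>.cn" naming pattern beyond those domains.
IMPERSONATED = ["notepadplusplus", "obsidian", "winscp"]
# Assumed allow-list of vendor domains (not from the report) the heuristic must not flag.
OFFICIAL = {"notepad-plus-plus.org", "obsidian.md", "winscp.net", "github.com"}

def classify_host(host: str, port: Optional[int] = None) -> Optional[str]:
    """Label a destination: C2 socket, listed report IOC, heuristic lookalike, or None."""
    host = host.lower().rstrip(".")
    if port and f"{host}:{port}" in IOC_SOCKETS:
        return "c2-ioc"
    if host in IOC_HOSTS:
        return "report-ioc"
    if host in OFFICIAL or any(host.endswith("." + o) for o in OFFICIAL):
        return None
    labels = host.split(".")
    for name in IMPERSONATED:
        if f"cn-{name}" in labels or host == f"{name}.cn" or host.endswith(f".{name}.cn"):
            return "lookalike"
    return None

def scan_url_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse '<timestamp> <client-ip> <url>' records; return (client, host, label) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed record
        u = urlsplit(parts[2])
        label = classify_host(u.hostname or "", u.port)
        if label:
            hits.append((parts[1], u.hostname, label))
    return hits

# Constructed sample log (not real traffic): one host walking the lure chain from the
# report, one on the vendor's official site, and one heuristic-only lookalike.
SAMPLE_LOG = [
    "2025-01-12T09:14:03Z 10.0.5.21 https://cn-notepadplusplus.com/download/npp-setup.exe",
    "2025-01-12T09:14:09Z 10.0.5.21 https://github.zh-cns.top/releases/setup.zip",
    "2025-01-12T09:15:40Z 10.0.5.21 http://sbido.com:2869/",
    "2025-01-12T09:20:11Z 10.0.5.33 https://notepad-plus-plus.org/downloads/",
    "2025-01-12T09:21:02Z 10.0.5.40 https://cn-winscp.net/download",
]
```

Exact-IOC hits are high confidence; a `lookalike` label only says the name fits the campaign's pattern and should be triaged, not blocked outright.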
## Implications
Black Cat poses a significant threat through its sophisticated use of SEO poisoning, which lets the group exploit high organic search visibility to distribute malware at scale directly to end-users actively seeking specific tools. The multi-stage execution chain, with a DLL side-loaded from a desktop shortcut, suggests a degree of technical proficiency. The large number of hosts compromised in a short period highlights the effectiveness and rapid spread potential of this technique. The operation is clearly financially driven, as evidenced by the past cryptocurrency theft.
## Mitigations
- Users should **refrain from clicking on links from unknown sources** found in search engine results.
- Users must **stick to trusted, official sources** for downloading software applications.
- Organizations should monitor for signs of backdoors, keystroke logging, and unusual data exfiltration, particularly on endpoints used by staff who frequently search for and download third-party utilities.