FortiGuard Labs uncovered an SEO poisoning campaign targeting Chinese users with fake software sites delivering Hiddengh0st and Winos malware.
# Incident Report: SEO Poisoning Campaign Delivering Hiddengh0st and Winos
## Executive Summary
In August 2025, FortiGuard Labs uncovered a large-scale SEO poisoning campaign predominantly targeting Chinese-speaking Microsoft Windows users. Attackers used manipulated search engine rankings and lookalike domains to trick victims into downloading legitimate software installers bundled with the Hiddengh0st and Winos malware families. The immediate impact involves potential system compromise, data theft, and the deployment of complex, heavily obfuscated malware designed to evade dynamic analysis.
## Incident Details
- Discovery Date: August 2025
- Incident Date: August 2025 (Ongoing campaign identified)
- Affected Organization: Not disclosed (Campaign targets end-users)
- Sector: General software users
- Geography: Targeted at Chinese-speaking users globally
## Timeline of Events
### Initial Access
- **Date/Time:** August 2025
- **Vector:** SEO Poisoning leading to malicious software download (Masquerading)
- **Details:** Attackers registered lookalike domains mimicking trusted software providers (e.g., DeepL). They manipulated search engine rankings using SEO plugins so that these fraudulent sites ranked highly in search results. Victims visited these sites believing they were downloading legitimate software installers.
### Lateral Movement
- **Details:** The provided analysis focuses primarily on the initial delivery and execution mechanism. Subsequent actions after malware execution (like lateral movement specific to Hiddengh0st/Winos) were not detailed, though elevation to administrator privileges during initial setup suggests components are capable of further system control.
### Data Exfiltration/Impact
- **Details:** The core impact involves the installation and execution of Hiddengh0st and Winos malware variants. The stolen information from prior campaigns can be used for future attacks, indicating data theft is a primary consequence.
### Detection & Response
- **Details:** FortiGuard Labs identified the campaign during a review of domains associated with tracked malicious IP addresses. Response actions involve publishing detailed IOCs and an analysis of the delivery chain to aid in broader defense.
## Attack Methodology
- **Initial Access:** SEO poisoning via lookalike domains and high search ranking manipulation.
- **Persistence:** Not explicitly detailed, but known malware families (Hiddengh0st, Winos) typically establish persistence mechanisms post-installation.
- **Privilege Escalation:** The MSI installer process self-elevates to **administrator privileges** upon launch.
- **Defense Evasion:** The injected DLL (`EnumW.dll`) performs multiple anti-analysis checks, including:
* **Parent Process Validation:** Exits if the parent process is not `msiexec.exe`.
* **Sleep Integrity Check:** Sends two HTTP queries to `www[.]baidu[.]com` 5 seconds apart; terminates if the measured elapsed time is less than 4 seconds, which exposes sandboxes that skip or accelerate sleep calls.
* **ACPI Table Inspection:** Queries ACPI firmware tables; terminates if the High Precision Event Timer (HPET) table is missing or if the ACPI table count is below eight (both treated as indicators of virtualization or a sandbox).
- **Credential Access:** Not explicitly detailed, but implied by the use of established malware families like Hiddengh0st.
- **Discovery:** Malware execution begins by reconstructing and decompressing `emoji.dat` after anti-analysis checks pass.
- **Lateral Movement:** Not explicitly described in the provided text.
- **Collection:** The malware reconstructs `emoji.dat` from dropped file fragments, which is then decompressed.
- **Exfiltration:** Implied by the malware's purpose, utilizing stolen information for future attacks.
- **Impact:** Installation of complex malware (Hiddengh0st/Winos) resulting in potential data theft and remote access capabilities.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Type of data stolen is not specified, other than confirming stolen information is used for future attacks.
- **Operational:** Not specified, though execution of high-severity malware implies system operational risk.
- **Reputational:** Minimal direct reputational impact on an organization, as the campaign targets end-users via public search engines.
## Indicators of Compromise
- **Domain Indicators (Defanged):**
* `deepl-fanyi[.]com`
* `aisizhushou[.]com`
* `telegramni[.]com`
* `wps1[.]com`
* `wws[.]c4p11[.]shop`
* Malicious payload paths hosted on `s3[.]ap-southeast-2[.]amazonaws[.]com` and `oss-ap-southeast-1[.]aliyuncs[.]com`.
* `xiazai1[.]aisizhushou[.]io`
* `xiazai2[.]aisizhushou[.]io`
- **IP Indicators (Defanged):**
* `137[.]220[.]152[.]99`
* `43[.]248[.]172[.]13`
* `202[.]95[.]8[.]47`
* `27[.]124[.]13[.]32`
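As an added example (not code from the FortiGuard report), the following Python sweep refangs the domain and IP indicators listed above and matches them against constructed proxy log lines; it goes slightly beyond the list by also flagging any subdomain of a listed domain. The log line format and the sample traffic are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Indicators copied from the report above, kept in their defanged form.
DEFANGED_DOMAINS = ["deepl-fanyi[.]com", "aisizhushou[.]com", "telegramni[.]com",
                    "wps1[.]com", "wws[.]c4p11[.]shop",
                    "xiazai1[.]aisizhushou[.]io", "xiazai2[.]aisizhushou[.]io"]
DEFANGED_IPS = ["137[.]220[.]152[.]99", "43[.]248[.]172[.]13",
                "202[.]95[.]8[.]47", "27[.]124[.]13[.]32"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into the live form seen in logs."""
    return indicator.replace("[.]", ".").lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}
def match_host(host: str) -> Optional[str]:
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DOMAINS:
            return candidate
    return None

# Assumed proxy log format: "<ts> <client_ip> <dest_ip> <METHOD> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) [A-Z]+ (\S+)$")
def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, matched_indicator) for lines touching the IOCs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed records instead of aborting the sweep
        ts, client, dest_ip, url = m.groups()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].split(":", 1)[0]
        hit = match_host(host) or (dest_ip if dest_ip in IPS else None)
        if hit:
            hits.append((ts, client, hit))
    return hits

# Constructed sample traffic (not real logs): the first line is a non-listed
# host and must not fire; the last line is malformed and is skipped.
SAMPLE_LOG = [
    "2025-08-12T09:01:03Z 10.0.0.5 203.0.113.10 GET https://www.deepl.com/translator",
    "2025-08-12T09:02:11Z 10.0.0.5 198.51.100.7 GET https://deepl-fanyi.com/download/setup.zip",
    "2025-08-12T09:02:40Z 10.0.0.9 198.51.100.8 GET http://download.aisizhushou.com/x.msi",
    "2025-08-12T09:03:02Z 10.0.0.9 137.220.152.99 POST http://137.220.152.99/beacon",
    "this line is not a proxy record",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` returns three hits: the lookalike DeepL domain, a subdomain of `aisizhushou.com`, and the listed IP.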
## Response Actions
- **Containment Measures:** Not specified for affected general users; Fortinet recommends utilizing FortiGuard IP Reputation and Anti-Botnet services to proactively block related infrastructure.
- **Eradication Steps:** Not specified for end-users; Fortinet suggested using Content Disarm and Reconstruction (CDR) on documents if applicable to related threats.
- **Recovery Actions:** Not specified; users are encouraged to contact Fortinet support if affected.
## Lessons Learned
- **Key Takeaways:** SEO poisoning remains a highly effective technique to drive targeted user traffic to malware distribution points, exploiting user trust in search engine results and branded software. Malware authors are incorporating sophisticated anti-analysis checks directly into initial execution stages (DLLs) to hamper automated reverse engineering efforts.
- **What could have been done better:** Users did not verify the authenticity of the download source, even though the sites were only lookalikes of the genuine vendors.
## Recommendations
- **Prevention measures for similar incidents:**
1. Implement advanced threat intelligence services (IP Reputation/Anti-Botnet) to block known malicious infrastructure upfront.
2. Utilize Content Disarm and Reconstruction (CDR) services to neutralize potential embedded threats in handled files.
3. Conduct mandatory security awareness training, like the FCF module, emphasizing social engineering tactics such as domain lookalikes and high search ranking manipulation.
4. Users should always download software directly from official publisher websites rather than relying solely on search engine results.