Date: 09/15/2025
Severity: High
Summary
In August 2025, Labs uncovered an SEO poisoning campaign targeting Chinese-speaking users. The attackers boosted the search rankings of malicious sites using SEO plugins and registered deceptive domains that closely resembled legitimate software websites. By subtly altering characters and using persuasive language, they lured victims into visiting spoofed pages and unknowingly downloading malware. Multiple fake websites were created to impersonate well-known software providers, distributing various malware families—most notably Hiddengh0st and variants of Winos. These threats were identified during our analysis of domains linked to monitored IP addresses. As SEO poisoning was the primary method used to deliver the malware, our article focuses specifically on that attack vector for clarity and brevity.
Indicators of Compromise (IOC) List
Domains/URLs:
deepl-fanyi.com
aisizhushou.com
telegramni.com
wps1.com
wws.c4p11.shop
bucket00716.s3.ap-southeast-2.amazonaws.com
znrce3z.oss-ap-southeast-1.aliyuncs.com
xiazai1.aisizhushou.io
xiazai2.aisizhushou.io

IP Addresses:
137.220.152.99
43.248.172.13
202.95.8.47
27.124.13.32

SHA-256 Hashes:
251f24e8c7e4fbe2868492b86972f24ac65e393affc63f82443303be3a2dbbb1
9b707db4247effdbb5f7c58a0dc00ebb2fddb56e92f987e47654590b54f6f3a6
182c79c6abd5e98d407bb1e6a7b2e633bd659c29ae539b80ceeb07b9db711b6a
a32d14f28c44ec6f9b4ad961b2eb4f778077613bdf206327a2afa92a7307d31a
ea59f20b418c9aa4551ac35f8398810e58735041d1625e77d13e369a701e273c
b15b642930f8903f7e8c4d8955347575afd2f2abee2ee2d612ba381442026bfd
02ef393076d293b8ba0cb1019a5a4fd27bc006466e295ad58c9850e93283bca4
2a1ae074a0406de514b3ab03c1747fd43813d8bad9c164f390103a0480f9a6aa
c3afd8224cea7a743a3dea8437ff7ed6f89a62cd8f6787c4f27593faec9fc4cb
66787d80ec42a289030bb080fa1ad596e60bd0db92dc6e1e9d66921ea23ccd0e
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains/URLs query:
domainname like "xiazai1.aisizhushou.io" or url like "xiazai1.aisizhushou.io" or siteurl like "xiazai1.aisizhushou.io"
  or domainname like "znrce3z.oss-ap-southeast-1.aliyuncs.com" or url like "znrce3z.oss-ap-southeast-1.aliyuncs.com" or siteurl like "znrce3z.oss-ap-southeast-1.aliyuncs.com"
  or domainname like "wps1.com" or url like "wps1.com" or siteurl like "wps1.com"
  or domainname like "deepl-fanyi.com" or url like "deepl-fanyi.com" or siteurl like "deepl-fanyi.com"
  or domainname like "bucket00716.s3.ap-southeast-2.amazonaws.com" or url like "bucket00716.s3.ap-southeast-2.amazonaws.com" or siteurl like "bucket00716.s3.ap-southeast-2.amazonaws.com"
  or domainname like "telegramni.com" or url like "telegramni.com" or siteurl like "telegramni.com"
  or domainname like "wws.c4p11.shop" or url like "wws.c4p11.shop" or siteurl like "wws.c4p11.shop"
  or domainname like "aisizhushou.com" or url like "aisizhushou.com" or siteurl like "aisizhushou.com"
  or domainname like "xiazai2.aisizhushou.io" or url like "xiazai2.aisizhushou.io" or siteurl like "xiazai2.aisizhushou.io"

IP Address query:
dstipaddress IN ("43.248.172.13","27.124.13.32","202.95.8.47","137.220.152.99")
  or srcipaddress IN ("43.248.172.13","27.124.13.32","202.95.8.47","137.220.152.99")

Hash query:
sha256hash IN ("ea59f20b418c9aa4551ac35f8398810e58735041d1625e77d13e369a701e273c","251f24e8c7e4fbe2868492b86972f24ac65e393affc63f82443303be3a2dbbb1","9b707db4247effdbb5f7c58a0dc00ebb2fddb56e92f987e47654590b54f6f3a6","182c79c6abd5e98d407bb1e6a7b2e633bd659c29ae539b80ceeb07b9db711b6a","a32d14f28c44ec6f9b4ad961b2eb4f778077613bdf206327a2afa92a7307d31a","b15b642930f8903f7e8c4d8955347575afd2f2abee2ee2d612ba381442026bfd","02ef393076d293b8ba0cb1019a5a4fd27bc006466e295ad58c9850e93283bca4","2a1ae074a0406de514b3ab03c1747fd43813d8bad9c164f390103a0480f9a6aa","c3afd8224cea7a743a3dea8437ff7ed6f89a62cd8f6787c4f27593faec9fc4cb","66787d80ec42a289030bb080fa1ad596e60bd0db92dc6e1e9d66921ea23ccd0e")
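The three queries above perform the same lookups an analyst would run outside the platform: a domain/URL match, a source/destination IP match and a SHA-256 match. The following Python is an added example, not code from Gurucul or from the referenced research, that applies the advisory's indicators to constructed log records so the matching logic can be exercised offline. It assumes record field names mirroring the query fields (domainname, url, siteurl, dstipaddress, srcipaddress, sha256hash), and it deliberately goes beyond the page's queries in one respect: it matches on the parsed hostname, so subdomains of a listed domain are flagged while unrelated domains that merely contain an indicator as a substring are not.

```python
from urllib.parse import urlsplit

# Indicators copied from the IOC list in this advisory.
IOC_DOMAINS = {
    "deepl-fanyi.com",
    "aisizhushou.com",
    "telegramni.com",
    "wps1.com",
    "wws.c4p11.shop",
    "bucket00716.s3.ap-southeast-2.amazonaws.com",
    "znrce3z.oss-ap-southeast-1.aliyuncs.com",
    "xiazai1.aisizhushou.io",
    "xiazai2.aisizhushou.io",
}
IOC_IPS = {"137.220.152.99", "43.248.172.13", "202.95.8.47", "27.124.13.32"}
IOC_SHA256 = {
    "251f24e8c7e4fbe2868492b86972f24ac65e393affc63f82443303be3a2dbbb1",
    "9b707db4247effdbb5f7c58a0dc00ebb2fddb56e92f987e47654590b54f6f3a6",
    "182c79c6abd5e98d407bb1e6a7b2e633bd659c29ae539b80ceeb07b9db711b6a",
    "a32d14f28c44ec6f9b4ad961b2eb4f778077613bdf206327a2afa92a7307d31a",
    "ea59f20b418c9aa4551ac35f8398810e58735041d1625e77d13e369a701e273c",
    "b15b642930f8903f7e8c4d8955347575afd2f2abee2ee2d612ba381442026bfd",
    "02ef393076d293b8ba0cb1019a5a4fd27bc006466e295ad58c9850e93283bca4",
    "2a1ae074a0406de514b3ab03c1747fd43813d8bad9c164f390103a0480f9a6aa",
    "c3afd8224cea7a743a3dea8437ff7ed6f89a62cd8f6787c4f27593faec9fc4cb",
    "66787d80ec42a289030bb080fa1ad596e60bd0db92dc6e1e9d66921ea23ccd0e",
}

# Field names are an assumption mirroring the TDIR queries above.
DOMAIN_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("dstipaddress", "srcipaddress")
HASH_FIELD = "sha256hash"

# Longest indicator first so a host is reported against its most specific entry.
_DOMAINS_BY_LENGTH = sorted(IOC_DOMAINS, key=len, reverse=True)


def normalize_host(value):
    """Return the lower-cased hostname from a bare domain, host:port or full URL."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # urlsplit only parses the authority after a scheme or '//'
    return (urlsplit(value).hostname or "").rstrip(".")


def domain_matches(value):
    """Return the IOC domain that value equals or is a subdomain of, else None."""
    host = normalize_host(value)
    for ioc in _DOMAINS_BY_LENGTH:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def match_event(event):
    """Return (field, indicator_type, indicator) hits for one log record (a dict)."""
    hits = []
    for field in DOMAIN_FIELDS:
        if field in event:
            ioc = domain_matches(event[field])
            if ioc is not None:
                hits.append((field, "domain", ioc))
    for field in IP_FIELDS:
        if event.get(field) in IOC_IPS:
            hits.append((field, "ip", event[field]))
    digest = event.get(HASH_FIELD, "").lower()  # some sources log hashes in upper case
    if digest in IOC_SHA256:
        hits.append((HASH_FIELD, "sha256", digest))
    return hits


def scan(events):
    """Return [(record id, hits)] for every record with at least one hit."""
    results = []
    for event in events:
        hits = match_event(event)
        if hits:
            results.append((event.get("id"), hits))
    return results


# Constructed sample records (not real telemetry), shaped like proxy, DNS and EDR events.
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://xiazai1.aisizhushou.io/setup.exe",
     "dstipaddress": "43.248.172.13"},
    {"id": 2, "domainname": "cdn.deepl-fanyi.com"},           # subdomain of an IOC
    {"id": 3, "url": "https://www.deepl.com/translator",         # legitimate vendor, no hit
     "dstipaddress": "198.51.100.7"},
    {"id": 4, "sha256hash":
     "251F24E8C7E4FBE2868492B86972F24AC65E393AFFC63F82443303BE3A2DBBB1"},
    {"id": 5, "siteurl": "wps1.com", "srcipaddress": "27.124.13.32"},
]

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_EVENTS):
        for field, kind, indicator in hits:
            print(f"record {record_id}: {field} matched {kind} IOC {indicator}")
```

Matching on the parsed hostname rather than with a substring `like` is the design choice worth keeping when porting this to a SIEM: it still catches hosts under a listed domain, but a domain such as notwps1.com does not trigger on the wps1.com indicator, and the case-folding on hashes avoids misses where an endpoint agent reports SHA-256 values in upper case.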
Reference:
https://www.fortinet.com/blog/threat-research/seo-poisoning-attack-targets-chinese-speaking-users-with-fake-software-sites