Date: 04/16/2026
Severity: Medium
Summary
Users searching for “TestDisk” are redirected via SEO poisoning to a malicious site (testdisk[.]dev). The site uses JavaScript to generate one-time URLs that deliver a fake “PhotoRec” installer. Victims download a ZIP and run testdisk-7.3.exe, which is actually a renamed Microsoft Setup binary. The binary side-loads a malicious autorun.dll from a hidden folder, triggering the attack chain. An MSI payload installs both legitimate TestDisk and a trojanized ScreenConnect client with persistence mechanisms. The malware connects to a remote server, giving attackers full system access and control.
Indicators of Compromise (IOC) List
Domains/URLs:
  directdownload.icu
  direct-download.gleeze.com
  testdisk.dev
  https://www.testdisk.dev/download.html
IP Address:
  193.42.11.108
Hash (SHA-256):
  1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domains/URLs):
  domainname like "direct-download.gleeze.com" or url like "direct-download.gleeze.com" or siteurl like "direct-download.gleeze.com" or domainname like "directdownload.icu" or url like "directdownload.icu" or siteurl like "directdownload.icu" or domainname like "testdisk.dev" or url like "testdisk.dev" or siteurl like "testdisk.dev" or domainname like "https://www.testdisk.dev/download.html" or url like "https://www.testdisk.dev/download.html" or siteurl like "https://www.testdisk.dev/download.html"
Detection Query 2 (IP address):
  dstipaddress IN ("193.42.11.108") or srcipaddress IN ("193.42.11.108")
Detection Query 3 (file hash):
  sha256hash IN ("1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5")
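The three detection queries above, re-expressed as an added Python example (not code from the advisory or from Gurucul) over constructed log records so the matching logic can be exercised offline; the field names follow the queries, while the dict-shaped record and the sample records are assumptions. It anchors the domain match on label boundaries (subdomains of an IOC domain still fire, lookalike hosts that merely contain the string do not) rather than using a plain substring test.

```python
from urllib.parse import urlparse

# IOCs exactly as listed in the advisory above
IOC_DOMAINS = {"directdownload.icu", "direct-download.gleeze.com", "testdisk.dev"}
IOC_URLS = {"https://www.testdisk.dev/download.html"}
IOC_IPS = {"193.42.11.108"}
IOC_SHA256 = {"1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5"}

def _host(value):
    """Host part of a bare domain or a full URL, lowercased."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.split("/")[0].lower()

def _domain_hit(value):
    """Query 1: exact host or subdomain match (www.testdisk.dev -> testdisk.dev),
    or an exact URL match. Matching is anchored on label boundaries so that a
    host which merely contains an IOC string does not fire."""
    if not value:
        return False
    if value.lower() in IOC_URLS:
        return True
    host = _host(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def match_record(rec):
    """Return the query numbers (1 = domain/URL, 2 = IP, 3 = hash) that fire on
    one log record. Record shape (a flat dict) is an assumption of this example."""
    hits = []
    if any(_domain_hit(rec.get(f)) for f in ("domainname", "url", "siteurl")):
        hits.append(1)
    if rec.get("dstipaddress") in IOC_IPS or rec.get("srcipaddress") in IOC_IPS:
        hits.append(2)
    if (rec.get("sha256hash") or "").lower() in IOC_SHA256:
        hits.append(3)
    return hits

# Constructed sample records, not real telemetry
SAMPLE = [
    {"url": "https://www.testdisk.dev/download.html", "dstipaddress": "203.0.113.7"},
    {"domainname": "cdn.direct-download.gleeze.com", "dstipaddress": "193.42.11.108"},
    {"sha256hash": "1B2555B09AC62164638F47C8272BEB6B0F97186E37D3A54CB84C723FF7A2EEE5"},
    {"domainname": "www.example.org", "dstipaddress": "198.51.100.20"},
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE):
        print(i, match_record(rec))  # [1], [1, 2], [3], []
```

Hashes are compared case-insensitively because different log sources emit SHA-256 values in different cases.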
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-04-15-SEO-Poisoning.txt