HiddenGh0st and kkRAT Target Chinese Users via Fake Sites

Two separate and sophisticated malware campaigns are targeting Chinese-speaking users by using search engine optimization (SEO) poisoning to trick them into downloading malicious software. The campaigns, recently documented by Fortinet and Zscaler, show a significant evolution in cyberattack tactics. 

The Fortinet Report 

A campaign discovered by Fortinet FortiGuard Labs in August 2025 has been using fake software sites to distribute malware families like HiddenGh0st and Winos (also known as ValleyRAT). According to researchers, the attackers manipulated search rankings and registered lookalike domains that closely mimicked legitimate software sites. By using convincing language and small character substitutions, they tricked users into visiting these spoofed pages and downloading trojanized installers. 

The attack chain begins when a user searches for a common tool like Google Chrome or WhatsApp. They are redirected to a fake site where a multi-step script controls the malware delivery. The installer contains both the legitimate application and a malicious payload. The malware performs several anti-analysis checks, including extracting a DLL to slow down analysis tools and checking for specific antivirus software. If the malware is not detected, it establishes persistence and begins its primary functions: communicating with a remote server, collecting system and user data, and monitoring for user activity. The malware can also download additional plugins to log keystrokes, steal clipboard data, and even hijack cryptocurrency wallets. 

The Zscaler Report 

Separately, Zscaler ThreatLabz has flagged another campaign that is also targeting Chinese-speaking users with a previously undocumented malware called kkRAT. This campaign also uses fake installer pages that are hosted on GitHub Pages to deliver three different trojans: kkRAT, Winos, and FatalRAT. 

The installer for this campaign is highly sophisticated. It first checks to see if it is running in a sandbox or a virtual machine and then requests administrator privileges. If granted, it uses a "Bring Your Own Vulnerable Driver" (BYOVD) technique to disarm antivirus software and disable all active network adapters. The malware specifically targets five common antivirus programs to ensure its persistence. Once the antivirus software is disabled, the malware re-enables network connectivity and proceeds to download its final payload in stages. 

The kkRAT malware itself has a wide range of features. It shares code similarities with Gh0st RAT and can perform functions like capturing the screen, logging keystrokes and clipboard data, and facilitating remote command execution. It can even act as a "clipper" by replacing cryptocurrency wallet addresses copied to the clipboard with the attacker’s own. These campaigns underscore the importance of carefully inspecting domain names before downloading software, even from highly ranked search results. 
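As an added example (not from either report, and not a tool from Fortinet or Zscaler), a small Python check for the lookalike-domain trick described above: it folds the common character substitutions attackers use, then flags hosts that sit within one edit of, embed, or are prefixed by a known software vendor's domain. The allowlist and the substitution map are assumptions for illustration.

```python
# Assumed allowlist of legitimate software-download domains (illustrative only).
LEGIT_DOMAINS = {"google.com", "whatsapp.com", "telegram.org"}

# Visually similar substitutions folded before comparison (assumed map).
MULTI_CHAR = (("rn", "m"), ("vv", "w"))
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(host: str) -> str:
    """Lower-case the host and undo common look-alike character swaps."""
    host = host.lower().strip(".")
    for pair, single in MULTI_CHAR:
        host = host.replace(pair, single)
    return host.translate(SINGLE_CHAR)


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (enough for .com/.org)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, legit=LEGIT_DOMAINS, max_distance: int = 1):
    """Return the legitimate domain `host` appears to impersonate, else None."""
    host = host.lower().strip(".")
    if registrable(host) in legit:
        return None                      # genuinely the vendor's domain
    norm = registrable(normalize(host))
    for real in legit:
        if host.startswith(real + "."):  # vendor domain used as a subdomain
            return real
        if norm == real or edit_distance(norm, real) <= max_distance:
            return real                  # one character swap/typo away
        if real.split(".")[0] in norm.split(".")[0]:
            return real                  # brand name embedded, e.g. "<brand>-download"
    return None
```

Hosts it flags should be treated as candidates for review, not blocked outright: the brand-embedding rule in particular will also match legitimate third-party mirrors.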
