When Search Engines Turn Into Poison: SEO‑Based Malware Targeting Chinese Users
FortiGuard Labs has documented an SEO poisoning campaign that lures Chinese-speaking Windows users to fake software download sites. The trojanized installers served there drop Hiddengh0st and Winos variants that run anti-analysis checks, set up persistence, and exfiltrate data. This article walks through the attack chain and lists practical defensive steps.
Even a security engineer who handles malicious code every day may not expect a routine software search to compromise a system. FortiGuard Labs recently exposed an SEO poisoning attack that targets Chinese Windows users by disguising malicious payloads as legitimate software installers.
Attack Origin: SEO as an Invisible Killer
Attackers use search-engine-optimization techniques to push counterfeit sites to the top of Baidu or Google results. The fake sites mimic official pages: the domain is a lookalike with one or more characters swapped, and the visual design is copied. When a user clicks the top result for a query such as "DeepL translation software download", a multi-step redirect chain leads to a malicious script named nice.js, which serves a package that blends the legitimate software with hidden malicious components (Hiddengh0st and Winos variants).
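The lookalike domains described above are easiest to catch in DNS resolver logs, before the redirect chain completes. The following is an added example written for this article, not code from FortiGuard Labs or from the campaign: it folds common confusable characters, compares each queried name against a small allow-list of protected vendor domains, and reports confusables, near-misses, brand names on a foreign TLD and names that embed a brand. The allow-list, the log format and the log lines are constructed for illustration; the lookalike names are not indicators from the report.

```python
"""Flag lookalike domains in DNS query logs.

Added example, not code from FortiGuard Labs or the campaign. The allow-list,
the log format and the log lines are all constructed for illustration.
"""
import re
import unicodedata
from typing import List, Optional, Tuple

# Assumed allow-list of vendor domains whose brand we want to protect.
KNOWN_GOOD = ["deepl.com", "google.com", "microsoft.com"]

# Character swaps commonly used in lookalike domains (ASCII and Unicode confusables).
# Folding "1"->"l" etc. is for comparison only; digits in legitimate names
# (e.g. 360.cn) are folded too, so always compare against the allow-list.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "\u0131": "i", "\u03bf": "o"}

# Constructed log format: "<ts> client=<ip> query=<name> type=<rrtype>".
LOG_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+)")


def normalize(label: str) -> str:
    """Lowercase, NFKC-fold, then collapse confusable characters."""
    label = unicodedata.normalize("NFKC", label).lower()
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one swapped or dropped character is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Naive eTLD+1: the last two labels (fine for .com-style TLDs, not co.uk)."""
    return ".".join(domain.rstrip(".").lower().split(".")[-2:])


def classify(domain: str) -> Optional[str]:
    """Return a verdict for one queried name, or None if it is on the allow-list
    or does not resemble any protected brand."""
    reg = registrable(domain)
    if reg in KNOWN_GOOD:
        return None
    sld, tld = reg.split(".", 1)
    norm = normalize(sld)
    for good in KNOWN_GOOD:
        gsld, gtld = good.split(".", 1)
        gnorm = normalize(gsld)
        if norm == gnorm and tld == gtld:
            return f"confusable for {good}"       # deep1.com -> deepl.com
        if sld == gsld and tld != gtld:
            return f"brand {good} on other TLD"   # deepl.cn
        if levenshtein(norm, gnorm) == 1 and tld == gtld:
            return f"near-miss for {good}"        # deepI.com -> deepi.com
        if gsld in sld and sld != gsld:
            return f"embeds brand {good}"         # deepl-download.com
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, query, verdict) for every suspicious query in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            verdict = classify(m["query"])
            if verdict:
                hits.append((m["client"], m["query"], verdict))
    return hits


# Constructed sample log; the lookalike names are illustrative, not IOCs.
SAMPLE_DNS_LOG = """\
2025-08-04T09:12:01Z client=10.0.0.14 query=deepl.com type=A
2025-08-04T09:12:05Z client=10.0.0.14 query=deepl-download.com type=A
2025-08-04T09:13:22Z client=10.0.0.21 query=deep1.com type=A
2025-08-04T09:14:10Z client=10.0.0.21 query=cdn.deepI.com type=A
2025-08-04T09:15:00Z client=10.0.0.30 query=update.microsoft.com type=A
"""

if __name__ == "__main__":
    for client, query, verdict in scan(SAMPLE_DNS_LOG):
        print(f"{client}\t{query}\t{verdict}")
```

The registrable-domain split is deliberately naive (last two labels); for TLDs such as co.uk or com.cn substitute a public-suffix library. Feed the flagged names into the resolver's block list or sinkhole rather than alerting on every hit, since the "embeds brand" rule will also match legitimate partner and CDN hostnames.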
Malicious Payload Dissection: From Installation to Persistence
The counterfeit DeepL installer contains a malicious DLL named EnumW.dll alongside other disguised file fragments. Although the installation appears normal, the payload activates hidden behaviors:
Process verification: EnumW.dll checks whether it was loaded by Windows Installer (msiexec.exe); if not, it exits without doing anything.
Timing and hardware checks: The malware introduces delays and inspects hardware characteristics to detect sandboxes and virtual machines.
Behavior adaptation: If it detects security products such as 360 Total Security, it reduces its activity to avoid detection.
Once it is satisfied that it is running on a real system, the malware reconstructs its hidden components, copies them into system directories, and proceeds with the remaining infection steps.
Persistence mechanisms:
Registry modification: Creates autostart entries under names that look like legitimate system keys.
Shortcut hijacking: Rewrites shortcut launch paths so the payload starts automatically at boot.
TypeLib hijacking: Redirects a type-library registry reference to a malicious XML file, so the payload is loaded in place of the expected library.
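Each of the behaviors above leaves a distinct trace in endpoint telemetry: an unsigned DLL loaded by msiexec.exe from a temp directory, Run-key values pointing into user-writable paths or impersonating system binary names, a TypeLib registration repointed at a script or XML file, and a Startup-folder shortcut whose target lives under AppData. The triage script below is an added example for this article, not FortiGuard's or the malware's code. It applies those four rules to constructed Sysmon-style events; the user name, file paths, value names and the all-zero TypeLib GUID are placeholders, not indicators from the report.

```python
"""Triage endpoint telemetry for the behaviours described above.

Added example, not FortiGuard's or the malware's code. Events are constructed
to resemble Sysmon-style process/image-load/registry/file records; the paths,
value names and the all-zero TypeLib GUID are placeholders, not IOCs.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]
Finding = Tuple[str, str]

# Locations an unprivileged user can write to; payloads staged here are suspect.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads)|programdata)\\", re.I)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# HKCR\TypeLib\{guid}\<ver>\<lcid>\win32 (or the per-user HKCU\Software\Classes copy).
TYPELIB_WIN = re.compile(r"\\typelib\\\{[^}]+\}\\[^\\]+\\[^\\]+\\win(32|64)$", re.I)
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SCRIPT_HINTS = (".xml", ".sct", ".js", ".vbs")


def first_path(cmd: str) -> str:
    """Extract the executable path from a Run-key value, with or without quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def check(ev: Event) -> List[Finding]:
    """Apply the rules to one event; returns (rule, detail) pairs."""
    out: List[Finding] = []
    kind = ev["type"]
    if kind == "image_load":
        image, loaded = str(ev["image"]).lower(), str(ev["loaded"])
        # EnumW.dll only runs when its host is Windows Installer, so an unsigned
        # DLL loaded by msiexec.exe from a user-writable path is the trigger point.
        if image.endswith("\\msiexec.exe") and USER_WRITABLE.match(loaded) and not ev.get("signed"):
            out.append(("msiexec loaded unsigned DLL from user-writable path", loaded))
    elif kind == "registry_set":
        key, value = str(ev["key"]), str(ev["value"])
        if RUN_KEY.search(key):
            path = first_path(value)
            if USER_WRITABLE.match(path):
                out.append(("Run key autostart from user-writable path", key))
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\"):
                out.append(("Run key impersonates a system binary name", path))
        if TYPELIB_WIN.search(key):
            low = value.lower()
            # A type library registration should point at a .tlb/.dll/.ocx/.exe,
            # never at a scriptlet moniker or an XML/script file.
            if low.startswith("script:") or low.endswith(SCRIPT_HINTS):
                out.append(("TypeLib entry redirected to script/XML", value))
    elif kind == "file_create":
        path, target = str(ev["path"]).lower(), str(ev.get("target", ""))
        if (path.endswith(".lnk") and "\\start menu\\programs\\startup\\" in path
                and USER_WRITABLE.match(target)):
            out.append(("Startup shortcut targets user-writable path", target))
    return out


def triage(events: List[Event]) -> List[Finding]:
    """Run every event through the rules and collect the findings in order."""
    return [f for ev in events for f in check(ev)]


# Constructed telemetry approximating the chain described in the article.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec /i C:\Users\alice\Downloads\DeepL_Setup.msi"},
    {"type": "image_load", "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\MSI1A2B.tmp\EnumW.dll", "signed": False},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Classes\TypeLib\{00000000-0000-0000-0000-000000000000}\1.0\0\win32",
     "value": r"script:C:\Users\alice\AppData\Roaming\upd.xml"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeepL.lnk",
     "target": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The msiexec rule depends on knowing whether the loaded image is signed, which Sysmon event 7 reports in its Signed field; if your pipeline lacks that, fall back to alerting on any DLL that msiexec loads from a Temp or Downloads path and let the analyst verify the signature. The benign OneDrive Run key and the plain process-create record are included so the rules can be seen to stay quiet on normal installer activity.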
Final Payload: Data Theft and Monitoring Modules
After successful infection, the malware enters a “harvest” phase. The payload includes several modules:
Monitoring: Keylogging, clipboard surveillance, screen capture.
Data collection: System information, configuration updates, and cryptocurrency-wallet hijacking.
C2 communication: Interaction with command‑and‑control servers for remote task execution.
Plugin extension: Intercepts Telegram activity, indicating interest in social‑media data.
FortiGuard classifies these variants under the Hiddengh0st and Winos families. Stolen data can be reused for identity theft, ransomware, or other follow‑up attacks, posing a high‑severity threat to enterprises.
Defense Guide: Practical Countermeasures for Security Professionals
Multilingual security awareness training: Emphasize verification of software sources for Chinese users; discourage reliance on search‑engine rankings.
DNS filtering and browser hardening: Deploy DNS sinkholes and use extensions like uBlock Origin to block redirection chains.
Software download policy: Enforce whitelist‑based installation controls and monitor installations with MDM tools in enterprise environments.
Endpoint protection upgrades: Adopt EDR solutions with behavioral analytics (e.g., FortiEDR, CrowdStrike) so that the chain is caught on behavior (an installer loading an unsigned DLL, Run-key and TypeLib changes, keylogging) rather than on file signatures that the anti-analysis tricks are designed to evade.
Regular audits: Simulate SEO poisoning scenarios in penetration tests to assess response capabilities.
These low‑cost measures can significantly reduce risk, shifting defense from reactive to proactive.
This article has been distilled and summarized from source material and republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path