Chinese Users Targeted by Malware Campaigns via Spoofed Downloads and SEO Poisoning Cybersecurity researchers from Fortinet FortiGuard Labs and Zscaler ThreatLabz have uncovered malware campaigns targeting Chinese users seeking popular software downloads. Attackers are leveraging typosquatted domains, SEO poisoning, and GitHub Pages to distribute remote access trojans (RATs), including new and sophisticated variants. ### Key Campaigns and Tactics 1. SEO Poisoning & Trojanized Installers - Threat actors created fake download pages for widely used applications, including Google Chrome, Signal, Telegram, WhatsApp, WPS Office, and DeepL Translate. - Using SEO manipulation, they tricked users into visiting malicious sites, where trojanized installers delivered HiddenGh0st and Winos both variants of the notorious Gh0st RAT. 2. kkRAT: A New and Evasive Threat - Zscaler identified kkRAT, a previously unknown trojan with Gh0st RAT and Big Bad Wolf code similarities, active since May 2024. - Features include: - Clipboard hijacking to replace cryptocurrency wallet addresses. - Remote monitoring via tools like Sunlogin and GotoHTTP. - Antivirus evasion by disabling security software, including 360 Internet Security, 360 Total Security, and HeroBravo System Diagnostics. - The malware uses encrypted network communication to avoid detection. 3. GitHub Pages Exploited for Phishing - Unlike the typosquatted domains in Fortinet’s findings, the kkRAT campaign abused GitHub Pages to host phishing sites, exploiting the platform’s trusted reputation. - The malicious GitHub account has since been terminated. ### Impact These campaigns highlight a growing trend of social engineering and supply-chain deception, where attackers exploit trust in legitimate platforms and software to deploy malware. The use of advanced RATs with antivirus evasion and cryptocurrency theft capabilities underscores the evolving sophistication of cyber threats targeting Chinese users.