Black Cat Group Associated With Software Search-Targeting SEO Poisoning Campaign

A coordinated campaign pushed malicious URLs to the top of search results for well-known software tools, quietly steering users who believed they were downloading routine software into installing a backdoor built for data theft and monitoring.

According to a joint assessment by China's national CERT and a private security vendor, a cybercrime group tracked as Black Cat was behind a large-scale search engine manipulation effort that exploited users' trust in well-known software brands. The operation relied less on technical exploits than on careful mimicry: convincing websites, familiar download buttons, and search results crafted to look authentic.


The effort, described by ThreatBook and the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), shows how search activity itself has become an attack surface, especially when paired with regional cues and popular program names.

A Backdoor Concealed in Well-Known Downloads

The activity centers on a backdoor Trojan that connects to the hard-coded remote server “sbido[.]com:2869.” Once installed, the malware can capture clipboard contents, log keystrokes, collect browser data, and exfiltrate other private data from the infected computer.

According to investigators, the malware is not usually delivered in overtly suspicious files. Instead, it is bundled in software installation packages that look normal to users. The objective is persistence and quiet data collection rather than immediate disruption, so infected systems remain under remote control without obvious signs of compromise.

Search Results as the Entry Point

The infections trace back to an SEO poisoning tactic that pushed fake websites to the top of search results on platforms such as Microsoft Bing. Users who searched for common programs such as Notepad++, Google Chrome, QQ International, and iTools were shown high-ranking results that closely resembled official download pages.

In one recent wave, Notepad++ searches directed users to “cn-notepadplusplus[.]com,” a phishing domain posing as a related website. The campaign was also associated with the domains “cn-obsidian[.]com,” “cn-winscp[.]com,” and “notepadplusplus[.]cn.” Researchers noted that the recurring “cn” in the domain names was a deliberate cue aimed at Chinese users searching in their own language or region.


When victims clicked a download button on these sites, they were redirected once more, this time to a GitHub lookalike hosted at “github.zh-cns[.]top,” from which they downloaded a ZIP file.
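The indicators above (the C2 host and port from the backdoor section and the lookalike domains in this one) lend themselves to a simple log check. The following is an added example, not code from the report or from CNCERT/CC or ThreatBook. It scans constructed proxy log lines for the published indicators and, going beyond them, for the general pattern the campaign uses: a software brand name on a host that is not the brand's own apex domain, optionally combined with the “cn” region cue the researchers pointed out. The mapping of brands to official apex domains and the log line format are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators published in the CNCERT/CC and ThreatBook report, refanged for matching.
KNOWN_IOC_HOSTS = {
    "cn-notepadplusplus.com", "cn-obsidian.com", "cn-winscp.com",
    "notepadplusplus.cn", "github.zh-cns.top", "sbido.com",
}
C2_HOST, C2_PORT = "sbido.com", 2869

# Brand tokens mapped to the apex domain assumed here to be the legitimate
# distribution site. Assumption made for this example, not taken from the report.
BRAND_APEX = {
    "notepadplusplus": "notepad-plus-plus.org",
    "obsidian": "obsidian.md",
    "winscp": "winscp.net",
    "github": "github.com",
}

# Constructed proxy log format: "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def apex(host: str) -> str:
    """Last two labels of a hostname (sufficient for the TLDs used here)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def has_region_cue(host: str) -> bool:
    """The 'cn' cue from the report: a .cn TLD or cn-/-cn/zh-cn inside the name."""
    return host.endswith(".cn") or any(cue in host for cue in ("cn-", "-cn", "zh-cn"))


def classify(url: str):
    """Return a verdict string for a URL, or None if nothing suspicious is seen."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return None
    if host == C2_HOST and parts.port == C2_PORT:
        return "c2-beacon"
    if host in KNOWN_IOC_HOSTS:
        return "known-ioc"
    # Generalisation: a brand name inside a host that is not the brand's own apex.
    flat = host.replace("-", "")  # so "notepad-plus-plus" also matches "notepadplusplus"
    for token, legit in BRAND_APEX.items():
        if token in flat and apex(host) != legit:
            return "brand-lookalike+region-cue" if has_region_cue(host) else "brand-lookalike"
    return None


def scan_log(lines):
    """Return (client-ip, host, verdict) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = classify(m["url"])
        if verdict:
            hits.append((m["src"], (urlsplit(m["url"]).hostname or "").lower(), verdict))
    return hits


# Constructed sample log for this example; the hosts on lines 2-4 are the report's indicators.
SAMPLE_LOG = """\
2025-12-15T09:58:11Z 10.0.0.5 GET https://www.bing.com/search?q=notepad%2B%2B+download
2025-12-15T09:58:40Z 10.0.0.5 GET https://cn-notepadplusplus.com/download.html
2025-12-15T09:58:52Z 10.0.0.5 GET https://github.zh-cns.top/release/npp.zip
2025-12-15T10:02:07Z 10.0.0.5 CONNECT tcp://sbido.com:2869
2025-12-15T10:05:30Z 10.0.0.7 GET https://notepad-plus-plus.org/downloads/
2025-12-15T10:06:14Z 10.0.0.9 GET https://winscp-cn.example/setup.exe
""".splitlines()

if __name__ == "__main__":
    for src, host, verdict in scan_log(SAMPLE_LOG):
        print(f"{src:<10} {host:<28} {verdict}")
```

The brand-lookalike rule is a heuristic and will fire on mirrors and third-party download sites; treat those hits as a triage queue rather than a verdict, and extend BRAND_APEX with the brands your users actually search for.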

Side-Loading and Silent Installation

Inside the ZIP file, investigators found an installer that created a desktop shortcut. Launching that shortcut side-loaded a malicious DLL, which in turn started the backdoor Trojan. Because the chain exploited no software flaws and required no technical steps from the user, it was hard to spot using conventional warning indicators.

The download pages were meticulously designed to mimic authentic software distribution portals, according to CNCERT/CC and ThreatBook. After the software was installed, the backdoor silently stole data from the host machine without the user’s knowledge.
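A first-pass triage of a delivered archive can look for the shape the investigators describe: a shortcut, an executable for it to launch, and a DLL sitting beside that executable where the Windows loader would pick it up. The following is an added example, not code from the report; the archive contents are constructed in the block and the file names are illustrative, not the campaign's.

```python
import io
import zipfile
from collections import defaultdict


def triage_zip(data: bytes):
    """Flag directories in a ZIP that pair a .lnk with an .exe and a PE .dll.

    Heuristic only: a legitimate installer can ship DLLs next to its executable,
    so a hit means "inspect", not "malicious".
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        by_dir = defaultdict(list)
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, _, base = info.filename.rpartition("/")
            base = base.lower()
            # Only count a .dll that really is a PE image (starts with "MZ"),
            # so a stray text file named *.dll does not trigger the rule.
            if base.endswith(".dll"):
                with zf.open(info) as fh:
                    if fh.read(2) != b"MZ":
                        continue
            by_dir[folder].append(base)
    for folder, files in by_dir.items():
        lnks = [f for f in files if f.endswith(".lnk")]
        exes = [f for f in files if f.endswith(".exe")]
        dlls = [f for f in files if f.endswith(".dll")]
        if lnks and exes and dlls:
            findings.append({"dir": folder or ".", "shortcuts": lnks, "exes": exes, "dlls": dlls})
    return findings


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. File names are illustrative and not from the report.
SUSPECT_ZIP = build_zip({
    "NotepadPlusPlus/Notepad++.lnk": b"L\x00\x00\x00",    # shortcut stub
    "NotepadPlusPlus/setup.exe": b"MZ" + b"\x00" * 62,    # fake PE stub
    "NotepadPlusPlus/version.dll": b"MZ" + b"\x00" * 62,  # DLL beside the exe
})
BENIGN_ZIP = build_zip({
    "Tool/Tool.lnk": b"L\x00\x00\x00",
    "Tool/setup.exe": b"MZ" + b"\x00" * 62,
    "Tool/notes.dll": b"not a PE image",                  # fails the MZ check
})

if __name__ == "__main__":
    print(triage_zip(SUSPECT_ZIP))
    print(triage_zip(BENIGN_ZIP))
```

In practice the next step for a hit is to compare the DLL's export names against the executable's import table and check the executable's code signature, since side-loading typically pairs a signed, legitimate binary with an attacker-supplied DLL it expects to find next to itself.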

Scale, Targeting, and a Longer Pattern

The campaign reached a wide audience. Black Cat is estimated to have compromised about 277,800 hosts in China between December 7 and 20, 2025, with a peak of 62,167 newly infected machines in a single day. Numbers of that size point to a large, automated distribution scheme rather than isolated incidents.

According to researchers, the group has been active since at least 2022 and has repeatedly used SEO poisoning to spread malware built for remote access and data theft. In a 2023 operation, Black Cat was linked to the theft of at least $160,000 in cryptocurrency by impersonating the virtual currency trading site AICoin.

CNCERT/CC urged users to download software only through reputable, official channels rather than clicking links from unidentified sources.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
