A technical analysis published by CNCERT/CC and ThreatBook said a cybercrime gang known as Black Cat used search engine optimization poisoning to push fake software download sites in China in December 2025, compromising about 277,800 hosts between December 7 and 20 and peaking at 62,167 compromised machines in one day.
KEY FACTS
- Incident: SEO poisoning campaign distributing a backdoor
- Affected hosts: about 277,800 compromised in China, Dec 7–20, 2025
- Technique: fake download sites promoted in search results for popular software
- Malware: steals browser data, logs keystrokes and copies clipboard contents
- Command server: hard-coded contact to sbido[.]com:2869
Search results for programs such as Notepad++, Google Chrome, QQ International and iTools were seeded with high-ranking phishing pages that led users to counterfeit download pages.
Visitors who clicked a download button were redirected to a site that mimicked GitHub and provided a ZIP archive. The archive contained an installer that created a desktop shortcut used to side-load a malicious DLL and launch the backdoor.
Domains used in the campaign include cn-notepadplusplus[.]com, cn-obsidian[.]com, cn-winscp[.]com and notepadplusplus[.]cn, indicating a focus on users seeking Chinese language downloads.
The backdoor connects to a hard-coded command server and can exfiltrate web browser data, record keystrokes and capture clipboard contents.
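A log sweep for the indicators quoted above, as an added example (not tooling from CNCERT/CC or ThreatBook); the log layout, the official-domain allowlist and the synthetic .example host are assumptions.

```python
"""Sweep proxy-style log lines for the article's indicators: lookalike domains and the C2 host."""
import re
# Indicators taken from the article (de-fanged brackets removed).
CAMPAIGN_DOMAINS = {"cn-notepadplusplus.com", "cn-obsidian.com",
                    "cn-winscp.com", "notepadplusplus.cn"}
C2_HOST, C2_PORT = "sbido.com", 2869
# Impersonated products; non-allowlisted domains carrying these names deserve a look.
PRODUCT_KEYWORDS = ("notepadplusplus", "obsidian", "winscp", "chrome", "itools")
# Assumed allowlist of official download hosts; extend from vendor documentation.
ALLOWLIST = {"notepad-plus-plus.org", "obsidian.md", "winscp.net", "google.com"}
# Assumed log layout: "<timestamp> <src_ip> <dest_host> <dest_port> <method> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")

def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the .com/.cn/.md names here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(host, port):
    """Return a reason string when (host, port) matches an indicator, else None."""
    base = registrable(host)
    if base == C2_HOST:
        return f"contact with hard-coded C2 host (port {port}, expected {C2_PORT})"
    if base in CAMPAIGN_DOMAINS:
        return "known fake download domain"
    if base in ALLOWLIST:
        return None
    if any(k in base.replace("-", "") for k in PRODUCT_KEYWORDS):
        return "lookalike of an impersonated product"
    return None

def scan(lines):
    """Return (src_ip, host, port, reason) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # skip lines that do not fit the assumed layout
            continue
        _ts, src, host, port, _method, _path = m.groups()
        reason = classify(host, int(port))
        if reason:
            hits.append((src, host, int(port), reason))
    return hits

# Constructed sample traffic (not from the report); the .example host is synthetic.
SAMPLE_LOG = [
    "2025-12-10T08:12:03Z 10.0.0.5 cn-notepadplusplus.com 443 GET /download",
    "2025-12-10T08:15:41Z 10.0.0.5 sbido.com 2869 CONNECT -",
    "2025-12-10T09:01:00Z 10.0.0.7 winscp-download.example 443 GET /setup.zip",
]
```

The keyword heuristic is deliberately loose, so treat its hits as leads to triage against the allowlist rather than as confirmed infections.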
Earlier activity attributed to the group includes a 2023 campaign that stole at least $160,000 in cryptocurrency by impersonating a virtual currency trading platform. Users are advised to avoid links from unknown sources and to download software only from official vendor sites or trusted repositories.
WHY IT MATTERS
Search engine manipulation can push malicious installers to many users and lead to large-scale data theft and remote access once the downloads are run. Enterprises and individual users should verify download sources and monitor for signs of credential and browser data theft.