Chinese malware is flooding GitHub pages - HiddenGh0st, Winos and kkRAT hit devs via SEO poisoning
Date:
Mon, 15 Sep 2025 21:00:00 +0000
Description:
Users searching for different programs are at risk from at least five
different RATs.
FULL STORY
Chinese users looking to download popular browsers and communications
software are being targeted by several malware variants that grant
attackers remote access to the victim's machine. This is according to multiple cybersecurity organizations, including Fortinet FortiGuard Labs and Zscaler ThreatLabz.
The former discovered an SEO poisoning campaign delivering two Remote Access Trojans (RATs), HiddenGh0st and Winos, both variants of the infamous Gh0st RAT.
In the campaign, the threat actors created spoofed download pages for
programs such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, and WPS Office, on typosquatted domains.
Stealing crypto and disabling AV
They then manipulated search rankings using various SEO plugins to trick people searching for these programs into visiting the wrong sites. The
download seemingly installs the wanted program, but the installer is
trojanized and also drops one of the above-mentioned RATs.
At the same time, researchers from Zscaler observed a previously unknown trojan, called kkRAT, being disseminated. This campaign started in May this year and also includes Winos and FatalRAT.
kkRAT's code is similar to that of Gh0st RAT and Big Bad Wolf, Zscaler explained: "kkRAT employs a network communication protocol similar to Gh0st
RAT, with an added encryption layer after data compression. The RAT's
features include clipboard manipulation to replace cryptocurrency addresses
and the deployment of remote monitoring tools (i.e. Sunlogin, GotoHTTP)."
It is also capable of killing antivirus software before running any malicious activity, to better hide its presence. Among the AV solutions targeted by the trojan are 360 Internet Security suite, 360 Total Security, HeroBravo System Diagnostics suite, and others.
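The clipboard-swapping ("clipper") behaviour mentioned above has a simple observable signature on the host: the clipboard goes from one cryptocurrency address to a different address of the same family, and the write comes from a process other than the one the user is working in. The following is an added example, not kkRAT's code and not Zscaler's detection logic, of a heuristic that flags exactly that. All process IDs, the attacker address and the ETH addresses are constructed for the demonstration; on Windows the writing process would be obtained from GetClipboardOwner plus GetWindowThreadProcessId, and the events here stand in for that feed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example of a clipper heuristic. A clipper overwrites a copied
# cryptocurrency address with the attacker's own; the symptom is a clipboard
# write that turns one address into a different same-family address, made by
# a process other than the foreground one. Events below are constructed.

ADDRESS_PATTERNS = {
    # Legacy base58 (P2PKH/P2SH) and bech32 Bitcoin addresses.
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,59})$"),
    # EVM-style 20-byte hex addresses.
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class ClipboardEvent:
    content: str
    owner_pid: int       # process that wrote the clipboard
    foreground_pid: int  # process the user was interacting with at the time


@dataclass
class SwapAlert:
    kind: str
    original: str
    replacement: str
    owner_pid: int


def detect_swaps(events: List[ClipboardEvent]) -> List[SwapAlert]:
    """Flag same-family address replacements written by a background process."""
    alerts = []
    previous = None
    for event in events:
        if previous is not None:
            prev_kind = classify(previous.content)
            new_kind = classify(event.content)
            background_writer = event.owner_pid != event.foreground_pid
            if (prev_kind is not None and new_kind == prev_kind
                    and event.content != previous.content and background_writer):
                alerts.append(SwapAlert(new_kind, previous.content,
                                        event.content, event.owner_pid))
        previous = event
    return alerts


# Constructed sample feed. BTC_GENUINE is the well-known public genesis-block
# address; every other value is made up for this example.
BROWSER = 1000   # hypothetical: the user's browser
UNKNOWN = 4242   # hypothetical: an unrelated background process

BTC_GENUINE = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
BTC_SWAPPED = "1FakeAttackerAddr1111111111111111"   # constructed, syntactically valid
ETH_GENUINE = "0x" + "ab" * 20                      # constructed
ETH_OTHER = "0x" + "cd" * 20                        # constructed
ETH_SWAPPED = "0x" + "ef" * 20                      # constructed

SAMPLE_EVENTS = [
    ClipboardEvent(BTC_GENUINE, BROWSER, BROWSER),  # user copies an address
    ClipboardEvent(BTC_SWAPPED, UNKNOWN, BROWSER),  # background process rewrites it
    ClipboardEvent("meeting at 10", BROWSER, BROWSER),
    ClipboardEvent(ETH_GENUINE, BROWSER, BROWSER),
    ClipboardEvent(ETH_OTHER, BROWSER, BROWSER),    # user copies a second address: benign
    ClipboardEvent(ETH_SWAPPED, UNKNOWN, BROWSER),  # rewritten again by the background process
]


def run_sample() -> List[SwapAlert]:
    return detect_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.kind}] pid {alert.owner_pid} replaced "
              f"{alert.original} with {alert.replacement}")
```

The owner-versus-foreground check is what keeps the rule quiet when a user legitimately copies two different addresses in a row; a production version would additionally whitelist known clipboard managers, which also write the clipboard from the background.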
Unlike Fortinet's discovery, in this campaign the phishing sites are hosted on GitHub Pages, leaning on the trust the platform enjoys with the developer community to distribute the trojans. The GitHub account used in this campaign has since been terminated.
Via The Hacker News
======================================================================
Link to news story:
https://www.techradar.com/pro/security/chinese-malware-is-flooding-github-pages-hiddengh0st-winos-and-kkrat-hit-devs-via-seo-poisoning
--- SBBSecho 3.28-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)