Malware | January 17, 2026 | 3 min read

Black Cat Infects 278,000 Hosts in China via SEO Poisoning

Cybercrime group uses fake software downloads and malicious Bing ads to deploy infostealer malware at scale across Chinese systems.

James Rivera

A cybercrime group tracked as Black Cat has infected nearly 278,000 hosts across China using SEO poisoning, according to analysis from CNCERT/CC and ThreatBook. The campaign, active between December 7 and 20, 2025, peaked at 62,167 machines compromised in a single day.

The operation exploits users searching for popular software—Google Chrome, Notepad++, QQ International, and iTools—on Microsoft Bing. Fraudulent websites ranking high in search results redirect victims to fake download pages that deploy data-stealing malware.

How the Attack Works

When users search for legitimate software, Black Cat's SEO-poisoned domains appear near the top of results. Domains like "cn-notepadplusplus[.]com" and "cn-obsidian[.]com" mimic official sites closely enough to fool casual users.

Clicking the download button redirects victims to a fake GitHub page ("github.zh-cns[.]top") where a ZIP archive contains what appears to be the requested installer. Rather than installing the program, the archive's contents plant a desktop shortcut that side-loads a malicious DLL, which in turn launches the backdoor.

Once active, the malware phones home to the command-and-control server at "sbido[.]com:2869" and begins harvesting:

  • Web browser data including saved passwords
  • Keystroke logs
  • Clipboard contents
  • Other sensitive host information

Black Cat's History

This isn't a new operation. Black Cat has been active since at least 2022, with previous campaigns including a 2023 operation that stole $160,000 in cryptocurrency by impersonating the AICoin trading platform.

The group has consistently targeted Chinese users through search engine manipulation, adapting its lures to match whatever software is trending. The December campaign represents their largest documented infection wave to date.

Indicators of Compromise

Malicious domains:

  • cn-notepadplusplus[.]com
  • cn-obsidian[.]com
  • cn-winscp[.]com
  • notepadplusplus[.]cn
  • github.zh-cns[.]top

C2 Server: sbido[.]com:2869
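The indicators above as a detection input, in an added example that is not code from CNCERT/CC, ThreatBook, or this article: it refangs the published IOCs, matches DNS and connection log lines against them (including the C2 port), and applies a lookalike heuristic for the "cn-<product>" / "<product>.cn" naming pattern the campaign uses. The log layout, the allowlist of official vendor hosts, and the list of lure names are assumptions constructed for the demo.

```python
"""Match DNS/connection logs against the Black Cat IOCs listed above.

Added example, not code from the CNCERT/CC or ThreatBook analysis. The log
lines are constructed for the demo; the 'ts kind k=v ...' layout is assumed.
"""
import re
from dataclasses import dataclass

# IOCs exactly as published (defanged) in the article.
DEFANGED_DOMAINS = [
    "cn-notepadplusplus[.]com",
    "cn-obsidian[.]com",
    "cn-winscp[.]com",
    "notepadplusplus[.]cn",
    "github.zh-cns[.]top",
]
DEFANGED_C2 = "sbido[.]com:2869"

# Products the campaign impersonates (from the article); used by the lookalike check.
LURE_NAMES = ("notepadplusplus", "obsidian", "winscp", "chrome", "itools", "github")
# Official vendor hosts that must never be flagged (assumed allowlist, extend for your org).
LEGIT_HOSTS = {"notepad-plus-plus.org", "obsidian.md", "winscp.net", "github.com", "google.com"}


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it can be compared with logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
C2_HOST, _port = refang(DEFANGED_C2).rsplit(":", 1)
C2_PORT = int(_port)


def is_lookalike(host: str) -> bool:
    """Flag hosts that embed a lure name but are not under the vendor's real domain.

    Catches 'cn-<product>.com', '<product>.cn' and subdomains of unrelated
    registrable domains such as 'github.zh-cns.top'.
    """
    host = host.lower().rstrip(".")
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return False
    for label in host.split(".")[:-1]:  # every label except the TLD
        core = re.sub(r"[^a-z]", "", label)  # 'cn-notepadplusplus' -> 'cnnotepadplusplus'
        if any(name in core for name in LURE_NAMES):
            return True
    return False


@dataclass
class Alert:
    ts: str
    client: str
    reason: str
    indicator: str


def parse_line(line: str) -> dict:
    """Parse the constructed 'ts kind k=v k=v ...' layout into a dict."""
    ts, kind, *pairs = line.split()
    rec = {"ts": ts, "kind": kind}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def scan(lines) -> list:
    """Return one Alert per log line that hits a known IOC, the C2, or a lookalike."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["kind"] == "dns":
            host = rec["query"].lower().rstrip(".")
            if host in IOC_DOMAINS or host == C2_HOST:
                alerts.append(Alert(rec["ts"], rec["client"], "known IOC domain", host))
            elif is_lookalike(host):
                alerts.append(Alert(rec["ts"], rec["client"], "lookalike domain", host))
        elif rec["kind"] == "conn":
            host = rec["dst"].lower().rstrip(".")
            if host == C2_HOST and int(rec["dport"]) == C2_PORT:
                alerts.append(Alert(rec["ts"], rec["client"], "C2 connection", f"{host}:{rec['dport']}"))
    return alerts


# Constructed sample log: two IOC hits, one benign vendor lookup, one lookalike
# that is NOT on the published list, one C2 connection, one benign connection.
SAMPLE_LOG = """\
2025-12-12T09:14:02Z dns client=10.0.0.21 query=cn-notepadplusplus.com type=A
2025-12-12T09:14:05Z dns client=10.0.0.21 query=github.zh-cns.top type=A
2025-12-12T09:14:30Z dns client=10.0.0.22 query=update.notepad-plus-plus.org type=A
2025-12-12T09:14:41Z dns client=10.0.0.23 query=cn-winscp.org type=A
2025-12-12T09:15:40Z conn client=10.0.0.21 dst=sbido.com dport=2869
2025-12-12T09:15:41Z conn client=10.0.0.22 dst=github.com dport=443
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.client} {a.reason}: {a.indicator}")
```

The lookalike check is deliberately separate from the exact-match list: the published domains will rotate, but the naming pattern (a country prefix or a vendor name under a registrable domain the vendor does not own) is what the campaign has reused, so it catches the next "cn-winscp" variant before it appears in anyone's feed.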

Defensive Measures

  1. Download from official sources only - Navigate directly to vendor websites rather than clicking search results
  2. Verify domain names carefully - The fake domains add a "cn-" prefix, swap in a .cn or .top TLD, or hang a familiar name under an unrelated registrable domain (github.zh-cns[.]top is not part of github.com)
  3. Block known IOCs - Add the domains and C2 server to blocklists
  4. Monitor for DLL side-loading - The infection chain runs a legitimate-looking binary that loads a malicious DLL placed beside it; alert on DLLs loaded from user-writable directories next to freshly downloaded executables

For organizations, this campaign reinforces the need for application allowlisting and download controls. Users searching for free software represent a persistent attack surface that criminals continue to exploit.
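A starting point for measure 4, as an added example that is not from the article or its sources: a heuristic over Sysmon-style image-load events (Event ID 7 fields) that flags a DLL loaded from the same directory as an executable running outside Windows or Program Files, weighted further if the DLL carries the name of a library that normally resolves from System32 or is unsigned. The events are constructed for the demo, the export format is assumed, and the list of commonly hijacked DLL names is a general assumption; the article does not say which DLL Black Cat's loader hijacks.

```python
"""Flag likely DLL side-loading from Sysmon-style image-load events.

Added example, not code from the page's sources. The event records are
constructed and mimic Sysmon Event ID 7 fields ('Image', 'ImageLoaded',
'Signed'); the commonly hijacked DLL list is an assumption.
"""
from pathlib import PureWindowsPath

# Where legitimately installed software and the OS live.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# System32 libraries frequently planted beside an EXE so the loader takes the
# attacker's copy first (assumed list, not taken from the article).
COMMONLY_HIJACKED = {
    "version.dll", "dbghelp.dll", "userenv.dll", "cryptbase.dll",
    "wtsapi32.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
}


def parse_event(line: str) -> dict:
    """Parse 'Key=Value|Key=Value' records (constructed export format)."""
    return dict(pair.split("=", 1) for pair in line.split("|"))


def under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def side_load_reasons(ev: dict) -> list:
    """Return the reasons an image-load event looks like side-loading (empty = benign)."""
    exe = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return []
    # Side-loading needs the DLL to sit in the EXE's own directory, which is
    # searched before System32. PureWindowsPath compares case-insensitively.
    if exe.parent != dll.parent:
        return []
    reasons = []
    if not under_trusted_root(str(dll)):
        reasons.append("DLL loaded from user-writable directory")
    if dll.name.lower() in COMMONLY_HIJACKED:
        reasons.append(f"{dll.name} normally resolves from System32")
    if ev.get("Signed", "").lower() != "true":
        reasons.append("DLL is unsigned")
    # An unsigned DLL inside a legitimate install directory is too noisy on
    # its own; require the location or the name signal as well.
    if reasons == ["DLL is unsigned"]:
        return []
    return reasons


def scan_events(lines) -> list:
    """Return (exe, dll, reasons) for every event that scores as side-loading."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = side_load_reasons(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed events: a fake installer extracted to the Desktop, the same EXE
# loading a real OS library, a properly installed app, and a dropped helper.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\victim\\Desktop\\Notepad++\\notepad++.exe"
    "|ImageLoaded=C:\\Users\\victim\\Desktop\\Notepad++\\version.dll|Signed=false",
    "Image=C:\\Users\\victim\\Desktop\\Notepad++\\notepad++.exe"
    "|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true",
    "Image=C:\\Program Files\\Notepad++\\notepad++.exe"
    "|ImageLoaded=C:\\Program Files\\Notepad++\\SciLexer.dll|Signed=true",
    "Image=C:\\Users\\victim\\Downloads\\iTools\\itools.exe"
    "|ImageLoaded=C:\\Users\\victim\\Downloads\\iTools\\helper.dll|Signed=false",
]

if __name__ == "__main__":
    for exe, dll, reasons in scan_events(SAMPLE_EVENTS):
        print(f"{exe} -> {dll}: {'; '.join(reasons)}")
```

In production the same logic runs against Sysmon or EDR telemetry rather than a text export; the signals worth keeping are the ones used here, namely same-directory loads from Desktop, Downloads or Temp, a System32 library name appearing outside System32, and a missing signature, with an allowlist for portable applications your users legitimately run from their profile.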

The Broader Pattern

SEO poisoning has become a reliable initial access vector. We've covered similar malvertising operations, including TamperedChef's fake PDF editor campaign that targeted users searching for document tools.

The technique works because it meets users where they already are—searching for software they genuinely need. Unlike phishing emails that arrive unsolicited, poisoned search results feel organic. Victims believe they're making an informed choice by selecting a top-ranked result.

For security teams, this means browser-based threats deserve the same attention as email security. Monitoring for unusual DNS queries to recently registered domains and flagging executables downloaded from suspicious URLs can catch these campaigns before the malware activates.
