SEO Poisoning Attack Hits Windows Users With Hiddengh0st and Winos Malware


New SEO poisoning campaign exposed! FortiGuard Labs reveals how attackers trick users with fake websites to deliver Hiddengh0st and Winos malware.

A new cyberattack campaign is preying on Chinese-speaking Windows users by manipulating search engine results. Fortinet’s research division, FortiGuard Labs, has just released its latest research blog revealing how attackers used a technique called SEO poisoning (manipulating malicious websites to appear at the top of search engine results) to trick people into downloading harmful software.

According to FortiGuard Labs’ blog post, the campaign was discovered in August 2025. The attackers created fraudulent websites that looked almost identical to those of legitimate software providers and used special plugins to artificially push these fake sites to the top of search rankings.

A visitor, thinking they were on a trusted site, would download what appeared to be a real application. However, “the installers contained both the legitimate application and the malicious payload, making it difficult for users to notice the infection,” researchers noted.

Spoofed site appearing at the top of search results, and the fake websites (Source: Fortinet)

Once a user ran the installer, the malware launched a file that performed a series of checks. It was designed to be sneaky and would look for signs that it was being run in a research or sandbox environment rather than on a real person’s computer. If it detected it was in a lab setting, it would simply stop running immediately to avoid being discovered. This is a crucial detail for understanding the attackers’ methods.

These fake installers were designed to secretly install two types of malware: Hiddengh0st and Winos. Hiddengh0st is a tool that allows an attacker to remotely control a computer, while Winos is known for stealing valuable information. This stolen data can then be used for future cyberattacks. The severity of this campaign is classified as high due to the potential impact on victims.

Attack Flow (Source: Fortinet)

The attackers’ use of lookalike domains and small character substitutions (for example, replacing the letter “o” with the number “0”) was a key part of their deception. To ensure the malware stayed on the computer, it would modify system files and create new ones so that it launched automatically every time the computer was turned on. A well-known earlier example of the same lookalike trick is the domain ɢoogle.com (note the first letter) posing as Google.com.
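The lookalike-domain trick described above is something defenders can screen for before a download ever happens. The following is an added example, not code from the Fortinet research or from Hackread: it reduces a domain to its visual “skeleton” (decoding punycode, applying NFKC normalisation and case folding, dropping invisible characters, and mapping a hand-built set of confusable characters to their ASCII lookalikes) and compares that skeleton against a constructed allow-list of trusted domains. The allow-list, the confusables table and the sample domains are all assumptions built for this illustration; a production version would use the full Unicode confusables data and the organisation’s real list of vendor domains.

```python
import unicodedata

# Constructed allow-list for this example: domains the organisation trusts.
TRUSTED_DOMAINS = {"google.com", "example-software.com"}

# Small, hand-built table of characters that look like ASCII letters/digits.
# Illustrative only; real deployments should use Unicode's confusables.txt.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0262": "g",  # U+0262 LATIN LETTER SMALL CAPITAL G (the "\u0262oogle.com" case)
    "\u043e": "o",  # Cyrillic small o
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0131": "i",  # Latin dotless i
    "\u2010": "-",  # Unicode hyphen
}


def to_unicode(domain: str) -> str:
    """Decode any punycode (xn--) labels so homoglyphs become visible."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep as-is; it will not match a trusted name
        labels.append(label)
    return ".".join(labels)


def skeleton(domain: str) -> str:
    """Visual skeleton: NFKC + casefold, strip invisible/combining chars, map confusables."""
    text = unicodedata.normalize("NFKC", to_unicode(domain)).casefold()
    out = []
    for ch in text:
        # Format characters (zero-width joiners etc.) and combining marks are invisible
        # or near-invisible, so they must not be allowed to defeat the comparison.
        if unicodedata.category(ch) in ("Cf", "Mn"):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def classify(domain: str) -> str:
    """Return 'trusted', 'lookalike of <trusted domain>', or 'unknown'."""
    name = domain.strip().rstrip(".")
    if to_unicode(name).casefold() in TRUSTED_DOMAINS:
        return "trusted"
    sk = skeleton(name)
    for trusted in TRUSTED_DOMAINS:
        if sk == skeleton(trusted):
            return f"lookalike of {trusted}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample domains: one genuine, three lookalikes, one unrelated.
    samples = ["Google.com", "g00gle.com", "\u0262oogle.com",
               "g\u043e\u043egle.com", "example-software.org"]
    for d in samples:
        print(f"{d:24s} -> {classify(d)}")
```

The check is deliberately conservative: a domain is only reported as a lookalike when its skeleton matches a trusted domain exactly, including the top-level domain, so a genuinely unrelated site is reported as “unknown” rather than as an impersonation. This logic can sit in a proxy, a mail gateway or an endpoint download hook, wherever the organisation already sees the host names users are about to fetch from.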

The research further revealed that the malware could steal a wide range of personal information, including data from cryptocurrency wallets like those for Tether and Ethereum. It was also observed to be capable of logging keystrokes and capturing what was copied to the clipboard. The attackers could then issue commands remotely, allowing them to fully control the infected computer.

FortiGuard Labs shared this research with Hackread.com, highlighting how quickly threats are evolving in the digital world. It’s always a good practice to be careful online and to always inspect a domain name carefully before downloading any software.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.