
Many security issues on the internet stem from avoidable mistakes based on an assumption of safety or legitimacy, often supported by implicitly understood “trust signals.” Users online are primed to have confidence in search engines, believing that search results are inherently reliable and secure, especially if they are popular enough to turn up on the first page of a major search engine.
In a fast-moving era of constant digital access, users increasingly rely on search results to find and download software, rather than solely going through the official sites of software developers. Unfortunately, attackers can exploit that trust to deliver malicious payloads through SEO poisoning attacks.
FortiGuard Labs Findings
Fortinet’s FortiGuard Labs identified an SEO poisoning campaign in August 2025 targeting Chinese-speaking users. This campaign used a variety of malicious tactics in combination to deliver malicious payloads to target devices. The attackers used convincing language and mimicked legitimate software providers with subtle character swaps to deceive victims into visiting spoofed versions of software pages and downloading malware.
By leveraging SEO plugins, the attackers managed to boost their spoofed domains to the top of search results. This technique takes advantage of weaknesses in ostensibly legitimate technologies while also relying on social engineering aspects by exploiting the target’s trust in search engine results.
Delivery Method: Malware Hidden in Plain Sight
The malware was delivered via sites disguised as official software download pages. These pages, targeted at Chinese-speaking users of search engines including Google, offered installers that bundled legitimate applications with malware. The infection was thus masked: the user saw the expected software being downloaded and run, while the malicious component installed alongside it.
The primary payloads of this campaign are identified as Hiddengh0st and Winos malware variants. Hiddengh0st is a malware tool that enables attackers to remotely access and control targeted devices, and Winos is a malware variant known for stealing valuable data. The ability to remotely control infected computers and the data delivered by information stealers can empower further attacks with potentially catastrophic consequences.
Expert Commentary and Broader Implications
This campaign demonstrates that SEO poisoning attacks can expand beyond phishing and push into other malicious areas like software distribution. It highlights the fragility of online “trust signals,” such as the assumption that a high search ranking implies a secure and official result.
The discovery of this campaign emphasizes the need for layered defenses against such attacks. Organizations are encouraged to “implement multilingual security awareness training for staff who may encounter Chinese-language social engineering attempts,” according to Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit. “End users are the first level of protection. This can be further cemented by conducting regular tabletop exercises simulating SEO poisoning scenarios.” It is also suggested that organizations deploy effective technical defenses, including DNS security and content inspection.
The Takeaway: Search Can’t Be Taken at Face Value
This SEO poisoning campaign is not an isolated incident, but an indicator of several trends in the threat landscape that are likely to continue. “Cybercriminals are employing increasingly sophisticated scams these days,” says Chad Cragle, CISO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform. “I expect that tactics like SEO poisoning, AI-driven phishing, and multi-stage malware will continue evolving, fueling financial fraud and social engineering year-round.”
This campaign should be taken as a wake-up call not to assume trustworthiness online. Users must shift their mindsets from relying on trust signals to looking for legitimate indicators of official sites and leveraging effective security measures. Organizations that develop and provide software should monitor online for domain spoofing attacks targeting their brand. Search engines also need to take attacks like this seriously as a sign to implement stronger protections against manipulation.
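The brand monitoring recommended above has to catch the “subtle character swaps” the campaign relied on. The following is an added example, not FortiGuard’s or any vendor’s code: it folds each newly seen domain to an ASCII skeleton (digits and Cyrillic look-alikes mapped back to Latin letters) and then compares it to a protected brand name by exact match, edit distance, and substring. The brand “examplesoft”, the confusables table, and the sample domain feed are all constructed for this example.

```python
"""Brand-monitoring check for look-alike domains (added example; not FortiGuard's code)."""
import unicodedata
from typing import Optional

# Substitutions seen in spoofed domains: digit/letter pairs and Cyrillic look-alikes.
# The table is an assumption for this example, not an exhaustive confusables list.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0456": "i", "\u0443": "y"}

def skeleton(label: str) -> str:
    """Fold a domain label to an ASCII skeleton so visually similar labels collapse."""
    if label.startswith("xn--"):                      # punycode -> Unicode first
        label = label.encode("ascii").decode("idna")
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))   # strip accents
    for look_alike, ascii_char in CONFUSABLES.items():
        s = s.replace(look_alike, ascii_char)
    return s.replace("-", "")

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: substitutions, insertions, deletions, transpositions."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(domain: str, brands, owned) -> Optional[tuple]:
    """Return (brand, reason) if `domain` imitates a brand, else None.
    Assumes a two-label registrable name (label.tld); domains in `owned` are skipped."""
    domain = domain.lower().rstrip(".")
    if domain in owned:
        return None
    label = domain.split(".")[-2] if "." in domain else domain
    skel = skeleton(label)
    for brand in brands:
        if skel == brand:
            return brand, "homoglyph/character-swap look-alike"
        if edit_distance(skel, brand) <= 1:
            return brand, "one edit away (typo-squat)"
        if brand in skel:
            return brand, "brand name embedded in longer label"
    return None

def scan(domains, brands, owned=frozenset()):
    """Run classify() over a feed of newly seen domains; returns only the hits."""
    return [(d, *hit) for d in domains if (hit := classify(d, brands, owned))]

# Constructed sample feed (not real indicators from the campaign).
SAMPLE_FEED = ["examplesoft.com", "examp1esoft.com", "exampelsoft.net",
               "examplesoft-download.com", "ex\u0430mplesoft.com", "weatherapp.org"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FEED, ["examplesoft"], owned={"examplesoft.com"}):
        print(hit)
```

In practice the feed would come from certificate transparency logs or newly registered domain lists, and each hit would be reviewed before a takedown request.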