SEO Poisoning Attack Targets Chinese-Speaking Users with Fake Software Sites

FortiGuard Labs identified an SEO poisoning campaign targeting Chinese-speaking users that used manipulated search rankings and lookalike domains to distribute malware, most notably Hiddengh0st and Winos variants. The campaign delivered malicious MSI installers impersonating DeepL that bundled EnumW.dll and vstdlib.dll, ran extensive anti-analysis checks, established persistence through TypeLib hijacking or Startup folder redirection, and deployed a C2-capable payload for data theft and plugin loading.

Keypoints

  • Attackers used SEO plugins and lookalike domains to elevate spoofed download pages in search results, targeting Chinese-speaking users.
  • Fraudulent sites hosted malicious MSI installers combining legitimate DeepL software with malicious components (EnumW.dll, temp_data_1–55 fragments, etc.).
  • EnumW.dll performs multiple anti-analysis checks (parent process, sleep timing via www.baidu.com, ACPI/HPET inspection) before reconstructing emoji.dat and extracting payloads.
  • vstdlib.dll establishes persistence either via TypeLib hijacking (a d.s JScript file plus a registry TypeLib key) or via Startup folder redirection with GooglUpdata.lnk, and creates registry values under Software\DeepSer.
  • Payload implements Heartbeat, Monitor, and C2 modules: collects system/AV info, prepares encrypted DAT packets keyed to system time, and supports many C2 commands including plugins and crypto-wallet hijack.
  • Input logger writes DisplaySessionContainers.log and plugins (DifferentScreen.bin, HighSpeedScreen.bin, tg永久消盾.bin, Telegram.bin) indicate Winos-related functionality and Telegram proxy removal.
  • Fortinet detections and protections listed; organizations urged to keep protections updated and contact FortiGuard Incident Response if affected.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – SEO poisoning and lookalike domains manipulated search results to trick users into downloading malware installers (“attackers manipulated search rankings with SEO plugins and registered lookalike domains”).
  • [T1204.002] User Execution: Malicious File – Victims were tricked into running MSI installers that combined legitimate software with malicious DLLs (“installers contained both the legitimate DeepL software and malicious components, including a DLL file (EnumW.dll)”).
  • [T1055] Process Injection – Shellcode and final payload are mapped into process memory and executed to avoid dropping files (“payload is then mapped directly into process memory and executed to avoid dropping a file”).
  • [T1543.003] Create or Modify System Process: Windows Service – Malware creates registry values and persistence entries (OpenAi_Service, MyData) under Software\DeepSer to maintain execution (“Value name: OpenAi_Service Value: C:\Users\{User name}\AppData\Roaming\Nxonq1284_QUC\insalivation.exe”).
  • [T1547.001] Registry Run Keys/Start Folder – Malware modifies the Startup registry value and creates GooglUpdata.lnk in C:\ProgramData\Venlnk to persist (“creates a shortcut file GooglUpdata.lnk in C:\ProgramData\Venlnk … modifies the SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup registry key”).
  • [T1574.001] DLL Search Order Hijacking/Side-Loading – 749ju.exe side-loads vstdlib.dll to continue the infection chain (“This helps the DLL find 749ju.exe, which side-loads vstdlib.dll to continue the infection chain”).
  • [T1218.010] Signed Binary Proxy Execution: Msiexec – EnumW.dll expects msiexec.exe as parent and exits otherwise, indicating use of msiexec to execute installer components (“If the parent process is not msiexec.exe—the expected Windows Installer process—EnumW.dll … immediately exits”).
  • [T1497.001] Virtualization/Sandbox Evasion: Time-based Evasion – Sleep integrity check uses HTTP date queries to detect accelerated time in analysis environments (“sends two HTTP_QUERY_DATE queries to www.baidu.com five seconds apart … if elapsed time is shorter than four seconds … the malware terminates”).
  • [T1497.002] Virtualization/Sandbox Evasion: Artifact Detection – ACPI and HPET checks plus desktop file count are used to detect virtualized/sandbox environments (“checks the number of files on the user’s desktop … queries ACPI firmware tables … halts execution if HPET table is missing”).
  • [T1105] Ingress Tool Transfer – Multi-step JSON redirect chain (nice.js -> JSON -> final URL) used to retrieve the malicious installer (“nice.js controls the malware delivery process … calls a download link that returns JSON data … redirect to the final URL of the malicious installer”).
  • [T1056.001] Input Capture: Keylogging – Input logger records keystrokes and clipboard contents to DisplaySessionContainers.log and uses the registry value EnableOfflineKeyboard to enable offline logging (“drops the file: C:\ProgramData\DisplaySessionContainers.log … HKCU\Software\ConsoleClient\EnableOfflineKeyboard”).
  • [T1112] Modify Registry – Malware writes multiple registry keys and values for persistence and configuration (Software\DeepSer, HKCU\Software\ConsoleClient) (“creates a registry key—Software\DeepSer and populates it … writes the C2 server IP address into the DServerInfo value”).
  • [T1027] Obfuscated Files or Information – vstdlib.dll packed with repeated bytes in .data to inflate memory usage and slow analysis (“vstdlib.dll, which is deliberately packed with repeated bytes in its .data section … overwhelm analysis tools”).
  • [T1095] Non-Standard Port – C2 communication uses hard-coded IPs and creates marker files (venwin.lock) to indicate a successful C2 connection (“creates a file named venwin.lock in C:\Users\Public … contains ‘lock’”).

Indicators of Compromise

  • [Domain] Spoofed download and hosting domains – deepl-fanyi[.]com, aisizhushou[.]com (xiazai1[.]aisizhushou[.]io)
  • [Domain] Hosting/storage domains – bucket00716[.]s3[.]ap-southeast-2[.]amazonaws[.]com, znrce3z[.]oss-ap-southeast-1[.]aliyuncs[.]com
  • [IP] C2 and infrastructure IPs – 137[.]220[.]152[.]99, 43[.]248[.]172[.]132 (and other IPs listed)
  • [SHA256] Installer/ZIP hash – ZIP: 251f24e8c7e4fbe2…3a6182c79c6abd5e98d407bb1e6a7b2e633bd659c29ae539b80ceeb07b9db711b6a
  • [SHA256] DLL hashes – EnumW.dll: a32d14f28c44ec6f…b642930f8903f7e8c4d8955347575afd2f2abee2ee2d612ba381442026bfd (and vstdlib/payload/plugin hashes: 02ef3930…, 2a1ae074…)

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

In August 2025, FortiGuard Labs identified an SEO poisoning campaign aimed at Chinese-speaking users. The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites. By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware.

The attackers set up multiple fraudulent websites designed to imitate trusted software providers. These sites distributed several malware families, most notably Hiddengh0st and variants of Winos. We identified them during our review of domains associated with the IP addresses we are tracking. Since SEO poisoning serves as the primary vector for delivering malware, our article focuses on that method to remain concise.

A script named nice.js controls the malware delivery process on these sites. The script follows a multi-step chain: it first calls a download link that returns JSON data, which includes a secondary link. That secondary link then points to another JSON response containing a link that redirects to the final URL of the malicious installer. The initial request includes two parameters — device type and domain name — which determine which JSON data is retrieved.

This analysis focuses on the malware hosted on a spoofed website impersonating DeepL.

MSI installer

The installer package combines both the legitimate DeepL software and malicious components, including a DLL file (EnumW.dll), fragments of a ZIP archive (temp_data_1–55), and other unrelated files. Once launched, the installer elevates itself to administrator privileges. It then drops the file fragments into C:\ProgramData\Data_Xowlls and places the rest into C:\Program Files (x86)\DeepLSetup\DeepLSetup. After extraction, it triggers the ooo89 function within EnumW.dll, which initiates the malicious activity.

EnumW.dll

The EnumW.dll file includes a debug directory reference (C:\Users\Administrator\Desktop\msi自动打包\dll_FKTrump\x64\Release\FKtrump.pdb). Its ooo89 function begins with several anti-analysis checks designed to evade detection.

  • Parent process validation: If the parent process is not msiexec.exe—the expected Windows Installer process—EnumW.dll assumes it is being run in an analysis environment and immediately exits.
  • Sleep integrity check: This check serves as a technique to evade sandboxing or other analysis tools. The function sends two HTTP_QUERY_DATE queries to www.baidu.com five seconds apart. If the elapsed time is shorter than four seconds, which suggests that an analysis tool has skipped the sleep call, the malware terminates.
  • ACPI table inspection: The malware first checks the number of files on the user’s desktop, which is often low in sandboxes. If fewer than six files are found, it queries ACPI firmware tables. The DLL halts execution if the High Precision Event Timer (HPET) table is missing or if the total number of ACPI tables is fewer than eight—both indicators of a virtualized environment.

Once the anti-analysis checks are complete, EnumW.dll reconstructs a file named emoji.dat by combining the temp_data_1–55 fragments stored in the Data_Xowlls folder. This file is then decompressed, and the embedded components are extracted into a directory labeled plsamc{system uptime} under the user profile.

Among the extracted files is vstdlib.dll, which is deliberately packed with repeated bytes in its .data section. This design overwhelms analysis tools by inflating memory usage and slowing performance, while compression ensures the file size remains small enough for delivery.

The DLL then searches the same folder for EXE files. This is how it locates 749ju.exe, which side-loads vstdlib.dll to continue the infection chain. Because the filename is never hard-coded, the next stage cannot be identified from the DLL alone, which complicates analysis.

vstdlib.dll

vstdlib.dll executes the payload embedded within emjio.tmp and sets up persistence mechanisms to keep it active. It first writes embedded data to resource.dat in the user’s profile directory, then extracts additional files into a subfolder named Nxonq1284_QUC under %APPDATA%, using the password Panzer0.

Next, the malware creates a registry key, Software\DeepSer, and populates it with the following values:

  • OpenAi_Service: C:\Users\{User name}\AppData\Roaming\Nxonq1284_QUC\insalivation.exe
  • MyData: {shellcode and encrypted payload from emjio.tmp}
  • Onload1: C:\Users\{User name}\Desktop\emoji\749ju.exe

The malware also checks whether 360Tray.exe (part of 360 Total Security antivirus) is running. If detected, vstdlib.dll continuously allocates, fills, and frees memory without useful computation. This tactic is meant to evade or stall analysis tools. In this scenario, persistence is established through TypeLib hijacking. The malware drops an XML file (d.s) into C:\Users\Public\Downloads and creates a registry key at:

Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1
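As an added, defender-side example (not code from the FortiGuard write-up), the following Python turns the registry artifacts described above into hunting rules over a .reg export: the Software\DeepSer values, a per-user (HKCU) TypeLib registration for {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} that shadows the system one, the User Shell Folders Startup redirection from the keypoints, and the ConsoleClient EnableOfflineKeyboard switch from the keylogger section. The export is constructed; the win64 subkey and script: moniker layout of the hijacked TypeLib key, and the benign HKLM entry used as a control, are assumptions.

```python
import re
from typing import Iterator, List, Tuple
# Constructed .reg export (not a real capture). Key paths follow the write-up; the
# TypeLib "win64" subkey holding a script: moniker to d.s is an assumption about the
# hijack wiring, and the HKLM entry is a constructed benign registration to NOT flag.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\DeepSer]
"OpenAi_Service"="C:\\Users\\alice\\AppData\\Roaming\\Nxonq1284_QUC\\insalivation.exe"
"Onload1"="C:\\Users\\alice\\Desktop\\emoji\\749ju.exe"
[HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win64]
@="C:\\Windows\\System32\\ieframe.dll"
[HKEY_CURRENT_USER\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win64]
@="script:C:\\Users\\Public\\Downloads\\d.s"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Startup"="C:\\ProgramData\\redirected_startup"
[HKEY_CURRENT_USER\Software\ConsoleClient]
"EnableOfflineKeyboard"=dword:00000001
"""

TYPELIB_GUID = "{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}"
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)=(?:"(?P<s>.*)"|(?P<raw>[^"].*))$')

def parse_reg(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value name, data) for string and dword values; hex blobs are not reassembled."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            s = m.group("s")  # .reg escapes backslashes as \\ inside string data
            yield key, m.group("name") or "(Default)", s.replace("\\\\", "\\") if s is not None else m.group("raw")

def hunt(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (rule, key, value name, data) for every entry matching a persistence rule."""
    out = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith("\\software\\deepser"):
            out.append(("DeepSer persistence value", key, name, data))
        elif k.startswith("hkey_current_user\\software\\classes\\typelib\\" + TYPELIB_GUID.lower()):
            suffix = ", script moniker" if d.startswith("script:") else ""  # script: runs code on typelib load
            out.append(("TypeLib hijack (HKCU shadows system typelib)" + suffix, key, name, data))
        elif k.endswith("\\explorer\\user shell folders") and n == "startup" \
                and "\\start menu\\programs\\startup" not in d:
            out.append(("Startup folder redirected", key, name, data))
        elif k.endswith("\\software\\consoleclient") and n == "enableofflinekeyboard":
            out.append(("offline keylogger switch", key, name, data))
    return out
```

On a live host the same rules can be fed from `reg export HKCU out.reg` and `reg export HKLM\Software\Classes\TypeLib out.reg`; only the HKCU TypeLib entry fires, the HKLM control does not.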