Fortinet uncovered an August 2025 SEO-poisoning campaign that used malicious SEO plugins and look-alike domains to lure Chinese-speaking users into downloading fake software, resulting in installations of Hiddengh0st and Winos variants. The investigation identified 13 initial IoCs (five domains, four subdomains, four IPs), narrowed to nine primary IoCs for DNS analysis, and expanded to reveal 7,741 email-connected domains and additional malicious IPs. #Hiddengh0st #Winos
Keypoints
- Fortinet identified an SEO poisoning campaign in August 2025 targeting Chinese-speaking users with fake software sites and manipulated search rankings using SEO plug-ins and look-alike domains.
- Victims were tricked into installing Hiddengh0st and Winos malware variants from the malicious sites.
- Researchers initially identified 13 IoCs (five domains, four subdomains, four IPs) before excluding legitimate domains used as abused hosting subdomains, yielding nine IoCs (five domains, four IPs) for the main DNS footprint analysis.
- Analysis of the excluded subdomains found they were malicious and active from 17β30 September 2025 (bucket00716β¦) and active since 17 September 2025 with a 60s TTL (znrce3zβ¦).
- WHOIS and DNS queries showed the five domain IoCs were a mix of aged and newly registered domains, registered across multiple registrars and countries, with varied DNS histories (total 494 historical domain-to-IP resolutions for four domains).
- The four IP IoCs are geolocated in China, had 1,593 historical IP-to-domain resolutions across three IPs with DNS history, and varying administrative records (BGP Network, China Unicom, and two without ISPs on record).
- Expansion via WHOIS History and reverse WHOIS queries produced 7,741 email-connected domains and DNS queries found eight additional IPs (seven marked malicious), with a sample of artifacts available for download.
MITRE Techniques
- [T1598] Phishing for Information β Attackers used look-alike domains and fake software sites to trick users into downloading malware: βvictims ended up installing Hiddengh0st and Winos variants into their computers.β
- [T1598.002] Search Engine Poisoning β Manipulated search rankings with SEO plug-ins and registered look-alike domains to surface malicious download links: βattackers manipulated search rankings with SEO plug-ins and registered look-alike domains that closely mimicked legitimate software sites.β
- [T1078] Valid Accounts (abuse of legitimate hosting) β Abuse of legitimate cloud-hosted subdomains to host malicious content: βtwo subdomainsβ¦ were excluded from our main analysis since their domains were legitimate and probably abused.β
Indicators of Compromise
- [Domain] primary malicious domains identified β aisizhushou[.]com, wps1[.]com (and deepl-fanyi[.]com, c4p11[.]shop, telegramni[.]com referenced)
- [Subdomain] abused legitimate cloud subdomains β bucket00716[.]s3[.]ap-southeast-2[.]amazonaws[.]com, znrce3z[.]oss-ap-southeast-1[.]aliyuncs[.]com
- [IP address] primary IP IoCs (geolocated in China) β 137[.]220[.]152[.]99, 202[.]95[.]8[.]47 (and 27[.]124[.]13[.]325)
- [Historic resolutions] DNS resolution examples and counts β aisizhushou[.]com first resolved 5 February 2017; telegramni[.]com had 46 resolutions and last resolved 1 September 2025
- [Email-connected domains] large expansion via WHOIS history β 7,741 email-connected domains discovered from historical WHOIS email addresses
- [Additional IPs] extra IPs from DNS queries with threat intel results β eight additional IPs found, seven marked malicious (sample artifacts available for download)