Jan 07, 2026Ravie LakshmananCybercrime / Software program Safety
A cybercrime gang often called Black Cat has been attributed to a SEO (search engine optimization) poisoning marketing campaign that employs fraudulent websites promoting well-liked software program to trick customers into downloading a backdoor able to stealing delicate knowledge.
In accordance with a report printed by the Nationwide Pc Community Emergency Response Technical Staff/Coordination Middle of China (CNCERT/CC) and Beijing Weibu On-line (aka ThreatBook), the exercise is designed to strategically push bogus websites to the highest of search outcomes on search engines like google like Microsoft Bing, particularly focusing on customers searching for applications like Google Chrome, Notepad++, QQ Worldwide, and iTools.
“After visiting these high-ranking phishing pages, customers are lured by fastidiously constructed obtain pages, trying to obtain software program set up packages bundled with malicious applications,” CNCERT/CC and ThreatBook stated. “As soon as put in, this system implants a backdoor Trojan with out the consumer’s data, resulting in the theft of delicate knowledge from the host pc by attackers.”
Black Cat is assessed to be energetic since not less than 2022, orchestrating a collection of assaults designed for knowledge theft and distant management utilizing malware distributed by way of search engine optimization poisoning campaigns. In 2023, the group is claimed to have stolen not less than $160,000 value of cryptocurrency by impersonating AICoin, a preferred digital forex buying and selling platform.
Within the newest set of assaults, customers looking for Notepad++ are served hyperlinks to a convincing phishing web site masquerading as related to the software program program (“cn-notepadplusplus[.]com”). Different domains registered by Black Cat embrace “cn-obsidian[.]com,” “cn-winscp[.]com,” and “notepadplusplus[.]cn.”
The inclusion of “cn” within the domains signifies that the risk actors are particularly going after Chinese language customers who could also be searching for such instruments by way of search engines like google.
Ought to unsuspecting customers find yourself clicking the “obtain” button on the pretend web site, they’re redirected to a different URL that mimics GitHub (“github.zh-cns[.]prime”) from the place a ZIP archive may be downloaded. Current inside the ZIP file is an installer that creates a shortcut on the consumer’s desktop. The shortcut acts because the entry level for side-loading a malicious DLL that, in flip, launches the backdoor.
The malware establishes contact with a hard-coded distant server (“sbido[.]com:2869”), permitting it to steal net browser knowledge, log keystrokes, extract clipboard contents, and different precious data from the compromised host.
CNCERT/CC and ThreatBook famous that the Black Cat cybercrime syndicate has compromised about 277,800 hosts throughout China between 7 and 20, 2025, with the very best day by day variety of compromised machines inside the nation scaling a excessive of 62,167.
To mitigate the chance, customers are suggested to chorus from clicking on hyperlinks from unknown sources and follow trusted sources for downloading software program.
