Black Cat Behind SEO Poisoning Malware Campaign Targeting Popular Software Searches

Parkinsond

A cybercrime gang known as Black Cat has been attributed to a search engine optimization (SEO) poisoning campaign that employs fraudulent sites advertising popular software to trick users into downloading a backdoor capable of stealing sensitive data.

In the latest set of attacks, users searching for Notepad++ are served links to a convincing phishing site masquerading as associated with the software program ("cn-notepadplusplus[.]com"). Other domains registered by Black Cat include "cn-obsidian[.]com," "cn-winscp[.]com," and "notepadplusplus[.]cn."

After trying to visit the above-mentioned website:
Edge SmartScreen: Not detected
ControlD DNS (Hagezi TIF): Not detected
uBO (with Hagezi Ultimate mini): Not detected
Norton safe web extension: Not detected
Symantec browser protection extension: Detected
Norton safe web website: Detected
VirusTotal: Detected by Kaspersky

(Screenshots of the detection results: browser extension verdict, safeweb.norton.com, www.virustotal.com)

Infection Chain

Payload

The ZIP contains an installer that establishes a desktop shortcut.

Execution
This shortcut initiates a DLL side-loading attack to execute the backdoor payload stealthily.

Capabilities
The malware logs keystrokes, steals clipboard data, and exfiltrates browser cookies/credentials.

Indicators of Compromise (IOCs)
The following domains and command-and-control (C2) servers were identified in the source text. These should be treated as high-priority blocks.

Fraudulent Domains

cn-notepadplusplus[.]com

cn-obsidian[.]com

cn-winscp[.]com

notepadplusplus[.]cn

Distribution/Drop Site

github.zh-cns[.]top

C2 Infrastructure

sbido[.]com:2869

Detection Status
Your testing confirms that signature-based detection is currently lagging for these specific assets. Relying solely on browser filters (like SmartScreen or uBO) is insufficient for this specific campaign at this time.

Recommendations

Network Blocking

Immediately block the domains and the C2 IP/port (sbido[.]com:2869) at the firewall or DNS level.

Application Whitelisting
Ensure software like Notepad++ and WinSCP are only downloaded from their official repositories (notepad-plus-plus.org and winscp.net).

Behavioral Monitoring
Configure EDR to flag processes spawning from unexpected locations (e.g., shortcuts created by installers in non-standard directories) or engaging in DLL side-loading behaviors.

User Awareness
Advise users to verify the URL strictly before downloading utilities. Official domains rarely use prefixes like cn- followed by the full software name for global distributions.

References

CNCERT/CC & ThreatBook Report (cited in The Hacker News)

The Hacker News: Black Cat Behind SEO Poisoning Malware Campaign

User Findings
Validated detection gaps in Edge SmartScreen and standard ad-blockers
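The blocking and monitoring recommendations above are easier to act on with the IOCs in a matchable form. The following script is an added example for this thread, not code from the post, from the CNCERT/CC and ThreatBook report, or from any vendor: it refangs the IOCs exactly as listed, matches them (including subdomains) against DNS and connection log lines, reports the sbido.com:2869 endpoint separately from other traffic to that host, and applies the lookalike heuristic from the user-awareness note (a "cn-" prefix plus the product name on a domain that is not the official one). The log formats, the two-label registered-domain rule, the sample log lines, and the name cn-winscp.example are assumptions made for the demonstration.

```python
"""Refang the thread's IOCs and scan constructed DNS/connection logs for them.

Added example, not code from the post or the cited reports. Log formats,
sample lines and the .example lookalike name are assumptions for the demo.
"""
from typing import List, NamedTuple, Optional, Tuple

# IOCs exactly as listed in the thread, still defanged.
DEFANGED_DOMAINS = [
    "cn-notepadplusplus[.]com", "cn-obsidian[.]com", "cn-winscp[.]com",
    "notepadplusplus[.]cn", "github.zh-cns[.]top",
]
DEFANGED_C2 = ["sbido[.]com:2869"]

# Official download domains the post names; the lookalike heuristic never flags these.
OFFICIAL = {"notepad-plus-plus.org", "winscp.net"}
# Product names carried by the fraudulent domains above.
PRODUCT_WORDS = {"notepadplusplus", "obsidian", "winscp"}


def refang(ioc: str) -> str:
    """Turn a defanged IOC ("[.]", "(.)", "hxxp") back into a matchable string."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


def split_host_port(ioc: str) -> Tuple[str, Optional[int]]:
    host, _, port = ioc.partition(":")
    return host, (int(port) if port else None)


BLOCKED_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]
C2_ENDPOINTS = [split_host_port(refang(c)) for c in DEFANGED_C2]


def match_blocklist(host: str, blocked: List[str]) -> Optional[str]:
    """Exact or subdomain match (so cdn.github.zh-cns.top hits github.zh-cns.top)."""
    h = host.lower().rstrip(".")
    return next((b for b in blocked if h == b or h.endswith("." + b)), None)


def registered_domain(host: str) -> str:
    # Assumption: two-label registrable domain. A public-suffix list is needed
    # for co.uk-style TLDs; good enough for the demo.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def looks_like_lookalike(host: str) -> bool:
    """A label equal to a product name, optionally prefixed 'cn-', on a domain
    that is not the official one (the pattern the user-awareness note describes)."""
    if registered_domain(host) in OFFICIAL:
        return False
    for label in host.lower().rstrip(".").split("."):
        bare = label[3:] if label.startswith("cn-") else label
        if bare in PRODUCT_WORDS:
            return True
    return False


class Hit(NamedTuple):
    ts: str
    client: str
    target: str
    port: Optional[int]
    verdict: str   # "ioc-domain", "lookalike", "c2" (host and port), "c2-host" (host only)
    matched: str


def scan_dns(lines: List[str]) -> List[Hit]:
    """Lines: '<ts> <client_ip> <queried_name>' (assumed format)."""
    hits: List[Hit] = []
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname = line.split()[:3]
        ioc = match_blocklist(qname, BLOCKED_DOMAINS)
        if ioc:
            hits.append(Hit(ts, client, qname, None, "ioc-domain", ioc))
        elif looks_like_lookalike(qname):
            hits.append(Hit(ts, client, qname, None, "lookalike", registered_domain(qname)))
    return hits


def scan_conn(lines: List[str]) -> List[Hit]:
    """Lines: '<ts> <src_ip> <dst_host> <dst_port>' (assumed format)."""
    hits: List[Hit] = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port_s = line.split()[:4]
        port = int(port_s)
        for c2_host, c2_port in C2_ENDPOINTS:
            if match_blocklist(dst, [c2_host]):
                verdict = "c2" if port == c2_port else "c2-host"
                hits.append(Hit(ts, src, dst, port, verdict, f"{c2_host}:{c2_port}"))
                break
    return hits


# Constructed sample logs (not real traffic); cn-winscp.example is a made-up name.
DNS_LOG = """\
2026-01-07T19:59:42Z 10.0.0.5 cn-notepadplusplus.com
2026-01-07T19:59:50Z 10.0.0.5 notepad-plus-plus.org
2026-01-07T20:00:10Z 10.0.0.9 cdn.github.zh-cns.top
2026-01-07T20:00:30Z 10.0.0.9 winscp.net
2026-01-07T20:01:00Z 10.0.0.12 cn-winscp.example
"""
CONN_LOG = """\
2026-01-07T20:02:00Z 10.0.0.5 sbido.com 2869
2026-01-07T20:02:05Z 10.0.0.5 sbido.com 443
2026-01-07T20:02:09Z 10.0.0.9 winscp.net 443
"""

if __name__ == "__main__":
    for hit in scan_dns(DNS_LOG.splitlines()) + scan_conn(CONN_LOG.splitlines()):
        print(hit)
```

Traffic to sbido.com on a port other than 2869 is still reported (as "c2-host") because the recommendation is to block the domain itself, not only the one port seen so far; the lookalike verdict is a heuristic and should drive review, not automatic blocking.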
 
Those websites seem to have been flagged by "DNS4EU Security DNS", blocked by Osprey. Aren't you using Osprey?