TZUTC: -0500
MSGID: 1503.consprcy@1:2320/105 2d2ebf90
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Chinese malware is flooding GitHub pages - HiddenGh0st, Winos and kkRAT hit
devs via SEO poisoning

Date:
Mon, 15 Sep 2025 21:00:00 +0000

Description:
Users searching for different programs are at risk from at least five
different RATs.

FULL STORY

Chinese users looking to download popular browsers and communications 
software are being targeted by different malware variants , granting 
attackers remote access capabilities. This is according to multiple
cybersecurity organizations, including Fortinet FortiGuard Labs, and Zscaler
ThreatLabz. 

The former discovered an SEO poisoning campaign to deliver two Remote Access
Trojans (RAT) - HiddenGh0st, and Winos - both variants of the infamous Gh0st
RAT. 

In the campaign, the threat actors created spoofed download pages for 
programs such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp,
and WPS Office, on typosquatted domains.

Stealing crypto and disabling AV 

They then manipulated search rankings using different SEO plugins to trick
people searching for these programs into visiting the wrong sites. The
download seemingly deploys the wanted program, but the installer is
trojanized, also serving one of the above-mentioned trojans. 

At the same time, researchers from Zscaler observed a previously unknown
trojan, called kkRAT, being disseminated. This campaign started in May this
year and also includes Winos and FatalRAT. 

kkRATs code is similar to that of Gh0st RAT and Big Bad Wolf, Zscaler
explained: kkRAT employs a network communication protocol similar to Ghost
RAT, with an added encryption layer after data compression. The RAT's 
features include clipboard manipulation to replace cryptocurrency addresses
and the deployment of remote monitoring tools (i.e. Sunlogin, GotoHTTP)." 

It is also capable of killing antivirus software before running any malicious
activity, to better hide its presence. Among the AV solutions targeted by the
trojan are 360 Internet Security suite, 360 Total Security, HeroBravo System
Diagnostics suite, and others. 

Unlike Fortinets discovery, in this campaign the phishing sites are hosted on
GitHub pages, leaning into the trust that the platform enjoys with its
community to distribute the trojans. The GitHub account used in this campaign
has since been terminated. 

 Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/chinese-malware-is-flooding-github-page
s-hiddengh0st-winos-and-kkrat-hit-devs-via-seo-poisoning

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426