SEO Abuse Becomes Key Vector in Black Cat Cybercrime Operations

Black Cat Group Tied To SEO Poisoning Campaign Targeting Software Searches

The420 Web Desk

What appeared to be routine searches for familiar software tools masked a coordinated campaign in which malicious links rose to the top of search results, quietly funneling users toward a backdoor designed for surveillance and data theft.

A cybercrime group known as Black Cat has been linked to a large-scale search engine manipulation campaign that exploited users’ trust in popular software brands, according to a joint assessment by Chinese cybersecurity authorities and private researchers. The operation relied less on technical exploits than on careful mimicry: convincing websites, familiar download buttons, and search results engineered to appear legitimate.

The campaign, detailed by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and ThreatBook, illustrates how search behavior itself has become an attack surface, particularly when combined with targeted regional cues and widely used software names.

A Backdoor Hidden Behind Familiar Downloads

At the center of the activity is a backdoor Trojan that establishes contact with a hard-coded remote server, “sbido[.]com:2869.” Once installed, the malware is capable of harvesting web browser data, logging keystrokes, extracting clipboard contents and exfiltrating other sensitive information from an infected machine.

Investigators say the malicious program is not typically delivered through overtly suspicious files. Instead, it arrives bundled inside software installation packages that appear routine to users. The goal is persistence and quiet data collection rather than immediate disruption, allowing compromised systems to remain under remote control without obvious signs of infection.

Search Results as the Entry Point

The infections are traced back to an SEO poisoning strategy designed to push fraudulent websites to the top of search results on engines such as Microsoft Bing. Users searching for everyday tools — including Notepad++, Google Chrome, QQ International and iTools — were redirected to high-ranking links that closely resembled official download pages.

In one recent wave, searches for Notepad++ led users to a phishing domain masquerading as an associated site, “cn-notepadplusplus[.]com.” Other domains linked to the campaign included “cn-obsidian[.]com,” “cn-winscp[.]com,” and “notepadplusplus[.]cn.” The recurring use of “cn” in the domain names, researchers said, was a deliberate signal aimed at Chinese users searching in their local language or region.

Clicking a download button on these sites redirected victims again — this time to a page mimicking GitHub, hosted at “github.zh-cns[.]top,” from which a ZIP archive could be downloaded.
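For defenders, the practical takeaway from the domains and the hard-coded C2 named above is a watchlist check against web proxy or DNS logs. The following is an added example, not code published by CNCERT/CC, ThreatBook or the article's authors: it refangs the indicators exactly as the article lists them (with `[.]` in place of `.`, and `host:port` for the C2), then scans a constructed, space-separated proxy log whose format is assumed for illustration. An indicator that carries a port (the C2) matches only on that port; bare domains match the host or any subdomain of it.

```python
import re

# Indicators as reported in the article, kept in defanged form ("[.]" for ".").
# The first entry is the backdoor's hard-coded C2 and includes its port.
REPORTED_INDICATORS = [
    "sbido[.]com:2869",
    "cn-notepadplusplus[.]com",
    "cn-obsidian[.]com",
    "cn-winscp[.]com",
    "notepadplusplus[.]cn",
    "github.zh-cns[.]top",
]


def refang(indicator):
    """Turn 'host[.]tld[:port]' into (host, port); port is None when absent."""
    host, _, port = indicator.replace("[.]", ".").lower().partition(":")
    return host, (int(port) if port else None)


def build_watchlist(indicators):
    return [refang(i) for i in indicators]


# Constructed sample proxy log (not from the article). Assumed format:
# "<timestamp> <client-ip> <method> <host>:<port> <status>"
SAMPLE_PROXY_LOG = """\
2025-12-12T09:14:01Z 10.0.4.21 GET www.bing.com:443 200
2025-12-12T09:14:09Z 10.0.4.21 GET cn-notepadplusplus.com:443 200
2025-12-12T09:14:15Z 10.0.4.21 GET github.zh-cns.top:443 200
2025-12-12T09:16:40Z 10.0.4.21 CONNECT sbido.com:2869 200
2025-12-12T09:17:02Z 10.0.4.33 GET notepad-plus-plus.org:443 200
2025-12-12T09:18:55Z 10.0.4.33 GET sbido.com:443 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) ([^:\s]+):(\d+) (\d+)$")


def matches(host, port, watch_host, watch_port):
    """Host equals the indicator or is a subdomain of it; port must match if the indicator has one."""
    host_ok = host == watch_host or host.endswith("." + watch_host)
    port_ok = watch_port is None or port == watch_port
    return host_ok and port_ok


def scan_log(log_text, indicators=REPORTED_INDICATORS):
    """Return one hit per log line that touches a watchlisted host (and port, where given)."""
    watchlist = build_watchlist(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, host, port, _status = m.groups()
        host, port = host.lower(), int(port)
        for watch_host, watch_port in watchlist:
            if matches(host, port, watch_host, watch_port):
                label = watch_host if watch_port is None else f"{watch_host}:{watch_port}"
                hits.append({"ts": ts, "client": client, "host": host,
                             "port": port, "indicator": label})
                break
    return hits


def affected_clients(hits):
    """Distinct client IPs that contacted any indicator, for triage."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_PROXY_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['host']}:{h['port']} (indicator {h['indicator']})")
    print("clients to triage:", affected_clients(found))
```

In the sample log the three lines from 10.0.4.21 (the lookalike download site, the fake GitHub page, then the C2 on port 2869) are flagged, while the connection to sbido.com on 443 is not, because the article ties the C2 to port 2869 specifically. Dropping the `:2869` suffix from the indicator list widens the check to any traffic to that domain, which is the more conservative choice for hunting.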

Side-Loading and Silent Installation

Inside the ZIP file, investigators found an installer that created a desktop shortcut. That shortcut functioned as the entry point for side-loading a malicious DLL, which in turn launched the backdoor Trojan. The process required little technical sophistication from the user and did not rely on exploiting software vulnerabilities, making it difficult to detect through traditional warning signs.

CNCERT/CC and ThreatBook noted that the download pages were carefully constructed to resemble legitimate software distribution portals. Once the program was installed, the backdoor operated without the user’s knowledge, quietly siphoning data from the host computer.

Scale, Targeting and a Longer Pattern

The campaign’s reach was substantial. Between December 7 and 20, 2025, Black Cat is assessed to have compromised roughly 277,800 hosts across China, with the highest single-day total reaching 62,167 infected machines. The figures point to a broad, automated distribution model rather than isolated incidents.

Researchers said the group has been active since at least 2022, repeatedly using SEO poisoning as a delivery mechanism for malware focused on data theft and remote access. In a previous operation in 2023, Black Cat was linked to the theft of at least $160,000 worth of cryptocurrency through the impersonation of AICoin, a virtual currency trading platform.

CNCERT/CC advised users to avoid clicking links from unknown sources and to rely on trusted, official channels for software downloads.
