A new cyberattack technique is using Google Search to distribute malware disguised as widely used applications such as WhatsApp, Telegram, Chrome, and others. Security researchers at FortiGuard Labs have uncovered a campaign that manipulates search engine results to push fake download pages to the top of search rankings—tricking users into installing trojans.
The attackers behind this operation are using a combination of SEO manipulation and lookalike domains to make their sites appear legitimate. Once a user clicks on one of these fraudulent links, they’re taken to a page that closely mimics the official site of a known app. The site then offers an installer that appears genuine but contains a hidden malicious payload.
Targeted applications in this campaign include messaging platforms (Signal, Telegram, WhatsApp, Line), productivity tools (WPS Office), translation apps (DeepL), browsers (Chrome), and VPN services. The installer packages often contain both the real application and malware, increasing the likelihood that users will trust and run the file.
Once executed, the installer quietly drops harmful DLL files into hidden folders, escalates privileges, and begins to collect system data. Capabilities observed include keylogging, clipboard monitoring, capturing screen activity, and identifying installed security software. Some versions also include plugins designed to extend surveillance capabilities, including the potential interception of Telegram communications.
The malware families involved include known threats such as Hiddengh0st and a new variant of Winos, both of which enable long-term monitoring and remote access.
This method—known as SEO poisoning—relies on manipulating search engine algorithms to make malicious links appear among the top search results. It’s a growing concern, as even careful users may unknowingly download malware by clicking on what seems to be a reputable link.
While this particular campaign appears to be focused on Chinese-speaking users, similar tactics have been seen in broader attacks. The findings reinforce the importance of verifying download sources and double-checking domain names—even when links appear to come from trusted search results.
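As an added example (not code from the article or from FortiGuard Labs), here is a small defender-side check for the "double-check the domain name" advice above: it classifies a download URL as official, a lookalike of one of the apps named in this campaign, a punycode/IDN host that should be inspected before trusting, or unrelated. The official domains and brand tokens in the table are assumptions for this example, and the URLs fed to it are constructed.

```python
import re
from urllib.parse import urlparse

# Official download domains and brand tokens for the apps the article lists as
# impersonated. Assumed values for this example; the article gives no domains.
OFFICIAL = {
    "WhatsApp": ("whatsapp.com", {"whatsapp"}),
    "Telegram": ("telegram.org", {"telegram"}),
    "Signal": ("signal.org", {"signal"}),
    "Line": ("line.me", {"line"}),
    "WPS Office": ("wps.com", {"wps"}),
    "DeepL": ("deepl.com", {"deepl"}),
    "Chrome": ("google.com", {"chrome", "google"}),
}

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_download_url(url: str) -> tuple:
    """Return (verdict, app); verdict is official, lookalike, punycode or unrelated."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").rstrip(".").lower()
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("punycode", None)  # IDN host: render and inspect before trusting it
    domain = ".".join(host.split(".")[-2:])  # naive registrable domain (last two labels)
    sld = domain.split(".")[0]
    tokens = set(re.split(r"[.-]", host))  # every label and hyphen-separated word
    for app, (official, _) in OFFICIAL.items():
        if domain == official:
            return ("official", app)
    for app, (official, brands) in OFFICIAL.items():
        official_sld = official.split(".")[0]
        limit = 2 if len(official_sld) >= 6 else 1  # short brands get a tighter threshold
        if tokens & brands or levenshtein(sld, official_sld) <= limit:
            return ("lookalike", app)  # brand name on a domain the vendor does not own
    return ("unrelated", None)
```

The two-label registrable-domain rule and the edit-distance thresholds are deliberately simple; a production check would use the public suffix list and a curated allowlist fed from the vendors themselves.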