Black Cat Linked to SEO Poisoning Malware Campaign

Security researchers have linked Black Cat, also known as ALPHV, to a new search engine optimization (SEO) poisoning campaign that tricks users searching for popular software into downloading malware. Threat actors register or compromise domains that include keywords for popular programs such as Google Chrome, Notepad++, QQ International, iTools, and others. These sites are engineered to rank highly in search engines like Microsoft Bing and, potentially, Google.

SEO poisoning is a technique where attackers deliberately manipulate search engine rankings so that malicious websites appear at the top of search results.


How the Attack Works

Manipulated Search Results

The attackers register or compromise domains that include the names of well-known software, such as Google Chrome, Notepad++, QQ International, and iTools. These domains are carefully optimized to rank highly in search engines like Microsoft Bing and potentially Google, increasing the chance that users will click on them.

Malicious Downloads

Once a victim clicks on one of these search results, they’re taken to a convincing fake download page. Everything—from the layout to the branding—looks legitimate, giving users little reason to be suspicious.

Backdoor Installation

If the installer is downloaded and executed, it secretly installs a backdoor Trojan. This allows attackers to:

  • Steal sensitive information
  • Gain remote access to the system
  • Monitor activity or deploy additional malware

All of this can happen without the victim realizing anything is wrong, according to researchers cited by The Hacker News.

Regional Targeting

Many of the malicious domains include “cn” in their names (for example, cn-notepadplusplus[.]com), suggesting the campaign is specifically targeting Chinese-speaking users and regional markets.


Who Is Black Cat?

Black Cat (ALPHV) is a well-established cybercrime syndicate best known for operating a Ransomware-as-a-Service (RaaS) model. Active since at least 2021–2022, the group’s affiliates have been involved in:

  • Cryptocurrency theft through impersonation websites
  • High-profile ransomware extortion attacks
  • Malware distribution via SEO poisoning and malicious search ads

While SEO poisoning has often been associated with other regional threat actors, recent research shows this campaign aligns closely with Black Cat’s tools, tactics, and evolving strategy.


Why This Matters

This campaign is especially dangerous because it targets ordinary users doing routine searches for trusted software. Even cautious users can be fooled when fake sites closely mimic official download pages.

Once infected, compromised systems can be:

  • Remotely controlled
  • Used to steal personal or corporate data
  • Leveraged as part of larger cyberattacks

Domain & Network IOCs

  • Newly registered domains (often <30 days old)
  • Domains mimicking software names (e.g., chrome-download, notepadplusplus, vlc-player)
  • Suspicious TLDs or regional markers like .cn, .top, .xyz, .site
  • High entropy or typo-squatted domains (e.g., notepaddplus.com)
  • HTTP/S connections to unfamiliar hosting providers shortly after installer execution
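A defender-side triage script for the indicators above, added here as an example and not part of the original article or any vendor tooling: it scores hostnames from constructed DNS log lines against the software-name, typo-squat, suspicious-TLD, regional-marker and domain-age heuristics listed. The keyword list, TLD list, vendor allowlist and the `age_days` enrichment field are assumptions chosen for illustration.

```python
import re

# Assumed for illustration: names and TLDs the article lists, plus an allowlist of genuine vendor domains.
SOFTWARE_KEYWORDS = ("chrome", "notepadplus", "itools", "vlc", "telegram", "deepl")
SUSPICIOUS_TLDS = ("cn", "top", "xyz", "site")
OFFICIAL_DOMAINS = ("notepad-plus-plus.org", "google.com", "videolan.org")
LOG_RE = re.compile(r"host=(?P<host>\S+) query=(?P<domain>\S+)(?: age_days=(?P<age>\d+))?")

def edit_distance(a, b):  # Levenshtein distance, used to catch typo-squats such as notepaddplus
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(domain, registered_days_ago=None):  # -> (score, reasons); 0 means nothing fired
    d = domain.lower().strip(".")
    if any(d == o or d.endswith("." + o) for o in OFFICIAL_DOMAINS):
        return 0, []  # genuine vendor domain
    name, _, tld = d.rpartition(".")
    label = name.split(".")[-1]  # registrable label, e.g. "cn-notepadplusplus"
    compact, reasons = label.replace("-", ""), []
    if any(k in compact for k in SOFTWARE_KEYWORDS):
        reasons.append("mimics software name")
    elif any(edit_distance(compact, k) <= 2 for k in SOFTWARE_KEYWORDS if len(k) >= 6):
        reasons.append("typo-squat of software name")
    if tld in SUSPICIOUS_TLDS or label.startswith("cn-") or label.endswith("-cn"):
        reasons.append("regional marker or suspicious TLD")
    if registered_days_ago is not None and registered_days_ago < 30:  # "often <30 days old"
        reasons.append("newly registered domain")
    return len(reasons), reasons

def scan_dns_log(lines):  # (host, domain, score, reasons) for every line whose domain scores > 0
    hits = []
    for m in filter(None, map(LOG_RE.search, lines)):
        score, reasons = score_domain(m["domain"], int(m["age"]) if m["age"] else None)
        if score:
            hits.append((m["host"], m["domain"], score, reasons))
    return hits

# Constructed sample DNS log lines (not real telemetry); age_days is an assumed WHOIS/RDAP enrichment.
SAMPLE_LOG = [
    "2024-05-02T10:15:01Z host=WS-42 query=cn-notepadplusplus.com age_days=12",
    "2024-05-02T10:15:03Z host=WS-42 query=notepad-plus-plus.org age_days=5000",
    "2024-05-02T10:16:40Z host=WS-07 query=notepaddplus.com",
    "2024-05-02T10:17:02Z host=WS-07 query=chrome-download.top age_days=3",
]
```

Running `scan_dns_log(SAMPLE_LOG)` flags the cn-prefixed, typo-squatted and .top domains while the genuine notepad-plus-plus.org lookup scores zero; treat the score as a triage priority, not a verdict.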

SEO poisoning has become a common and effective malware distribution method, not just for Black Cat. Similar campaigns have impersonated downloads for tools like Telegram, DeepL, and VLC, spreading remote access trojans (RATs) and other malware through poisoned search results.