Chinese Malware Exploits SEO and GitHub Pages


A sophisticated campaign targets Chinese-speaking users with fake software sites and remote access trojans (HiddenGh0st, Winos, and kkRAT) that steal data and cryptocurrency.

SEO poisoning as a weapon

Attackers leveraged SEO plugins and typosquatted domains to push fake websites mimicking popular tools like Google Chrome, Telegram, Signal, WhatsApp, WPS Office, and DeepL Translate into top Google results.
These counterfeit pages tricked users into downloading trojanized installers carrying HiddenGh0st and Winos (ValleyRAT).
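A defender triaging download URLs from proxy or DNS logs can catch most of the typosquatted domains this kind of campaign relies on with a simple lookalike check. The following is an added example, not code from the original article or from any vendor it names; the legitimate-domain table is an assumption made for the example, the "eTLD+1" logic is deliberately simplified to two labels, and the sample hosts are constructed.

```python
from typing import Optional, Tuple, List

# Assumed canonical domains for the brands the article says were impersonated.
LEGIT_DOMAINS = {
    "google.com": "google",
    "telegram.org": "telegram",
    "signal.org": "signal",
    "whatsapp.com": "whatsapp",
    "wps.com": "wps",
    "deepl.com": "deepl",
}

# Digit-for-letter substitutions commonly seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (enough for .com/.org/.net/.top)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand). Verdicts: legit, typosquat, brand-abuse, unrelated."""
    domain = registrable(host)
    if domain in LEGIT_DOMAINS:
        return "legit", LEGIT_DOMAINS[domain]
    label = domain.split(".")[0]
    normalized = label.translate(HOMOGLYPHS)
    for brand in LEGIT_DOMAINS.values():
        # Few edits away after homoglyph folding: classic typosquat (te1egram, gogle).
        if levenshtein(normalized, brand) <= max(1, len(brand) // 4):
            return "typosquat", brand
        # Brand name embedded in a longer label (whatsapp-download, deepl-cn).
        if brand in normalized and len(normalized) > len(brand):
            return "brand-abuse", brand
    return "unrelated", None


def triage(hosts: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return only the hosts that deserve analyst attention."""
    return [(h, *classify(h)) for h in hosts if classify(h)[0] != "legit"]


if __name__ == "__main__":
    # Constructed sample of hosts as they might appear in a download log.
    sample = ["www.telegram.org", "te1egram.net", "whatsapp-download.top",
              "deepl.com", "gogle.com", "example.com"]
    for host, verdict, brand in triage(sample):
        print(f"{host:24} {verdict:12} {brand or '-'}")
```

The edit-distance threshold scales with brand length so short names such as "wps" still need at least one edit; expect some false positives on very short brands and tune the threshold, or add an allowlist, before using this in an alerting pipeline.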

HiddenGh0st and Winos: old RATs, new tricks

Both malware strains, derived from Gh0st RAT, enable:

  • encrypted C2 communication,
  • system profiling,
  • keylogging and clipboard hijacking,
  • theft of Ethereum and Tether wallets.

Installers bundled the legitimate app with the malicious payload, making detection harder.

kkRAT: the emerging threat

In parallel, Zscaler ThreatLabz discovered kkRAT, a new remote access trojan linked to Gh0st RAT and China-based Big Bad Wolf malware.
Its features include:

  • clipboard hijacking of crypto wallet addresses,
  • BYOVD techniques to disable antivirus,
  • deployment of remote monitoring tools like Sunlogin and GotoHTTP.
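Clipboard hijacking of wallet addresses (listed for both the Gh0st-derived RATs and kkRAT) leaves a distinctive trace: a copied address is replaced within a fraction of a second by a different address of the same format. The following is an added example, not code from the article or from Zscaler; it runs over recorded clipboard snapshots rather than hooking the clipboard itself, so the snapshot list, timestamps, and addresses are all constructed, and the two-second window is an assumed tuning value.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Dict

# Address formats for the wallets the article mentions:
# Ethereum / ERC-20 Tether (0x + 40 hex) and TRON / TRC-20 Tether (T + 33 base58).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


@dataclass
class Snapshot:
    ts: float   # seconds since epoch when the clipboard changed
    text: str   # clipboard text at that moment


def address_type(text: str) -> Optional[str]:
    """Return the wallet format name if text is a bare wallet address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_swaps(snapshots: List[Snapshot], window_s: float = 2.0) -> List[Dict]:
    """Flag consecutive snapshots where one wallet address becomes a different
    address of the same format within window_s seconds. A user pasting a new
    address a minute later is not flagged; a near-instant replacement is."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind = address_type(prev.text)
        if kind is None or kind != address_type(cur.text):
            continue
        if prev.text.strip() == cur.text.strip():
            continue
        if cur.ts - prev.ts <= window_s:
            alerts.append({
                "ts": cur.ts,
                "type": kind,
                "original": prev.text.strip(),
                "replacement": cur.text.strip(),
            })
    return alerts


# Constructed snapshot feed: obviously fake addresses, no real wallets involved.
ETH_A = "0x" + "1" * 40
ETH_B = "0x" + "2" * 40
TRON_X = "T" + "A" * 33
TRON_Y = "T" + "B" * 33

SAMPLE_FEED = [
    Snapshot(100.0, "meeting notes"),
    Snapshot(105.0, ETH_A),     # user copies their address
    Snapshot(105.3, ETH_B),     # 300 ms later it is a different address: hijack
    Snapshot(200.0, TRON_X),
    Snapshot(260.0, TRON_Y),    # a minute later: plausible user action, no alert
    Snapshot(300.0, ETH_A),
    Snapshot(300.5, ETH_A),     # same content re-copied, no alert
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_FEED):
        print(f"[{alert['ts']:.1f}] {alert['type']} address swapped: "
              f"{alert['original'][:10]}... -> {alert['replacement'][:10]}...")
```

On a live endpoint the snapshot feed would come from a clipboard change listener (on Windows, AddClipboardFormatListener delivers WM_CLIPBOARDUPDATE); the detection logic stays the same, and the alert is worth escalating because a legitimate user almost never replaces one address with another within a couple of hundred milliseconds.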

GitHub Pages abused

Attackers weaponized GitHub Pages to host phishing installers, abusing the platform's legitimacy to distribute disguised malware.

Advanced evasion

The malware checks for sandbox environments, disables 360 Total Security and other Chinese AV suites, and leverages malicious DLLs and Windows shortcuts to maintain persistence.

Final goal: stealing crypto and full control

Beyond data theft and surveillance, the primary goal remains the theft of cryptocurrency while retaining full remote access to the victim's system.
