Telegram, WPS Office, Google, GitHub and DeepL Translate: Chinese malware is flooding GitHub pages - HiddenGh0st, Winos and kkRAT hit devs via SEO poisoning

Chinese Users Targeted by Malware Campaigns via Spoofed Downloads and SEO Poisoning

Cybersecurity researchers from Fortinet FortiGuard Labs and Zscaler ThreatLabz have uncovered malware campaigns targeting Chinese users seeking popular software downloads. Attackers are leveraging typosquatted domains, SEO poisoning, and GitHub Pages to distribute remote access trojans (RATs), including new and sophisticated variants.

Key Campaigns and Tactics

  1. SEO Poisoning & Trojanized Installers

    • Threat actors created fake download pages for widely used applications, including Google Chrome, Signal, Telegram, WhatsApp, WPS Office, and DeepL Translate.
    • Using SEO manipulation, they tricked users into visiting these malicious sites, where trojanized installers delivered HiddenGh0st and Winos, both variants of the notorious Gh0st RAT.
  2. kkRAT: A New and Evasive Threat

    • Zscaler identified kkRAT, a previously unknown trojan whose code shares similarities with Gh0st RAT and Big Bad Wolf, active since May 2024.
    • Features include:
      • Clipboard hijacking to replace cryptocurrency wallet addresses.
      • Remote monitoring via tools like Sunlogin and GotoHTTP.
      • Antivirus evasion by disabling security software, including 360 Internet Security, 360 Total Security, and HeroBravo System Diagnostics.
    • The malware uses encrypted network communication to avoid detection.
  3. GitHub Pages Exploited for Phishing

    • Unlike the typosquatted domains in Fortinet’s findings, the kkRAT campaign abused GitHub Pages to host phishing sites, exploiting the platform’s trusted reputation.
    • The malicious GitHub account has since been terminated.

Impact

These campaigns highlight a growing trend of social engineering and supply-chain deception, where attackers exploit trust in legitimate platforms and software to deploy malware. The use of advanced RATs with antivirus evasion and cryptocurrency theft capabilities underscores the evolving sophistication of cyber threats targeting Chinese users.

Source: https://www.techradar.com/pro/security/chinese-malware-is-flooding-github-pages-hiddengh0st-winos-and-kkrat-hit-devs-via-seo-poisoning

GitHub cybersecurity rating report: https://www.rankiteo.com/company/Github

Google cybersecurity rating report: https://www.rankiteo.com/company/google

DeepL cybersecurity rating report: https://www.rankiteo.com/company/deepl

WPS Office cybersecurity rating report: https://www.rankiteo.com/company/wps-office

Telegram Messenger cybersecurity rating report: https://www.rankiteo.com/company/telegram-messenger

{
  "id": "GITGOODEEWPSTEL1770472851",
  "linkid": "Github, google, deepl, wps-office, telegram-messenger",
  "type": "Cyber Attack",
  "date": "9/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [{"location": "China", "type": "Individual Users"}],
  "attack_vector": ["SEO Poisoning", "Trojanized Installers", "GitHub Pages Abuse"],
  "data_breach": {
    "data_encryption": "Yes (malware uses encrypted network communication)",
    "data_exfiltration": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Cryptocurrency wallet addresses", "Remote monitoring data"]
  },
  "description": "Cybersecurity researchers from Fortinet FortiGuard Labs and Zscaler ThreatLabz uncovered malware campaigns targeting Chinese users seeking popular software downloads. Attackers leveraged typosquatted domains, SEO poisoning, and GitHub Pages to distribute remote access trojans (RATs), including new and sophisticated variants like HiddenGh0st, Winos, and kkRAT.",
  "impact": {
    "data_compromised": "Cryptocurrency wallet addresses, remote monitoring data",
    "identity_theft_risk": "High (due to clipboard hijacking and remote monitoring)",
    "operational_impact": "Potential unauthorized access and control of infected systems",
    "payment_information_risk": "High (cryptocurrency wallet addresses compromised)",
    "systems_affected": "User devices infected with RATs"
  },
  "initial_access_broker": {
    "backdoors_established": "Yes (RATs installed)",
    "entry_point": ["Fake download pages", "GitHub Pages"]
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Growing trend of social engineering and supply-chain deception, exploitation of trusted platforms like GitHub Pages, and the use of advanced RATs with antivirus evasion capabilities.",
  "motivation": ["Financial Gain", "Data Theft", "Remote Access"],
  "post_incident_analysis": {
    "root_causes": ["SEO poisoning", "Typosquatted domains", "Abuse of trusted platforms (GitHub Pages)"]
  },
  "recommendations": "Enhanced user awareness of SEO poisoning and typosquatted domains, stricter monitoring of software download sources, and improved detection of encrypted malicious network traffic.",
  "references": [{"source": "Fortinet FortiGuard Labs"}, {"source": "Zscaler ThreatLabz"}],
  "response": {"third_party_assistance": "Fortinet FortiGuard Labs, Zscaler ThreatLabz"},
  "title": "Chinese Users Targeted by Malware Campaigns via Spoofed Downloads and SEO Poisoning",
  "type": "Malware Campaign"
}