Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 1,754 of 2,445    |
|    Mike Powell to All    |
|    Chinese malware is floodi    |
|    16 Sep 25 10:35:13    |
TZUTC: -0500
MSGID: 1503.consprcy@1:2320/105 2d2ebf90
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed

Chinese malware is flooding GitHub pages - HiddenGh0st, Winos and kkRAT hit devs via SEO poisoning

Date: Mon, 15 Sep 2025 21:00:00 +0000

Description: Users searching for different programs are at risk from at least five different RATs.

FULL STORY

Chinese users looking to download popular browsers and communications software are being targeted by different malware variants, granting attackers remote access capabilities. This is according to multiple cybersecurity organizations, including Fortinet FortiGuard Labs, and Zscaler ThreatLabz.

The former discovered an SEO poisoning campaign to deliver two Remote Access Trojans (RAT) - HiddenGh0st, and Winos - both variants of the infamous Gh0st RAT.

In the campaign, the threat actors created spoofed download pages for programs such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, and WPS Office, on typosquatted domains.

Stealing crypto and disabling AV

They then manipulated search rankings using different SEO plugins to trick people searching for these programs into visiting the wrong sites. The download seemingly deploys the wanted program, but the installer is trojanized, also serving one of the above-mentioned trojans.

At the same time, researchers from Zscaler observed a previously unknown trojan, called kkRAT, being disseminated. This campaign started in May this year and also includes Winos and FatalRAT.

kkRAT's code is similar to that of Gh0st RAT and Big Bad Wolf, Zscaler explained: "kkRAT employs a network communication protocol similar to Ghost RAT, with an added encryption layer after data compression. The RAT's features include clipboard manipulation to replace cryptocurrency addresses and the deployment of remote monitoring tools (i.e. Sunlogin, GotoHTTP)."

It is also capable of killing antivirus software before running any malicious activity, to better hide its presence. Among the AV solutions targeted by the trojan are 360 Internet Security suite, 360 Total Security, HeroBravo System Diagnostics suite, and others.

Unlike Fortinet's discovery, in this campaign the phishing sites are hosted on GitHub pages, leaning into the trust that the platform enjoys with its community to distribute the trojans. The GitHub account used in this campaign has since been terminated.

Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/chinese-malware-is-flooding-github-pages-hiddengh0st-winos-and-kkrat-hit-devs-via-seo-poisoning

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
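A download-host triage check for the two delivery routes the story describes (typosquatted domains, and brand-named pages on a shared host such as GitHub Pages), as an added example that is not part of the original message or the cited article. The official-domain map, the thresholds and the sample hostnames are assumptions constructed for illustration.

```python
# Added example: flag download hosts that imitate the software named in the story.
# OFFICIAL is an assumed allowlist (brand keyword -> vendor domain), not from the article.
OFFICIAL = {
    "deepl": "deepl.com",
    "chrome": "google.com",
    "signal": "signal.org",
    "telegram": "telegram.org",
    "whatsapp": "whatsapp.com",
    "wps": "wps.com",
}

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return (verdict, brand) for a hostname taken from a download link."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Naive registrable domain (last two labels); a real deployment would
    # consult the Public Suffix List so that e.g. "co.uk" is handled.
    registrable = ".".join(labels[-2:])
    for brand, official in OFFICIAL.items():
        if host == official or host.endswith("." + official):
            return ("official", brand)
    for brand, official in OFFICIAL.items():
        # Short names collide easily, so allow fewer edits for them.
        limit = 1 if len(official) < 8 else 2
        if 0 < edit_distance(registrable, official) <= limit:
            return ("typosquat", brand)
    for brand in OFFICIAL:
        # Brand keyword on someone else's domain, e.g. a shared hosting subdomain.
        if any(brand in label for label in labels):
            return ("brand-on-foreign-host", brand)
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed sample hostnames, not indicators from the campaign.
    for h in ["www.telegram.org", "telegrarn.org",
              "telegram-setup.github.io", "example.org"]:
        print(h, classify(h))
```

The keyword match is a triage heuristic and will flag legitimate third-party pages that mention a brand, so its hits are candidates for review rather than verdicts.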
(c) 1994, bbs@darkrealms.ca