Chinese malware is flooding GitHub pages – HiddenGh0st, Winos and kkRAT hit devs via SEO poisoning
By Sead Fadilpašić
Copyright techradar
15 September 2025
Users searching for different programs are at risk
Chinese users are being targeted by malware campaigns using spoofed download sites and SEO poisoning
kkRAT features advanced capabilities including clipboard hijacking, remote monitoring, and antivirus evasion
Attackers exploited GitHub Pages to host phishing sites
Chinese users looking to download popular browsers and communications software are being targeted by several malware variants that give attackers remote access to the infected machine, according to research from Fortinet FortiGuard Labs and Zscaler ThreatLabz.
Fortinet uncovered an SEO poisoning campaign delivering two Remote Access Trojans (RATs), HiddenGh0st and Winos, both variants of the well-known Gh0st RAT.
In that campaign, the threat actors built spoofed download pages for programs such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, and WPS Office, and hosted them on typosquatted domains.
Stealing crypto and disabling AV
They then pushed those pages up the search rankings using SEO plugins, so that people searching for the programs landed on the fake sites instead of the vendors' own. The download does install the program the victim wanted, but the installer is trojanized and also deploys one of the RATs above.
Separately, researchers from Zscaler observed a previously unknown trojan, dubbed kkRAT, being distributed. That campaign began in May 2025 and also delivers Winos and FatalRAT.
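The typosquatting described above, a lookalike domain standing in for the vendor's real one, can be checked mechanically before an installer is trusted. The following is an added example, not code from the article or from Fortinet or Zscaler. The vendor-domain table, the homoglyph map and the edit-distance thresholds are assumptions chosen for illustration, and the registrable-domain logic is deliberately naive (last two labels, no public-suffix list).

```python
"""Flag download URLs whose host merely resembles a vendor's real domain.

Added example (not from the article or the vendors it names). The vendor
table, homoglyph map and thresholds are assumptions for illustration.
"""
from urllib.parse import urlsplit

# Assumed legitimate registrable domains per product (illustrative only;
# maintain this from the vendors' own published domains in real use).
VENDOR_DOMAINS = {
    "deepl": {"deepl.com"},
    "chrome": {"google.com"},
    "signal": {"signal.org"},
    "telegram": {"telegram.org"},
    "whatsapp": {"whatsapp.com"},
    "wps": {"wps.com"},
}

# Digit-for-letter substitutions commonly used in typosquats; applied
# before comparing so that "deep1" collapses to "deepl".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(label: str) -> str:
    """Undo common homoglyph tricks (single chars, then 'rn'->'m', 'vv'->'w')."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' rule (assumption: no public-suffix list here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_download_url(url: str) -> tuple:
    """Return (verdict, reason) with verdict in {'official', 'lookalike', 'unknown'}."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    base = reg.split(".")[0]
    # Exact match on the registrable domain wins before any fuzzy matching.
    for product, domains in VENDOR_DOMAINS.items():
        if reg in domains:
            return "official", f"{reg} is a known {product} domain"
    for product, domains in VENDOR_DOMAINS.items():
        brands = {product} | {d.split(".")[0] for d in domains}
        for brand in brands:
            # Brand embedded anywhere in the host (e.g. signal-download.github.io)
            # or within a small edit distance of the registrable base label.
            threshold = 2 if len(brand) >= 6 else 1
            if brand in normalise(host) or levenshtein(normalise(base), brand) <= threshold:
                return "lookalike", f"{host} resembles {product} but is not one of its domains"
    return "unknown", f"{host} matches no tracked vendor"


if __name__ == "__main__":
    for candidate in ("https://www.deepl.com/app", "https://deep1.com/download",
                      "https://te1egram.org/dl", "https://signal-download.github.io/"):
        print(candidate, "->", classify_download_url(candidate))
```

Note that a brand name on a shared hosting domain such as github.io is classified as "lookalike" rather than "unknown": the registrable domain belongs to the hosting provider, not the vendor, which is exactly the pattern the Zscaler campaign used with GitHub Pages.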
kkRAT’s code is similar to that of Gh0st RAT and Big Bad Wolf, Zscaler explained: “kkRAT employs a network communication protocol similar to Ghost RAT, with an added encryption layer after data compression. The RAT’s features include clipboard manipulation to replace cryptocurrency addresses and the deployment of remote monitoring tools (i.e. Sunlogin, GotoHTTP).”
It is also capable of terminating antivirus software before carrying out any malicious activity, so that its presence goes unnoticed. Among the AV products it targets are the 360 Internet Security suite, 360 Total Security, the HeroBravo System Diagnostics suite, and others.
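kkRAT's clipboard manipulation is a classic "clipper": the victim copies a wallet address, the malware silently replaces it with the attacker's, and the victim pastes the wrong one. One host-side heuristic is that the swap happens far faster than a human would re-copy a different address. The following is an added example, not code from the article, Zscaler or kkRAT. The clipboard snapshots are constructed, the two-second window is an assumed threshold, and address classification is format-only regex matching, not checksum validation.

```python
"""Detect clipboard address-swapping ("clipper") behaviour from snapshots.

Added example (not code from the article, Zscaler or kkRAT). Snapshots are
constructed; a real monitor would poll the OS clipboard and call observe().
"""
import re
from typing import Optional

# Format-only checks (no checksum validation), enough to classify a copied string.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


class ClipperDetector:
    """Alert when a copied address is replaced by a *different* address of the
    same family within `window_s` seconds. A human re-copying another address
    takes longer; a clipper swaps it almost immediately (assumed threshold).
    """

    def __init__(self, window_s: float = 2.0):
        self.window_s = window_s
        self._last_text: Optional[str] = None
        self._last_time: float = 0.0
        self.alerts: list = []

    def observe(self, text: str, ts: float) -> Optional[dict]:
        """Feed one clipboard snapshot (content, timestamp in seconds)."""
        alert = None
        prev_type = address_type(self._last_text) if self._last_text is not None else None
        cur_type = address_type(text)
        if (
            prev_type is not None
            and cur_type == prev_type
            and text.strip() != self._last_text.strip()
            and ts - self._last_time <= self.window_s
        ):
            alert = {
                "time": ts,
                "family": cur_type,
                "original": self._last_text.strip(),
                "replacement": text.strip(),
            }
            self.alerts.append(alert)
        self._last_text, self._last_time = text, ts
        return alert


# Constructed addresses (syntactically valid, not real wallets).
USER_BTC = "1DemoAddrUserPaysHere9xKq7nRt2vZsM"
SWAPPED_BTC = "1AttackerSwapsThisAddr5tUvWxY8zKqP"
USER_ETH = "0x1234567890abcdef1234567890abcdef12345678"
OTHER_ETH = "0xabcdef0123456789abcdef0123456789abcdef01"

# Constructed clipboard timeline: (seconds, content).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (5.0, USER_BTC),      # victim copies the address they mean to pay
    (5.3, SWAPPED_BTC),   # clipper replaces it 300 ms later
    (40.0, USER_ETH),     # victim copies an ETH address
    (120.0, OTHER_ETH),   # 80 s later the victim copies a different one: legitimate
    (121.0, "some text"),
]


def run_sample() -> list:
    """Replay the constructed timeline and return the alerts it produces."""
    detector = ClipperDetector()
    for ts, text in SAMPLE_SNAPSHOTS:
        detector.observe(text, ts)
    return detector.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['time']:.1f}s] {a['family']} swap: {a['original']} -> {a['replacement']}")
```

The same-family requirement matters: a user copying an ETH address right after a BTC one is normal, whereas a BTC address turning into a different BTC address within a fraction of a second is the clipper signature. The window should be tuned against the polling interval of whatever clipboard monitor feeds the detector.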
Unlike the campaign Fortinet found, this one hosts its phishing pages on GitHub Pages, trading on the trust the platform enjoys with developers to distribute the trojans. The GitHub account used in the campaign has since been terminated.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.