SEO Poisoning Attack Abuses Microsoft Signed Binary for RMM Tool Installation

An SEO poisoning campaign has been discovered impersonating the legitimate open source data recovery tool TestDisk. It silently installs the ScreenConnect remote monitoring and management client to gain command execution, file transfer and lateral movement in the network.

Pulse ID: 69e4d8e980b032626e88ccd8
Pulse Link: https://otx.alienvault.com/pulse/69e4d8e980b032626e88ccd8
Pulse Author: cryptocti
Created: 2026-04-19 13:30:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #RCE #SEOPoisoning #ScreenConnect #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Kong RAT: the new SEO poisoning campaign with a NativeAOT .NET 10 dropper targeting Chinese developers

eSentire TRU has documented Kong RAT, a modular implant distributed via counterfeit installers of FinalShell, Xshell, QuickQ and Clash. The six-stage chain relies on a NativeAOT dropper built on .NET 10 (not analyzable with classic CLR tooling), DLL sideloading on rc.exe, PEB masquerading as explorer.exe and shellcode executed via an EnumWindows callback. A clear step up in quality compared to the Gh0st/kkRAT campaigns.

https://insicurezzadigitale.com/kong-rat-la-nuova-campagna-di-seo-poisoning-con-dropper-nativeaot-net-10-che-prende-di-mira-gli-sviluppatori-cinesi/

Payroll pirate attacks targeting Canadian employees

Microsoft Incident Response researchers identified Storm-2755, a financially motivated threat actor conducting payroll pirate attacks against Canadian users. The campaign uses malvertising and SEO poisoning on generic search terms like "Office 365" to lure victims to a fraudulent sign-in page. Through adversary-in-the-middle techniques, the actor captures authentication tokens and session cookies, bypassing MFA protections. Storm-2755 maintains persistence using Axios HTTP client to replay stolen tokens, then conducts discovery for payroll and HR contacts. The actor impersonates compromised users to socially engineer HR staff or directly manipulates payroll systems like Workday. Malicious inbox rules hide correspondence from victims. Attacks resulted in direct financial losses through redirected salary payments to attacker-controlled bank accounts.

Pulse ID: 69d80c2c976a9ec209e19217
Pulse Link: https://otx.alienvault.com/pulse/69d80c2c976a9ec209e19217
Pulse Author: AlienVault
Created: 2026-04-09 20:29:32

#AdversaryInTheMiddle #Bank #Canadian #Cookies #CyberSecurity #HTTP #InfoSec #MFA #Malvertising #Microsoft #OTX #Office #OpenThreatExchange #RAT #SEOPoisoning #Troll #bot #iOS #AlienVault

Stealer Campaign Impacting SLTT macOS Users

MacSync Stealer is a macOS infostealer operating as Malware-as-a-Service (MaaS), distributed through SEO poisoning and fake ClickFix CAPTCHAs. The campaign has evolved through three iterations since November 2025, shifting from fake download sites to malicious ChatGPT conversations and finally to sophisticated shell-based loaders with dynamic AppleScript payloads. Threat actors use Google-sponsored search results to redirect victims to fake CAPTCHA pages that trick users into executing malicious terminal commands. The stealer targets browser credentials, cryptocurrency wallets, SSH keys, cloud provider credentials, and Keychain data. A critical capability includes trojanizing Ledger hardware wallet applications to capture seed phrases. The February 2026 campaign generated over 18,000 clicks in three days, with Russian-language comments suggesting operators work within a Russian-speaking ecosystem. The malware employs API key-gated C2 infrastructure and in-memory execution for evasion.

Pulse ID: 69d7ed2e323d7edb856fa161
Pulse Link: https://otx.alienvault.com/pulse/69d7ed2e323d7edb856fa161
Pulse Author: AlienVault
Created: 2026-04-09 18:17:18

#Browser #CAPTCHA #ChatGPT #Cloud #CyberSecurity #Edge #Google #InfoSec #InfoStealer #MaaS #Mac #MacOS #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Russia #SEOPoisoning #SSH #Trojan #bot #cryptocurrency #AlienVault

Dios mio! While researching a particular type of Colombian folk music, we stumbled across a .edu domain selling... accordions? Our first thought was potentially domain hijacking, but it appears to be more likely an exploitation of CVE-2026-27210 (TLDR; cross-site scripting). While the vulnerability has been patched in the plugin itself, not all pages have updated their plugins, and search engines have already indexed the poisoned pages! Pivoting led to 50+ additional domains found spread across three risky TLDs: .sbs, .pics, and .shop. The domains on .sbs and .pics appear to be config servers to exploit the vulnerability; the domains on .shop are the landing pages where victims can be scammed.

IOCs:

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #seo_poisoning #seopoisoning

"SEO Poisoning - My site has been under attack for a year"

#Référencement #SEO #Korben #Blog #SEOpoisoning ...

https://korben.info/seo-poisoning-temoignage.html

SEO Poisoning - My site has been under attack for a year - Korben

SEO poisoning, ever heard of it? It's when your search ranking gets wrecked because your site ends up associated with casino sites, with ...

Korben's site

BADIIS to the Bone: New Insights to a Global SEO Poisoning Campaign

Pulse ID: 69954283ea362eb76cda3d07
Pulse Link: https://otx.alienvault.com/pulse/69954283ea362eb76cda3d07
Pulse Author: Tr1sa111
Created: 2026-02-18 04:39:31

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #SEOPoisoning #bot #Tr1sa111

Fake Microsoft Teams and Google Meet downloads are being used to spread the #Oyster backdoor malware instead of the real apps via poisoned search results and malicious ads.

Read: https://hackread.com/fake-microsoft-teams-google-meet-download-oyster-backdoor/

#CyberSecurity #Malware #MicrosoftTeams #GoogleMeet #SEOpoisoning #Malvertising

Fake Microsoft Teams and Google Meet Downloads Spread Oyster Backdoor

Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread

Attackers are turning Google results into malware delivery systems, using fake software installers and sponsored ads to plant backdoors inside organizations. In this episode of Cyberside Chats, Sherri Davidoff and Matt Durrin unpack the latest SEO poisoning and malvertising research and share actionable defenses.

From ad blocking to safer browsing habits, learn how to protect your team from the poisoned web. Listen to the podcast: https://www.chatcyberside.com/e/search-results-are-the-new-phish-inside-seo-poisoning-attacks/

Watch the video: https://youtu.be/xKKA1ikoZ-4

#SEOpoisoning #Malvertising #Cybersecurity #Software #Advertising #Phishing #PoisonedWeb

🛡️ Microsoft revokes 200+ fraudulent certificates linked to Vanilla Tempest’s Rhysida ransomware campaign. The attacker used fake Teams installers and SEO-poisoned domains to deploy malware.

💬 How are your organizations defending against trojanized software campaigns? Comment your strategies & follow TechNadu for verified cybersecurity intelligence.

#Rhysida #Ransomware #CyberSecurity #InfoSec #ThreatIntel #Malware #VanillaTempest #OysterBackdoor #SEOpoisoning #TechNadu