Particle.news

SEO-Poisoned Download Sites Deliver HiddenGh0st, Winos and New kkRAT to Chinese-Speaking Windows Users

New analysis shows a staged delivery method that evades defenses to enable persistent surveillance.

Overview

  • Fortinet traced SEO-driven redirects, managed through a nice.js script and JSON chain, that funneled searches for popular tools to lookalike download pages.
  • Trojanized installers bundled legitimate apps with malicious DLLs such as EnumW.dll, which performed anti-analysis checks and established persistence either through TypeLib COM hijacking or through startup shortcuts, depending on whether 360 Total Security was detected.
  • Some phishing pages were hosted on GitHub Pages for credibility; the GitHub account used for distribution has since been removed.
  • The campaigns delivered multiple RATs, including HiddenGh0st, Winos/ValleyRAT and the newly reported kkRAT, which supports cryptocurrency clipboard hijacking, screen capture and deployment of remote monitoring tools such as Sunlogin and GotoHTTP.
  • Researchers observed BYOVD techniques reusing RealBlindingEDR code to terminate processes belonging to Chinese antivirus products, including the 360 suites, Kingsoft, HeroBravo and QQ 电脑管家.