Hackers stuffed malware into fake Signal, WhatsApp, and Chrome apps

Published: 15 September 2025
deepl, whatsapp, signal seo poisoning
Image by Cybernews

Hackers are tricking Google search results, luring users into downloading malicious apps pretending to be Signal, WhatsApp, and Chrome.

A new attack has been identified, preying on unsuspecting users by posing as trusted software providers.

FortiGuard Labs researchers say the threat actors are gaming search algorithms with SEO plugins and registered lookalike domains. Once on the website, the victims are tricked into downloading trojanized installers. Among the exploited platforms are well-known brands, such as:

ADVERTISEMENT
  • Signal
  • WhatsApp
  • Deepl
  • Chrome
  • Telegram
  • Line
  • VPN provider
  • WPS Office

The fraudulent websites deliver several malware families, most notably Hiddengh0st and a new variant of Winos. The attackers bundle malicious components into installer packages that appear to deliver real applications.

Once launched, the installer drops malicious DLLs into hidden directories, gains administrator privileges, and executes functions designed to evade detection.

The malware enables attackers to:

  • Collect detailed system and victim information
  • Enumerate antivirus and security tools
  • Log keystrokes and clipboard data
  • Capture foreground window titles and screen activity
  • Load additional plugins for extended surveillance and control

Plugins delivered by the malware also suggest that the attackers could potentially intercept Telegram communications.

seo poisoning china
Fake websites. Source: FortiGuard Labs

SEO poisoning is a serious danger

ADVERTISEMENT

The campaign contributes to the rise of SEO poisoning, a technique that involves manipulating search engines to push fraudulent sites into the top results. With this attack technique, even vigilant users who stick to seemingly “trusted” search rankings could be caught off guard.

According to the report, the campaign primarily targeted Chinese-speaking users.

“The installers contained both the legitimate application and the malicious payload, making it difficult for users to notice the infection,” wrote FortiGuard Labs researchers.

seo poisoning
Poisoned search results. Source: FortiGuard Labs

“Even highly ranked search results were weaponized in this way, underscoring the importance of carefully inspecting domain names before downloading software.”

Previous research by Cisco Talos has identified several SEO-poisoning campaigns, where attackers used popular AI apps to lure their victims. Multiple ransomware gangs have disguised their malicious software with platforms such as ChatGPT or InVideo.

Another fraud campaign exploited PayPal, Apple, Bank of America, Netflix, and Microsoft. Cybercriminals purchased sponsored ads on Google, pretending to be a major brand. The ads led victims to fake websites, where they were prompted to download malware.

Unlock more exclusive Cybernews content on YouTube

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked