Chinese malware is flooding GitHub pages - HiddenGh0st, Winos and kkRAT hit devs via SEO poisoning


  • Chinese users are being targeted by malware campaigns using spoofed download sites and SEO poisoning
  • kkRAT features advanced capabilities including clipboard hijacking, remote monitoring, and antivirus evasion
  • Attackers exploited GitHub Pages to host phishing sites

Chinese users looking to download popular browsers and communications software are being targeted by different malware variants that grant attackers remote access capabilities. This is according to multiple cybersecurity organizations, including Fortinet FortiGuard Labs and Zscaler ThreatLabz.

The former discovered an SEO poisoning campaign that delivers two Remote Access Trojans (RATs), HiddenGh0st and Winos, both variants of the infamous Gh0st RAT.

In the campaign, the threat actors created spoofed download pages on typosquatted domains for programs such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, and WPS Office.

Copyright of this story solely belongs to techradar.com.