Malware-Laced Signal, Line, and Gmail Apps Compromise System Defenses

Sophisticated cyberattacks have been uncovered involving backdoored installers for popular applications such as Signal, Line, and Gmail.

These malicious campaigns specifically target Chinese-speaking users by leveraging deceptive download pages hosted on non-branded, generic domains.

The attackers manipulate search engine results to lure unsuspecting individuals into downloading malware-laden executables.

Deceptive Infrastructure and Fake Domains

Unlike traditional phishing schemes that mimic official URLs, these campaigns rely on unrelated domain names, such as “ggyxx.wenxinzhineng[.]top” for Gmail and “z1.xiaowu[.]pw” for Signal.

These domains are hosted on a centralized Alibaba server in Hong Kong (IP: 47.243.192[.]62), suggesting a coordinated infrastructure.

The download pages deliver ZIP files containing Windows executables that execute malicious payloads upon installation.

For example, the fake Signal page at “z1.xiaowu[.]pw” offers a file named Sriguoe-i4.zip, while the fraudulent Gmail page prompts users to download Goongeurut.zip.

According to Hunt, these files exhibit consistent behavior patterns upon execution, including temporary file extraction, process injection, and system modifications designed to disable security defenses.

Malware Behavior and System Exploitation

Dynamic analysis of the malware reveals infostealer-like capabilities.

The execution flow begins with the dropped executable spawning temporary files in the user’s AppData directory.

These files initiate further processes, such as svrnezcm.exe, which modifies Windows Defender settings via PowerShell commands to exclude the entire C:\ drive from scanning.

This evasion technique ensures the malware can operate undetected.
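A defender-side check for the Defender tampering described above, added here as an example that is not from the article or from Hunt's research: it scans PowerShell script-block log text for Add-/Set-MpPreference -ExclusionPath arguments, decodes -EncodedCommand bodies, and flags any exclusion that covers a whole drive. The log lines are constructed samples; the svrnezcm.exe name is borrowed from the article only as an illustrative process name.

```python
import base64
import re
# Constructed sample script-block log entries (Event ID 4104 shape); not from the article.
ENCODED_SAMPLE = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\' -Force".encode("utf-16-le")).decode("ascii")
SAMPLE_LOGS = [
    r"Add-MpPreference -ExclusionPath 'C:\' -Force",
    r"Set-MpPreference -ExclusionPath 'C:\Users\Public\updater'",
    "powershell.exe -NoProfile -EncodedCommand " + ENCODED_SAMPLE,
    r"Get-MpPreference | Select-Object ExclusionPath",
    r"Add-MpPreference -ExclusionPath 'D:\', 'C:\Tools' -ExclusionProcess 'svrnezcm.exe'",
]
# -EncodedCommand (and its short forms) carries a base64-encoded UTF-16LE script body.
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# Add-/Set-MpPreference with -ExclusionPath; capture up to the next statement separator.
EXCLUSION_RE = re.compile(r"(?:Add|Set)-MpPreference\b[^;|\n]*?-ExclusionPath\s+([^;|\n]+)", re.I)
# Quoted or bare argument tokens; a comma-separated list yields several tokens.
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|[^\s,]+")
# A bare drive root (C:, C:\ or C:\*) removes an entire volume from scanning.
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?\*?$")

def decode_encoded_command(line):
    """Return the decoded script body if the line uses -EncodedCommand, else the line."""
    m = ENCODED_RE.search(line)
    if not m:
        return line
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return line

def exclusion_paths(line):
    """Extract every path passed to -ExclusionPath, stopping at the next parameter."""
    paths = []
    for m in EXCLUSION_RE.finditer(decode_encoded_command(line)):
        for token in TOKEN_RE.findall(m.group(1)):
            if token.startswith("-"):
                break
            paths.append(token.strip("'\""))
    return paths

def is_drive_root(path):
    return bool(DRIVE_ROOT_RE.match(path.strip()))

def find_suspicious_exclusions(lines):
    """Return (path, line) pairs where a whole drive is excluded from Defender scanning."""
    return [(p, ln) for ln in lines for p in exclusion_paths(ln) if is_drive_root(p)]

if __name__ == "__main__":
    for path, line in find_suspicious_exclusions(SAMPLE_LOGS):
        print(f"ALERT: drive-wide Defender exclusion {path!r} in: {line[:70]}")
```

Script-block logging (Event ID 4104) must be enabled for these lines to exist; the same check can be run over Get-MpPreference output on a host to audit exclusions that are already in place.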

The malware also establishes outbound connections to command-and-control (C2) servers for potential data exfiltration or remote instructions.

For instance, DNS queries resolve to “zhzcm.star1ine[.]com,” while TCP connections are made to “8.210.9[.]4” on port 45.

In addition to Signal, Line, and Gmail, other applications like BitBrowser and even Google Translate have been spoofed in this campaign.

Malicious Google Translate page.

The fake Google Translate page at “sigkiti[.]com” masquerades as a browser-based translation service but prompts users to download an outdated Flash Player update containing malware.

The attackers’ reliance on generic domains rather than impersonating official software vendors indicates a broad targeting strategy aimed at casting a wide net across Chinese-speaking users.

This campaign highlights the importance of verifying software sources before installation.

Users are advised to avoid unofficial download sites and carefully inspect domain names for legitimacy.

Security teams should monitor indicators of compromise (IOCs), such as malicious domains and file hashes, to detect potential infections early.

By exploiting search engine manipulation and distributing backdoored executables through deceptive pages, attackers demonstrate how easily system defenses can be compromised when users unknowingly install malicious software.
