An SEO poisoning campaign has been found spreading Batloader and Atera Agent malware. The targets are professionals looking for productive tools (e.g. Visual Studio, Zoom, and TeamViewer).

What are the SEO tactics?

Attackers leverage SEO techniques to poison search results by ranking fake sites on Google for the most searched keywords. In this case, hackers target Microsoft Visual Studio 2015, Zoom, and TeamViewer, among others.
  • Whenever a visitor clicks on the malicious search results link, they are led to an already compromised site with a Traffic Direction System (TDS). 
  • After redirection, the site displays a fake forum discussion where a user enquires about a specific app and another fake user provides a download link.
  • Clicking the download link creates a packaged malware installer using the name of the wanted application. People fall for it due to the legitimacy of software, as is true in most such cases.

The malware infection

If the downloaded installer is running, two different infection chains drop malware payloads on the system.
  • The first infection chain installs fake software bundled with BATLOADER, Atera Agent, and Ursnif. The second infection drops ATERA Agent without the malware loading stages. 
  • Additionally, the first infection chain used MSHTA to run a genuine Windows DLL (AppResolver) loaded with malicious VBScript to tamper Defender settings and add specific exclusions.

The Conti connection

The researchers claim that some techniques used in the campaigns match with those in the Conti playbooks that got leaked in August 2020 and then replicated by various groups and individuals.


The recent campaign indirectly shows the demand for data for targeting professionals. Moreover, downloading productivity apps from third-party stores and websites is never a good idea. Thus, always use reliable anti-malware solutions and official sources for downloading software or apps.
Cyware Publisher