Cyberattackers are now using a novel attack technique in which they are using Google SEO to deploy malware payloads. This technique takes advantage of human psychology and SEO tricks to improve compromised websites’ ranking in Google search results.

What has been discovered?

  • Recently, researchers observed a new SEO technique in use by Gootloader which is an advanced infection framework for the Gootkit RAT that further delivers other malware payloads.
  • This technique has been used to spread various malware, such as Kronos, Cobalt Strike, and REvil ransomware. 
  • These attacks are mostly observed in countries such as South Korea, Germany, France, and the U.S.

Technical details

  • The attackers formed a vast network of hacked WordPress sites. They were using SEO poisoning to show fake forum posts, along with malicious links on Google forums.
  • In addition, they made changes to the CMS of the compromised websites to show the fake message boards to visitors from specific locations.
  • It is estimated that Gootloader operators control a network of around 400 servers.

Delivery mechanism

  • Researchers could not conclude any particular exploit used to compromise these domains as the CMS could be hijacked by malware, stolen credentials, or brute-force attacks.
  • The campaign was found to be using two legitimate applications: the ImagingDevices.exe (available in Windows) and the Embarcadero External Translation Manager.


Cybercriminals are now using a sophisticated chain of social engineering, along with technical skills, that can easily dupe anyone. Therefore, it is important for end-users to detect such fraud by staying alert while using the internet. In addition, they are recommended to use third-party tools that can alert users about such malicious websites.

Cyware Publisher