#seopoisoning — Public Fediverse posts

AMOS Stealer delivered via Cursor AI agent session

On April 23, 2026, Field Effect MDR identified AMOS Stealer malware delivered through a novel technique exploiting Cursor AI agent sessions running Claude Code. The attack employed social engineering to manipulate operators into prompting the AI agent to download and execute malicious AppleScript loaders. The heavily obfuscated scripts performed sandbox evasion checks, collected sensitive data including credentials, SSH keys, browser data, and cryptocurrency wallets, then exfiltrated compressed archives to remote servers within two minutes. The malware prompted users for local account credentials through fake macOS system dialogs, subsequently using elevated permissions to install persistent implants masquerading as legitimate system services. This delivery mechanism makes detection challenging as malicious commands blend with typical agentic coding behavior, representing an evolution in AMOS Stealer tactics beyond traditional SEO poisoning methods.

Pulse ID: 69ec44ff58f20f2cb01e0a1c
Pulse Link: https://otx.alienvault.com/pulse/69ec44ff58f20f2cb01e0a1c
Pulse Author: AlienVault
Created: 2026-04-25 04:37:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Browser #CyberSecurity #ICS #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #RAT #SEOPoisoning #SSH #SocialEngineering #bot #cryptocurrency #AlienVault

SEO Poisoning Attack Abuses Microsoft Signed Binary for RMM Tool Installation

SEO poisoning campaign has discovered impersonating legitimate open source data recovery tool named TestDisk. It silently installs ScreenConnect remote monitoring and management client to gain command execution, file transfer and lateral movement in the network.

Pulse ID: 69e4d8e980b032626e88ccd8
Pulse Link: https://otx.alienvault.com/pulse/69e4d8e980b032626e88ccd8
Pulse Author: cryptocti
Created: 2026-04-19 13:30:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #RCE #SEOPoisoning #ScreenConnect #bot #cryptocti

SEO Poisoning Attack Abuses Microsoft Signed Binary for RMM Tool Installation

SEO poisoning campaign has discovered impersonating legitimate open source data recovery tool named TestDisk. It silently installs ScreenConnect remote monitoring and management client to gain command execution, file transfer and lateral movement in the network.

Pulse ID: 69e4d8e980b032626e88ccd8
Pulse Link: https://otx.alienvault.com/pulse/69e4d8e980b032626e88ccd8
Pulse Author: cryptocti
Created: 2026-04-19 13:30:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #RCE #SEOPoisoning #ScreenConnect #bot #cryptocti

SEO Poisoning Attack Abuses Microsoft Signed Binary for RMM Tool Installation

SEO poisoning campaign has discovered impersonating legitimate open source data recovery tool named TestDisk. It silently installs ScreenConnect remote monitoring and management client to gain command execution, file transfer and lateral movement in the network.

Pulse ID: 69e4d8e980b032626e88ccd8
Pulse Link: https://otx.alienvault.com/pulse/69e4d8e980b032626e88ccd8
Pulse Author: cryptocti
Created: 2026-04-19 13:30:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #RCE #SEOPoisoning #ScreenConnect #bot #cryptocti

SEO Poisoning Attack Abuses Microsoft Signed Binary for RMM Tool Installation

SEO poisoning campaign has discovered impersonating legitimate open source data recovery tool named TestDisk. It silently installs ScreenConnect remote monitoring and management client to gain command execution, file transfer and lateral movement in the network.

Pulse ID: 69e4d8e980b032626e88ccd8
Pulse Link: https://otx.alienvault.com/pulse/69e4d8e980b032626e88ccd8
Pulse Author: cryptocti
Created: 2026-04-19 13:30:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #RCE #SEOPoisoning #ScreenConnect #bot #cryptocti

SEO Poisoning Attack Abuses Microsoft Signed Binary for RMM Tool Installation

SEO poisoning campaign has discovered impersonating legitimate open source data recovery tool named TestDisk. It silently installs ScreenConnect remote monitoring and management client to gain command execution, file transfer and lateral movement in the network.

Pulse ID: 69e4d8e980b032626e88ccd8
Pulse Link: https://otx.alienvault.com/pulse/69e4d8e980b032626e88ccd8
Pulse Author: cryptocti
Created: 2026-04-19 13:30:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #RCE #SEOPoisoning #ScreenConnect #bot #cryptocti

Kong RAT: la nuova campagna di SEO poisoning con dropper NativeAOT .NET 10 che prende di mira gli sviluppatori cinesi

https://insicurezzadigitale.com/kong-rat-la-nuova-campagna-di-seo-poisoning-con-dropper-nativeaot-net-10-che-prende-di-mira-gli-sviluppatori-cinesi/

Dios mio! While researching a particular type of Colombian folk music, we stumbled across a .edu domain selling... accordions? Our first thought was potentially domain hijacking, but it appears to be more likely an exploitation of CVE-2026-27210 (TLDR; cross-site scripting). While the vulnerability has been patched in the plugin itself, not all pages have updated their plugins, and search engines have already indexed the poisoned pages! Pivoting led to 50+ additional domains found spread across three risky TLDs: .sbs, .pics, and .shop. The domains on .sbs and .pics appear to be config servers to exploit the vulnerability; the domains on .shop are the landing pages where victims can be scammed.

IOCs:
000o[.]sbs,0pen[.]sbs,123buys[.]shop,123me[.]shop,1bg[.]pics,1ki[.]pics,1mage[.]sbs,1ql[.]pics,1ty[.]pics,1vi[.]pics,1wr[.]pics,2ty[.]pics,569oagri[.]shop,66buys[.]shop,6ip[.]pics,6ym[.]pics,7rt[.]pics,8pi[.]pics,99buys[.]shop,99i[.]pics,9gwe[.]shop,a25n[.]shop,bk2[.]pics,bk59t[.]shop,buysok[.]shop,c68k[.]shop,cc1[.]pics,doo[.]pics,ep7[.]pics,estore-1[.]com,g9gvv[.]sbs,gaer896[.]shop,gm5[.]pics,gosok[.]shop,gt3[.]pics,h66p[.]shop,hh6[.]pics,iilvw[.]sbs,im9[.]pics,img1[.]sbs,in6[.]pics,jj3[.]pics,kk9[.]pics,lilil[.]sbs,llvvw[.]sbs,m66p6[.]shop,mebuys[.]shop,mg6[.]pics,mh8f6k[.]shop,mkk[.]pics,ms1[.]pics,nn6[.]pics,onsgs[.]com,p6[.]pics,p888p[.]shop,pan1[.]top,pic1[.]sbs,pic2[.]sbs,pt11[.]sbs,py3y[.]com,qq1[.]pics,rey89p[.]shop,shop56[.]shop,t88t8[.]shop,tp1[.]pics,tp9[.]pics,trues[.]sbs,up9[.]pics,upimg[.]sbs,uu2[.]pics,vt5[.]pics,vteyu[.]shop,vvf1[.]sbs,vvp1[.]sbs,w2w[.]pics,w88p[.]shop,wp59q[.]shop,wvlll[.]sbs,wvv1[.]sbs,wvvvv[.]sbs,x2p[.]pics,xyaer548[.]shop,yi1[.]pics

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #seo_poisoning #seopoisoning

Dios mio! While researching a particular type of Colombian folk music, we stumbled across a .edu domain selling... accordions? Our first thought was potentially domain hijacking, but it appears to be more likely an exploitation of CVE-2026-27210 (TLDR; cross-site scripting). While the vulnerability has been patched in the plugin itself, not all pages have updated their plugins, and search engines have already indexed the poisoned pages! Pivoting led to 50+ additional domains found spread across three risky TLDs: .sbs, .pics, and .shop. The domains on .sbs and .pics appear to be config servers to exploit the vulnerability; the domains on .shop are the landing pages where victims can be scammed.

IOCs:
000o[.]sbs,0pen[.]sbs,123buys[.]shop,123me[.]shop,1bg[.]pics,1ki[.]pics,1mage[.]sbs,1ql[.]pics,1ty[.]pics,1vi[.]pics,1wr[.]pics,2ty[.]pics,569oagri[.]shop,66buys[.]shop,6ip[.]pics,6ym[.]pics,7rt[.]pics,8pi[.]pics,99buys[.]shop,99i[.]pics,9gwe[.]shop,a25n[.]shop,bk2[.]pics,bk59t[.]shop,buysok[.]shop,c68k[.]shop,cc1[.]pics,doo[.]pics,ep7[.]pics,estore-1[.]com,g9gvv[.]sbs,gaer896[.]shop,gm5[.]pics,gosok[.]shop,gt3[.]pics,h66p[.]shop,hh6[.]pics,iilvw[.]sbs,im9[.]pics,img1[.]sbs,in6[.]pics,jj3[.]pics,kk9[.]pics,lilil[.]sbs,llvvw[.]sbs,m66p6[.]shop,mebuys[.]shop,mg6[.]pics,mh8f6k[.]shop,mkk[.]pics,ms1[.]pics,nn6[.]pics,onsgs[.]com,p6[.]pics,p888p[.]shop,pan1[.]top,pic1[.]sbs,pic2[.]sbs,pt11[.]sbs,py3y[.]com,qq1[.]pics,rey89p[.]shop,shop56[.]shop,t88t8[.]shop,tp1[.]pics,tp9[.]pics,trues[.]sbs,up9[.]pics,upimg[.]sbs,uu2[.]pics,vt5[.]pics,vteyu[.]shop,vvf1[.]sbs,vvp1[.]sbs,w2w[.]pics,w88p[.]shop,wp59q[.]shop,wvlll[.]sbs,wvv1[.]sbs,wvvvv[.]sbs,x2p[.]pics,xyaer548[.]shop,yi1[.]pics

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #seo_poisoning #seopoisoning

Dios mio! While researching a particular type of Colombian folk music, we stumbled across a .edu domain selling... accordions? Our first thought was potentially domain hijacking, but it appears to be more likely an exploitation of CVE-2026-27210 (TLDR; cross-site scripting). While the vulnerability has been patched in the plugin itself, not all pages have updated their plugins, and search engines have already indexed the poisoned pages! Pivoting led to 50+ additional domains found spread across three risky TLDs: .sbs, .pics, and .shop. The domains on .sbs and .pics appear to be config servers to exploit the vulnerability; the domains on .shop are the landing pages where victims can be scammed.

IOCs:
000o[.]sbs,0pen[.]sbs,123buys[.]shop,123me[.]shop,1bg[.]pics,1ki[.]pics,1mage[.]sbs,1ql[.]pics,1ty[.]pics,1vi[.]pics,1wr[.]pics,2ty[.]pics,569oagri[.]shop,66buys[.]shop,6ip[.]pics,6ym[.]pics,7rt[.]pics,8pi[.]pics,99buys[.]shop,99i[.]pics,9gwe[.]shop,a25n[.]shop,bk2[.]pics,bk59t[.]shop,buysok[.]shop,c68k[.]shop,cc1[.]pics,doo[.]pics,ep7[.]pics,estore-1[.]com,g9gvv[.]sbs,gaer896[.]shop,gm5[.]pics,gosok[.]shop,gt3[.]pics,h66p[.]shop,hh6[.]pics,iilvw[.]sbs,im9[.]pics,img1[.]sbs,in6[.]pics,jj3[.]pics,kk9[.]pics,lilil[.]sbs,llvvw[.]sbs,m66p6[.]shop,mebuys[.]shop,mg6[.]pics,mh8f6k[.]shop,mkk[.]pics,ms1[.]pics,nn6[.]pics,onsgs[.]com,p6[.]pics,p888p[.]shop,pan1[.]top,pic1[.]sbs,pic2[.]sbs,pt11[.]sbs,py3y[.]com,qq1[.]pics,rey89p[.]shop,shop56[.]shop,t88t8[.]shop,tp1[.]pics,tp9[.]pics,trues[.]sbs,up9[.]pics,upimg[.]sbs,uu2[.]pics,vt5[.]pics,vteyu[.]shop,vvf1[.]sbs,vvp1[.]sbs,w2w[.]pics,w88p[.]shop,wp59q[.]shop,wvlll[.]sbs,wvv1[.]sbs,wvvvv[.]sbs,x2p[.]pics,xyaer548[.]shop,yi1[.]pics

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #seo_poisoning #seopoisoning

Dios mio! While researching a particular type of Colombian folk music, we stumbled across a .edu domain selling... accordions? Our first thought was potentially domain hijacking, but it appears to be more likely an exploitation of CVE-2026-27210 (TLDR; cross-site scripting). While the vulnerability has been patched in the plugin itself, not all pages have updated their plugins, and search engines have already indexed the poisoned pages! Pivoting led to 50+ additional domains found spread across three risky TLDs: .sbs, .pics, and .shop. The domains on .sbs and .pics appear to be config servers to exploit the vulnerability; the domains on .shop are the landing pages where victims can be scammed.

IOCs:
000o[.]sbs,0pen[.]sbs,123buys[.]shop,123me[.]shop,1bg[.]pics,1ki[.]pics,1mage[.]sbs,1ql[.]pics,1ty[.]pics,1vi[.]pics,1wr[.]pics,2ty[.]pics,569oagri[.]shop,66buys[.]shop,6ip[.]pics,6ym[.]pics,7rt[.]pics,8pi[.]pics,99buys[.]shop,99i[.]pics,9gwe[.]shop,a25n[.]shop,bk2[.]pics,bk59t[.]shop,buysok[.]shop,c68k[.]shop,cc1[.]pics,doo[.]pics,ep7[.]pics,estore-1[.]com,g9gvv[.]sbs,gaer896[.]shop,gm5[.]pics,gosok[.]shop,gt3[.]pics,h66p[.]shop,hh6[.]pics,iilvw[.]sbs,im9[.]pics,img1[.]sbs,in6[.]pics,jj3[.]pics,kk9[.]pics,lilil[.]sbs,llvvw[.]sbs,m66p6[.]shop,mebuys[.]shop,mg6[.]pics,mh8f6k[.]shop,mkk[.]pics,ms1[.]pics,nn6[.]pics,onsgs[.]com,p6[.]pics,p888p[.]shop,pan1[.]top,pic1[.]sbs,pic2[.]sbs,pt11[.]sbs,py3y[.]com,qq1[.]pics,rey89p[.]shop,shop56[.]shop,t88t8[.]shop,tp1[.]pics,tp9[.]pics,trues[.]sbs,up9[.]pics,upimg[.]sbs,uu2[.]pics,vt5[.]pics,vteyu[.]shop,vvf1[.]sbs,vvp1[.]sbs,w2w[.]pics,w88p[.]shop,wp59q[.]shop,wvlll[.]sbs,wvv1[.]sbs,wvvvv[.]sbs,x2p[.]pics,xyaer548[.]shop,yi1[.]pics

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #seo_poisoning #seopoisoning

"SEO Poisoning - Mon site se fait attaquer depuis un an"

#Référencement #SEO #Korben #Blog #SEOpoisoning ...

https://korben.info/seo-poisoning-temoignage.html

Fake Microsoft Teams and Google Meet downloads are being used to spread the #Oyster backdoor malware instead of the real apps via poisoned search results and malicious ads.

Read: https://hackread.com/fake-microsoft-teams-google-meet-download-oyster-backdoor/

#CyberSecurity #Malware #MicrosoftTeams #GoogleMeet #SEOpoisoning #Malvertising

Fake Microsoft Teams and Google Meet Downloads Spread Oyster Backdoor https://hackread.com/fake-microsoft-teams-google-meet-download-oyster-backdoor/ #MicrosoftTeams #CleanUpLoader #Cybersecurity #Malvertising #SEOPoisoning #CyberAttack #Broomstick #CyberProof #GoogleMeet #Security #backdoor #security #Malware #Oyster #WinSCP #PuTTY

Account Takeover Scams Surge as FBI Reports Over $262 Million in Losses https://thecyberexpress.com/account-takeover-fraud-sees-sharp-spike/ #InternetCrimeComplaintCenter(IC3) #phishingdomainsandwebsites #AccountTakeover(ATO)fraud #MultifactorAuthentication #TheCyberExpressNews #socialengineering #phishingwebsites #AccountTakeover #BlackFridaySale #TheCyberExpress #FirewallDaily #SEOpoisoning #Governance #CyberNews #ATOFraud #FBI

Account Takeover Scams Surge as FBI Reports Over $262 Million in Losses https://thecyberexpress.com/account-takeover-fraud-sees-sharp-spike/ #InternetCrimeComplaintCenter(IC3) #phishingdomainsandwebsites #AccountTakeover(ATO)fraud #MultifactorAuthentication #TheCyberExpressNews #socialengineering #phishingwebsites #AccountTakeover #BlackFridaySale #TheCyberExpress #FirewallDaily #SEOpoisoning #Governance #CyberNews #ATOFraud #FBI

Account Takeover Scams Surge as FBI Reports Over $262 Million in Losses https://thecyberexpress.com/account-takeover-fraud-sees-sharp-spike/ #InternetCrimeComplaintCenter(IC3) #phishingdomainsandwebsites #AccountTakeover(ATO)fraud #MultifactorAuthentication #TheCyberExpressNews #socialengineering #phishingwebsites #AccountTakeover #BlackFridaySale #TheCyberExpress #FirewallDaily #SEOpoisoning #Governance #CyberNews #ATOFraud #FBI

Account Takeover Scams Surge as FBI Reports Over $262 Million in Losses https://thecyberexpress.com/account-takeover-fraud-sees-sharp-spike/ #InternetCrimeComplaintCenter(IC3) #phishingdomainsandwebsites #AccountTakeover(ATO)fraud #MultifactorAuthentication #TheCyberExpressNews #socialengineering #phishingwebsites #AccountTakeover #BlackFridaySale #TheCyberExpress #FirewallDaily #SEOpoisoning #Governance #CyberNews #ATOFraud #FBI

SEO Poisoning Attack Hits Windows Users With Hiddengh0st and Winos Malware https://hackread.com/seo-poisoning-attack-windows-hiddengh0st-winos-malware/ #ScamsandFraud #Cybersecurity #SEOPoisoning #CyberAttack #Hiddengh0st #Security #Malware #China #Fraud #Winos #Scam

SEO Poisoning Attack Hits Windows Users With Hiddengh0st and Winos Malware https://hackread.com/seo-poisoning-attack-windows-hiddengh0st-winos-malware/ #ScamsandFraud #Cybersecurity #SEOPoisoning #CyberAttack #Hiddengh0st #Security #Malware #China #Fraud #Winos #Scam

SEO Poisoning Attack Hits Windows Users With Hiddengh0st and Winos Malware https://hackread.com/seo-poisoning-attack-windows-hiddengh0st-winos-malware/ #ScamsandFraud #Cybersecurity #SEOPoisoning #CyberAttack #Hiddengh0st #Security #Malware #China #Fraud #Winos #Scam

SEO Poisoning Attack Hits Windows Users With Hiddengh0st and Winos Malware https://hackread.com/seo-poisoning-attack-windows-hiddengh0st-winos-malware/ #ScamsandFraud #Cybersecurity #SEOPoisoning #CyberAttack #Hiddengh0st #Security #Malware #China #Fraud #Winos #Scam

🚨 SEO poisoning alert! Watch what you download as #Windows users are being targeted with fake search results that lead to installers containing Hiddengh0st and Winos malware

Read: https://hackread.com/seo-poisoning-attack-windows-hiddengh0st-winos-malware/

#Cybersecurity #Malware #Hiddengh0st #Winos #SEOpoisoning

🚨 SEO poisoning alert! Watch what you download as #Windows users are being targeted with fake search results that lead to installers containing Hiddengh0st and Winos malware

Read: https://hackread.com/seo-poisoning-attack-windows-hiddengh0st-winos-malware/

#Cybersecurity #Malware #Hiddengh0st #Winos #SEOpoisoning

🚨 SEO poisoning alert! Watch what you download as #Windows users are being targeted with fake search results that lead to installers containing Hiddengh0st and Winos malware

Read: https://hackread.com/seo-poisoning-attack-windows-hiddengh0st-winos-malware/

#Cybersecurity #Malware #Hiddengh0st #Winos #SEOpoisoning

🚨 SEO poisoning alert! Watch what you download as #Windows users are being targeted with fake search results that lead to installers containing Hiddengh0st and Winos malware

Read: https://hackread.com/seo-poisoning-attack-windows-hiddengh0st-winos-malware/

#Cybersecurity #Malware #Hiddengh0st #Winos #SEOpoisoning

🚨 SEO poisoning alert! Watch what you download as #Windows users are being targeted with fake search results that lead to installers containing Hiddengh0st and Winos malware

Read: https://hackread.com/seo-poisoning-attack-windows-hiddengh0st-winos-malware/

#Cybersecurity #Malware #Hiddengh0st #Winos #SEOpoisoning

Over 350 High-Profile Websites Hit by 360XSS Attack https://hackread.com/over-350-high-profile-websites-hit-by-360xss-attack/ #Cybersecurity #Vulnerability #CyberAttacks #SEOPoisoning #CyberAttack #Security #360XSS #Krpano #XSS

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores https://gbhackers.com/seo-poisoning-fake-sites/ #FakeEcommerceSites #CyberSecurityNews #SEOPoisoning #BlackhatSEO #CyberCrime #Malware

Are You Googling This? You Could Be Walking Into a Cyber Trap https://thecyberexpress.com/seo-poisoning-australia/ #AreBengalCatslegalinAustralia #SEOPoisoningAttacks #TheCyberExpressNews #TheCyberExpress #FirewallDaily #MarketReports #GoogleSearch #SEOpoisoning #MalwareNews #HackerNews #GootLoader #CyberNews #Australia #Sophos

Fake GlobalProtect VPN Downloads Used to Spread WikiLoader Malware https://hackread.com/fake-globalprotect-vpn-downloads-wikiloader-malware/ #Cybersecurity #GlobalProtect #SEOPoisoning #CyberAttack #WailingCrab #WikiLoader #Security #Malware #Scam #SEO #VPN

SEO Poisoning to Domain Control: The Gootloader Saga Continues

In February 2023, a user downloaded and executed a file from a SEO-poisoned search result, leading to a Gootloader infection. Around nine hours later, Gootloader facilitated Cobalt Strike deployment into the registry and memory. The threat actor used SystemBC to tunnel RDP access, compromising domain controllers, backup servers, and other key servers. The threat actor interactively reviewed sensitive files via RDP, but no data exfiltration was confirmed.

Pulse ID: 65dc5f0cd3b2b09478de2ba2
Pulse Link: https://otx.alienvault.com/pulse/65dc5f0cd3b2b09478de2ba2
Pulse Author: AlienVault
Created: 2024-02-26 09:51:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#OTX #OpenThreatExchange #InfoSec #bot #CyberSecurity #RDP #RAT #CobaltStrike #SeoPoisoning #GootLoader #DomainController #Troll #AlienVault

newest #solarmarker infostealer malware:

https://www.virustotal.com/gui/file/250fe7be536bb8674dd7e0e7c4de2ca1e3311ed657181d950dda6590a3bded51/details

#SEOPoisoning -> Fake Sites -> download via diggiski[.]com