
SEO Poisoning set to develop as a trend in 2023

Search Engine Optimisation (SEO) Poisoning is growing in popularity as a technique, with an unusually large number of malicious campaigns observed recently.

SEO poisoning is an attack vector whereby threat actors manipulate SEO rankings to deliver malicious payloads.

In an SEO Poisoning technique known as Malvertising, actors manipulate search engine rankings by purchasing legitimate sponsored advertisements so that their website appears at the top of search results.

Techniques such as malvertising are becoming increasingly common as traditional techniques such as malicious Microsoft Office macros are no longer proving as successful.

Whilst SEO Poisoning is a long-standing cyber threat, multiple campaigns masquerading as legitimate software such as VLC Media Player, 7-Zip, WinRAR, CCleaner, and Notepad++ have been observed in recent times.

Palo Alto's Unit 42 threat intelligence team have observed 7-Zip malvertising through Google adverts to deliver the Redline (information) Stealer and the Gozi banking trojan - indicating that the actors are likely financially motivated.

Information stealers provide the threat actor with information such as banking/cryptocurrency credentials, browser cookies, session tokens, and more.

This information can then be used to conduct further attacks or sold on illicit marketplaces to other threat actors.

Malvertising for CCleaner has also been observed distributing the Redline Stealer. The malware can be bought on cybercriminal forums on a standalone or subscription basis to accommodate all budgets, offering typical infostealer capabilities alongside the ability to steal cryptocurrency, upload and download files, and even execute commands.

In their malvertising exposé, HP's Wolf Security team shared observations around campaigns that have been active since late Q4 2022, mimicking software such as Audacity, Blender and GIMP.

HP also shared insights into IcedID and infostealers such as Vidar Stealer, Rhadamanthys Stealer, and BatLoader, all of which are being used in malvertising campaigns.

Organisations should be aware that increased activity surrounding malvertising campaigns is currently ongoing and may continue to develop as a trend in 2023.

When using search engines such as Google, personnel should also be cautious of the web domain they are visiting and aware of how to spot typosquatting and impersonation attempts.

Additionally, software should only be downloaded from official channels such as an organisation portal or vendor stores like the Microsoft Windows Store where possible.
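The advice above to check the domain being visited and to download only from official channels can be turned into a simple check. The Python below is an added example and is not code from the EMCRC post or from any of the vendors named in it: it keeps an assumed allowlist of official download domains for the products mentioned, then flags hosts seen in web proxy logs that are a small edit away from, or embed the brand of, one of those domains. The allowlist, the digit-for-letter folding table, the `host=` log format and the log lines themselves are all constructed for illustration; the registrable-domain helper deliberately ignores multi-part public suffixes such as `co.uk`.

```python
"""
Lookalike-domain check for software download hosts.

Added example, not code from the EMCRC post. The vendor allowlist, the
folding table and the proxy log lines are constructed for illustration;
the allowlist is an assumption, not an authoritative source.
"""
from __future__ import annotations

import unicodedata

# Assumed allowlist of official download hosts for the products named in the post.
OFFICIAL_DOMAINS = {
    "videolan.org": "VLC Media Player",
    "7-zip.org": "7-Zip",
    "win-rar.com": "WinRAR",
    "ccleaner.com": "CCleaner",
    "notepad-plus-plus.org": "Notepad++",
}

# Digit-for-letter substitutions commonly used in typosquats (constructed table).
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplification (assumption): ignores
    multi-part public suffixes such as co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(host: str) -> tuple[str, str | None]:
    """Return (verdict, matched_official_domain).

    'official'  - the host is an allowlisted domain or a subdomain of one
    'lookalike' - after folding, the registrable domain is within two edits
                  of an allowlisted domain, or embeds its brand label
    'unknown'   - no relation to the allowlist
    """
    host = unicodedata.normalize("NFKC", host.strip().lower()).rstrip(".")
    for official in OFFICIAL_DOMAINS:
        if host == official or host.endswith("." + official):
            return "official", official
    reg = registrable_domain(host.translate(_FOLD))
    for official in OFFICIAL_DOMAINS:
        if levenshtein(reg, official) <= 2:
            return "lookalike", official
        brand = official.split(".")[0].replace("-", "")
        if brand in reg.replace("-", ""):
            return "lookalike", official
    return "unknown", None


def scan_proxy_log(lines: list[str]) -> list[tuple[str, str, str | None]]:
    """Return (host, verdict, matched) for every log line carrying a host= field."""
    results = []
    for line in lines:
        for field in line.split():
            if field.startswith("host="):
                host = field[len("host="):]
                verdict, matched = classify(host)
                results.append((host, verdict, matched))
    return results


# Constructed proxy log lines for a local run; not real traffic.
SAMPLE_LOG = [
    "2023-01-12T09:14:03Z user=alice host=download.videolan.org",
    "2023-01-12T09:15:40Z user=bob host=7zip.org",
    "2023-01-12T09:16:11Z user=carol host=winrar-download.com",
    "2023-01-12T09:17:55Z user=dave host=n0tepad-plus-plus.org",
    "2023-01-12T09:18:30Z user=erin host=example.com",
]

if __name__ == "__main__":
    for host, verdict, matched in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:9} {host:28} {matched or ''}")
```

The check is intentionally conservative: anything that folds to an allowlisted domain but did not match it exactly is reported as a lookalike rather than silently accepted, and an unrelated host is left as unknown for a human to decide on. A real deployment would replace the constructed allowlist with one maintained alongside the organisation's approved-software list.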



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
