On October 8, 2022, researchers from AVANS, the security team under Changsha Zhongge Innovation Technology Co., Ltd., discovered that a malware named "Leidian SEO" is currently spreading across the internet. Its distribution channels include, but are not limited to, web forums and other means. The malware targets SEO administrators of major corporate websites with the aim of gaining control over the victim's computer, thereby stealing the website administrator's access.
Once executed, the program silently performs the following operations:
It requests http://85.xx.xx.155/84NIs2/Plugins/cred64.dll to download a DLL used for DLL hijacking.
(Screenshot not reproduced here: it shows the background scheduled task that executes the backdoor program rower.exe every minute to maintain control over the victim's machine.)
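Persistence through a task that re-runs every minute is easy to spot once scheduled tasks are exported. The following detection script is an added example, not part of the original AVANS report: it reads a constructed, simplified CSV modelled on a `schtasks /query /fo CSV /v` export and flags tasks that repeat at a high frequency or launch from a user-writable directory. The task names, the install path under AppData and the threshold of 300 seconds are assumptions; only the binary name rower.exe comes from the report.

```python
import csv
import io
import re

# Constructed sample (column subset only; a real schtasks export carries more columns).
SAMPLE_TASKS = r"""TaskName,Task To Run,Schedule Type,Repeat: Every,Run As User
\Microsoft\Windows\Defrag\ScheduledDefrag,%windir%\system32\defrag.exe -c,Weekly,N/A,SYSTEM
\Updater,C:\Users\seo\AppData\Roaming\rower.exe,One Time Only,0:01:00,seo
\Backup,C:\Program Files\Backup\backup.exe --daily,Daily,N/A,SYSTEM
\Sync,C:\ProgramData\sync\sync.exe,Daily,0:01:00,SYSTEM
"""

# Directories an unprivileged user can normally write to (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|Temp)\\", re.IGNORECASE)


def parse_repeat(value):
    """Convert an 'H:MM:SS' repeat interval to seconds; None when the task does not repeat."""
    if not value or value.strip().upper() in ("N/A", "DISABLED"):
        return None
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def find_suspicious_tasks(csv_text, max_interval=300):
    """Return (task name, command, reasons) for tasks that repeat at most every
    max_interval seconds and/or run a binary from a user-writable path."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        interval = parse_repeat(row["Repeat: Every"])
        command = row["Task To Run"]
        reasons = []
        if interval is not None and interval <= max_interval:
            reasons.append(f"repeats every {interval}s")
        if USER_WRITABLE.search(command):
            reasons.append("runs from user-writable path")
        if reasons:
            findings.append((row["TaskName"], command, reasons))
    return findings


if __name__ == "__main__":
    for name, command, reasons in find_suspicious_tasks(SAMPLE_TASKS):
        print(f"{name}: {command} ({'; '.join(reasons)})")
```

On a live host, replace the constructed sample with the output of `schtasks /query /fo CSV /v`, keeping in mind that the real export has additional columns and a header line per task group.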
(Screenshot not reproduced here: it shows the profile of the attacker's server IP; data sourced from the ThreatBook Intelligence Community.)
Additionally, based on traceable information, it was found that the attacker's server also hosts a DDoS control system (screenshot not reproduced here).
Moreover, a black-market SEO website associated with this malware has been identified (screenshot not reproduced here).
Malware Distribution Channels:
The AVANS researchers have disclosed this malware on relevant online forums.
AVANS TEAM is the security team under Zhongge Innovation Technology, founded in 2022. As an emerging team in the cybersecurity industry, it is dedicated to promoting information security, exposing cybercrime, supporting enterprise information security, and identifying internet security vulnerabilities.