{
	"id": "33db367f-4bd4-4cd8-b0df-a8b45f98e104",
	"created_at": "2026-04-06T00:13:16.021903Z",
	"updated_at": "2026-04-10T03:23:52.255942Z",
	"deleted_at": null,
	"sha1_hash": "0aa8d58854cb8639ca06443b21781f25872e26f4",
	"title": "SEO Poisoning: Risks, Solutions \u0026 Indicators of Compromise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7073284,
	"plain_text": "SEO Poisoning: Risks, Solutions \u0026 Indicators of Compromise\r\nBy Tom Hegel\r\nPublished: 2023-01-19 · Archived: 2026-04-05 14:21:28 UTC\r\nIn recent weeks there has been a noticeable increase in malicious search engine advertisements found in the wild – an attack method known as SEO Poisoning, which can be considered a type of malvertising (malicious advertising). Industry colleagues have also observed this activity, as noted by vx-underground this week. There is an increasing variety in the specifics of the malware delivery method, such as which searches produce the malicious advertisements and which malware is being delivered.\r\nIn the vast majority of these cases, attackers aim to opportunistically infect unsuspecting users with commodity malware, as we will examine below. However, it is important to note that attackers have used this technique in a variety of ways for years. One noteworthy example is the early 2022 report of BATLOADER and Atera Agent being delivered in such ways. 
Ultimately, the attackers are most successful in these scenarios when they SEO poison the results of popular downloads associated with organizations that do not have extensive internal brand protection resources.\r\nIn this post, we will examine an ongoing SEO Poisoning campaign related to Blender 3D, the open-source 3D graphics software, as an example of how these attacks are used to infect users via web searches.\r\nBlender 3D SEO Poisoning\r\nMimicking the actions of an unsuspecting user, we performed a routine Google search for “Blender 3D” and examined the Ad results presented at the top.\r\nhttps://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results/\r\nPage 1 of 8\n\nNotably, the malicious ads being delivered by this search quickly shift, highlighting how the attackers are likely automating these efforts at scale, including both the SEO poisoning and the creation of the malicious domains they lead to. See screenshots others have collected for examples of how these are not single malicious domains but rather a continuous flow of new activity after cleanup.\r\nOn January 18th we can see three malicious Blender 3D ads before the legitimate Blender.org domain is listed.\r\nJanuary 18th 2023 SEO Poisoning Results for Blender 3D\r\nThe above three malicious ads link to:\r\nblender-s.org\r\nblendersa.org\r\nblender3dorg.fras6899.odns.fr\r\nThe top result, blender-s.org, is a near-exact copy of the legitimate Blender domain.\r\nMalicious blender-s Website\r\nLegitimate blender Website\r\nThe malicious blender-s site contains a download link for “Blender 3.4”; however, the download is delivered through a Dropbox URL rather 
than blender.org, and delivers a blender.zip file.\r\nhttps://www.dropbox[.]com/s/pndxrpk8zmwjp3w/blender.zip\r\nExamining the Dropbox share details, we can see the following uploader properties:\r\nSize: 1.91 MB\r\nModified: 1/16/2023, 5:00 AM\r\nType: Archive\r\nUploaded by: rays-who rays-who\r\nDate uploaded: 1/16/2023, 5:00 AM\r\nIn this case, the ZIP file SHA1 hash is 43058fc2e4dfa2d8a9108da51186e35b7d49f0c6, and it contains a blender.exe file (ffdc43c67773ba9d36a309074e414316667ef368).\r\nThe Blender.exe file is signed by an invalid certificate belonging to AVG Technologies USA, LLC. This same certificate has a long history of illicit crimeware use, including by Raccoon Stealer.\r\nName: AVG Technologies USA, LLC\r\nThumbprint: 95AB6BCA9A015D877B443E71CB09C0ED0B5DE811\r\nSerial Number: 0E 31 E4 8D 08 06 5B 09 8F 84 E7 C5 10 33 60 74\r\nThe delivered sample is recognized by multiple vendor engines, including the SentinelOne agent, as malware. We’ll release additional details on this specific malware family at a later time.\r\nVirusTotal vendor detections for malicious blender.exe sample\r\nExamination of the malicious link to blendersa.org reveals that the site is nearly identical to the previous example, and it also provides a download link to a Dropbox URL.\r\nMalicious blendersa Website\r\nThe Dropbox link in this case is\r\nhttps://www.dropbox[.]com/s/fxcv1rp1fwla8b7/blender.zip\r\nand the uploader properties follow a similar pattern to the blender-s example.\r\nSize: 1.91 MB\r\nModified: 1/16/2023, 5:07 AM\r\nType: Archive\r\nUploaded by: support-duck support-duck\r\nDate uploaded: 1/16/2023, 5:07 AM\r\nThe files associated with this version are:\r\nBlender.zip – SHA1: f8caaca7c16a080bb2bb9b3d850d376d7979f0ec\r\nBlender.exe – SHA1: 069588ff741cc1cbb50e98f66a4bf9b4c514b957\r\nThe actors behind these two sites 
are also responsible for dozens of others themed around popular software such as Photoshop, specific financial trading tools, and remote access software. The actor’s own infrastructure was hidden behind CloudFlare, who thankfully were quick to confirm and respond by flagging the sites as malicious after we reported the service abuse. Any new visitors moving forward will receive the following warning:\r\nSite Updated with CloudFlare Phishing Warning\r\nThe final malicious Blender 3D ad is for blender3dorg.fras6899.odns.fr, which happens to use a variety of delivery methods. For example, the download link may use a Discord URL rather than a Dropbox one.\r\nMalicious blender3dorg Website\r\nThe specific Discord link for this example is\r\nhttps://cdn.discordapp[.]com/attachments/1001563139575390241/1064932247175700581/blender-3.4.1-window\r\nThis ultimately delivers blender-3.4.1-windows-x64.zip (f00c1ded3d8b42937665da3253bac17b8f5dc2d3), which is a directory containing a malicious ISO file.\r\nThe use of malicious ISO files is not new – as many have reported over the last year.\r\nBlender-3.4.1-windows-x64.iso (53b7bbde90c22e2a7965cb548158f10ab2ffbb24) is roughly 800 MB in size, and contains a blender-3.4.1-windows-x64.exe and a large collection of suspicious XML files.\r\nConclusion\r\nSEO poisoning leading to malicious advertisements is the rising star in today’s crimeware malware delivery methods. The examples above are just a few of many that can easily be found by researchers or stumbled upon by users with common and legitimate search queries. 
Attackers are finding a large amount of success in such attack methods, and we can expect to see this method evolving to conceal effort even further.\r\nDescription | IOC\r\nMalicious Domain | blender-s.org\r\nMalware Download Location | www.dropbox[.]com/s/pndxrpk8zmwjp3w/blender.zip\r\nblender.zip | 43058fc2e4dfa2d8a9108da51186e35b7d49f0c6\r\nBlender.exe | ffdc43c67773ba9d36a309074e414316667ef368\r\nC2 | 74.119.194.167\r\nMalicious Domain | blendersa.org\r\nMalware Download Location | www.dropbox[.]com/s/fxcv1rp1fwla8b7/blender.zip\r\nBlender.exe | 069588ff741cc1cbb50e98f66a4bf9b4c514b957\r\nblender.zip | f8caaca7c16a080bb2bb9b3d850d376d7979f0ec\r\nMalicious Domain | blender3dorg.fras6899.odns.fr\r\nMalware Download Location | cdn.discordapp[.]com/attachments/1001563139575390241/1064932247175700581/blender-3.4.1-windows-x64.zip\r\nZIP | f00c1ded3d8b42937665da3253bac17b8f5dc2d3\r\nISO | 53b7bbde90c22e2a7965cb548158f10ab2ffbb24\r\nSource: https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results/"
	],
	"report_names": [
		"breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0aa8d58854cb8639ca06443b21781f25872e26f4.pdf",
		"text": "https://archive.orkl.eu/0aa8d58854cb8639ca06443b21781f25872e26f4.txt",
		"img": "https://archive.orkl.eu/0aa8d58854cb8639ca06443b21781f25872e26f4.jpg"
	}
}