{
	"id": "9764edb8-8988-47e3-b29f-d328bfa1ca20",
	"created_at": "2026-04-06T00:10:52.597178Z",
	"updated_at": "2026-04-10T03:23:51.442011Z",
	"deleted_at": null,
	"sha1_hash": "490f4a4cd9ad2b9544858235de91e2141e7d63cf",
	"title": "Lost in Translation: Threat Actors Use SEO Poisoning and Fake DeepL Sites to Distribute Gh0st RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1053032,
	"plain_text": "Lost in Translation: Threat Actors Use SEO Poisoning and Fake DeepL Sites to Distribute Gh0st RAT\r\nBy Defentive\r\nPublished: 2025-08-25 · Archived: 2026-04-05 17:54:57 UTC\r\nExecutive Summary\r\nThe Defentive Threat Research team has uncovered an ongoing malware campaign deploying Gh0st RAT through SEO poisoning and fake DeepL websites. This campaign primarily targets Chinese-speaking users, luring them into downloading malicious software disguised as the trusted DeepL translation tool. The downloaded payload is a remote access trojan known as Gh0st RAT, which enables attackers to surveil, control, and exfiltrate data from infected machines.\r\nThe campaign relies on manipulating search engine algorithms to push malicious domains to the top of search results. Once installed, Gh0st RAT establishes persistence and communicates with command-and-control (C2) servers, enabling long-term unauthorized access.\r\nhttps://defentive.medium.com/lost-in-translation-threat-actors-use-seo-poisoning-and-fake-deepl-sites-to-distribute-gh0st-rat-4e827539601d\r\nPage 1 of 8\r\nCampaign Overview\r\nGh0st RAT is a longstanding and widely used remote access trojan known for its stealth and control capabilities. Initially associated with espionage campaigns, it continues to be a preferred tool for threat actors targeting governments, businesses, and individuals.\r\nThis recent campaign showcases how SEO poisoning, a tactic where attackers manipulate search engine rankings, is being effectively used to deceive users seeking legitimate software. By creating convincing DeepL clones, attackers are able to trick users into infecting their own systems.\r\nThe campaign is currently active and primarily targets Chinese-speaking users. Threat actors are leveraging fake DeepL translation software websites as the lure, presenting them as legitimate download sources. These malicious sites are being promoted through SEO poisoning techniques, with a notable concentration of poisoned links appearing in Bing search results.\r\nWhen users click on these links, they are led to archive files that conceal executable payloads. Once executed, these payloads install Gh0st RAT, enabling attackers to perform surveillance, steal sensitive data, and maintain remote control over the victim’s system.\r\nTechnical Analysis\r\nWhen a victim searches for keywords related to DeepL translation software in Chinese, they are often presented with poisoned search results prominently placed on page one of search engines — particularly Bing and Baidu, which are heavily used in the region. These top-ranked links lead unsuspecting users to fake DeepL download pages designed to impersonate the official DeepL Translator website (https://www.deepl.com/).\r\nExample 1 — SEO Poisoned Website\r\nExample 2 — SEO Poisoned Website\r\nOur research team at Defentive successfully replicated this attack scenario, and the following section includes real-time screenshots and analysis of the malicious flow. The impersonated website closely mimics DeepL’s branding and layout, featuring deceptive headers in Chinese such as: “Experience DeepL Translator for Windows on the official DeepL website.”\r\nWebsite 1 — app-deepl[.]com\r\nWebsite 2 — deepl-fanyi[.]com\r\nWebsite 3 — fanyi-deepl[.]com\r\nOnce the victim clicks on the “Download DeepL” button, they are served a ZIP archive hosted on a suspicious domain controlled by the threat actor:\r\nhttps[:]//3efa80a98d7746af5da5f4a366db1782[.]linkgodrive[.]icu/DeepLSetup[.]zip\r\nZIP Download\r\nThe ZIP file — DeepLSetup.zip — contains a Microsoft Installer (MSI) file with the naming pattern:\r\nDeepLSetup-{RandomDigits}.msi\r\nFake DeepL Setup Installer (MSI)\r\nUpon execution, the installer presents a legitimate-looking setup interface to create a false sense of authenticity, while silently deploying the Gh0st RAT malware in the background. This deceptive behavior enables the attacker to establish remote access to the victim’s system without raising suspicion.\r\nDuring installation, the MSI drops a malicious executable — the actual Gh0st RAT payload — at the following location:\r\nC:\\\\ProgramData\\\\S2ElrV\\\\mitey[.]exe\r\nThe Defentive research team confirmed this activity by capturing the following command-line execution, which initiates the malware under elevated privileges:\r\n\"C:\\\\WINDOWS\\\\Installer\\\\MSI3805[.]tmp\" /EnforcedRunAsAdmin /DontWait \"C:\\\\ProgramData\\\\S2ElrV\\\\mitey\r\nPersistence Mechanism\r\nTo maintain persistence on the compromised host, the malware modifies the Windows registry autorun key to execute the malicious binary at system startup:\r\nRegistry Key: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nName: MyApplication\r\nValue: C:\\ProgramData\\S2ElrV\\mitey[.]exe\r\nAdditionally, this variant drops a Windows Batch Script (bat) at the following path:\r\nC:\\\\Users\\\\admin\\\\AppData\\\\Roaming\\\\5373631A[.]bat\r\nThe script continuously monitors the system for the presence of mitey[.]exe. If the process is not found, the script will re-launch it from its drop path, ensuring the RAT remains active even after termination attempts.\r\nCommand \u0026 Control (C2)\r\nThe Gh0st RAT malware communicates with its Command \u0026 Control (C2) server using the TCP protocol, which can often evade traditional security monitoring tools that rely on HTTP/HTTPS or DNS-based detections. This use of low-profile, custom TCP traffic introduces a significant blind spot, allowing threat actors to maintain covert access to compromised systems.\r\nThe Defentive Threat Research team successfully identified and intercepted the C2 infrastructure associated with this campaign. The active C2 endpoint was observed at:\r\n154[.]23[.]221[.]136:1821\r\nFurther investigation revealed that this IP is hosted within the AS18186 (NEBULA-GLOBAL) autonomous system — an abused hosting provider based in Hong Kong, commonly leveraged in malware campaigns due to its lax abuse response and anonymity-friendly services.\r\nAppendix\r\nIndicators of Compromise\r\nDomains\r\ndeepl-fanyi[.]com\r\nfanyi-deepl[.]com\r\napp-deepl[.]com\r\nlinkgodrive[.]icu\r\nIP\r\n154[.]23[.]221[.]136:1821\r\nHash\r\ne815f451f1f48085966b061cf8d6b0ebe88b77125ef23da4a00442f4705fb540\r\nMITRE ATT\u0026CK\r\nTactic | Technique | Technique ID | Description / Relevance\r\nReconnaissance | Search Engine Discovery: Search Engines | T1593.002 | SEO poisoning used to manipulate search engine rankings for malicious sites.\r\nInitial Access | Phishing: Spearphishing via Link | T1566.002 | Victims are lured via poisoned search results to click and download malware.\r\nInitial Access | Drive-by Compromise | T1189 | Malicious websites serve malware without needing additional social engineering.\r\nExecution | User Execution: Malicious File | T1204.002 | Users execute MSI or EXE files disguised as legitimate software.\r\nExecution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Batch files are used to monitor and reinitiate RAT processes.\r\nPersistence | Registry Run Keys / Startup Folder | T1547.001 | Gh0st RAT adds a registry autorun entry to maintain persistence.\r\nPersistence | Scheduled Task/Job: Scheduled Task | T1053.005 | Potential use for persistence (variant-dependent).\r\nCommand and Control | Non-Application Layer Protocol | T1095 | Gh0st RAT uses custom TCP communication for C2.\r\nCommand and Control | Application Layer Protocol: Web Protocols | T1071.001 | (optional) Some variants may use web-based protocols.\r\nDefense Evasion | Obfuscated Files or Information | T1027 | Payloads may be packed or encrypted to evade detection.\r\nDefense Evasion | Deobfuscate/Decode Files or Information | T1140 | Malware may decode itself during runtime.\r\nExfiltration | Exfiltration Over C2 Channel | T1041 | Data exfiltration uses the same C2 channel as command and control.\r\nDiscovery | System Information Discovery | T1082 | Malware gathers system data post-infection.\r\nConclusion\r\nAt Defentive, we don’t just react to cyber threats — we hunt them down before they reach your network. Our threat research team continuously monitors adversarial activity, tracks malware campaigns, and uncovers hidden infrastructure to deliver real-time, actionable intelligence. This Gh0st RAT campaign is just one example of how we proactively disrupt the attacker lifecycle and empower organizations with the insights they need to defend against even the most evasive threats. If you’re ready to elevate your threat detection and response capabilities, partner with Defentive — where cybersecurity meets precision.\r\nhttps://www.defentive.com\r\nSource: https://defentive.medium.com/lost-in-translation-threat-actors-use-seo-poisoning-and-fake-deepl-sites-to-distribute-gh0st-rat-4e827539601d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://defentive.medium.com/lost-in-translation-threat-actors-use-seo-poisoning-and-fake-deepl-sites-to-distribute-gh0st-rat-4e827539601d"
	],
	"report_names": [
		"lost-in-translation-threat-actors-use-seo-poisoning-and-fake-deepl-sites-to-distribute-gh0st-rat-4e827539601d"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434252,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/490f4a4cd9ad2b9544858235de91e2141e7d63cf.pdf",
		"text": "https://archive.orkl.eu/490f4a4cd9ad2b9544858235de91e2141e7d63cf.txt",
		"img": "https://archive.orkl.eu/490f4a4cd9ad2b9544858235de91e2141e7d63cf.jpg"
	}
}