TL;DR
This post documents backlinks, and how thractors use them for SEO poisoning to deliver Lumma Stealer and SectopRAT. I show how I find backlinks, and a technique to monitor for new backlinks.
Tactical Pause
THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH, ANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN PERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED HERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR FUNDED BY MY EMPLOYER.
Thruntellisearch Source
Palo Alto Unit 42 shared the X post shown below [1]. This is my initial source for this activity.

The specific part of the delivery chain that we’re looking at is from the first stage in the Unit42 post – “winsofthub[.]com/dld”.
Analysis Scope
This specific analysis will touch on the delivery. Specifically, I will discuss how thractors use backlinks to achieve SEO Poisoning. I will not be discussing the malware. You can reference Unit 42’s CTI for more info on the malware.
SEO Poisoning
I’ve posted about how the Gootloader thractor used SEO poisoning back in NOV 2024 [2].
Crowdstrike describes how SEO Poisoning can be achieved via “Blackhat SEO” [3]. Specifically, Crowdstrike describes “private link networks”, and how they can be used to boost search engine results artificially.
Backlinks Explained
Sergey Brin and Lawrence Page, the co-founders of Google, explain how backlinks are used for their PageRank calculation to prioritize results [4]. To put it simply, backlinks impact how high up in the search results a link will be. Other metrics are also used, but those are out of scope for this post. Google doesn’t share the specific recipe for their sauce, but they do mention how PageRank has evolved since Google was launched [5].
How to check for backlinks
How do we check for backlinks to a site? I’ve found that ahrefs’ Backlink Checker is the easiest tool to use to find backlinks for a site [6]. You can use it to check for backlinks to winsofthub[.]com [7]. The snip below shows the results. The results in the snip should lead us to conclude that this thractor is employing backlinks to attempt to improve its prioritization in the search results.

Backlinks Analysis
Slack Marketplace
First we can analyze the Slack Marketplace. The Slack marketplace appears to be a place where you can share your Slack apps. It appears to be a free service. When I try to search for the backlink title, the search dialog pops up as if it’s about to load, but it eventually returns nothing. I am unable to search via the search bar.

I ran a successful Google dork. The dork query and snip are below. Note how the first result shows a link to winsofthub[.]online – it is very close to winsofthub[.]com and likely from the same thractor.
site:https://slack.com/marketplace Canva Pro Crack Latest Version

The snip below shows what the app page looks like.

I also note that these appear related because of their use of the “dl” variation in the URI path. Some are “dl”, some are “ddl”, and some are “dld”.
I ran a dork to find the winsofthub[.]com results that are on the Slack Marketplace. The snip below shows the results, and the snip below that shows what one of the app pages looks like.


Note how every link to winsofthub[.]com goes to the dld path. The thractor posts many fake downloads using the same link, and the download filenames are generic.
CBTU Nationbuilder and GurujiSangat
The CBTU and GurujiSangat sources are both sites built with NationBuilder – I group them together because of that.
Here’s a snip of what the CBTU result looks like – as seen in urlscan [8].

The GurujiSangat result is no longer up, but here’s another GurujiSangat result from urlscan that I assess is likely related [9].

It is interesting that both backlinks use NationBuilder.
GitHub
The snip below shows the GitHub README page for the final backlink.

Overall assessment of the backlinks
The thractor is using free services to post backlinks to boost their SEO performance. The links lead to their malware delivery chain.
Action this knowledge
Take action on this knowledge, and remember to check for backlinks!
Whenever I remember to check for backlinks, I always hope to find a backlink farm [10] that is implemented the same way the Gootloader farms were [11]. With the Gootloader backlink farms, you could crawl them using the sitemap. The backlinks for this specific activity do not offer the same capability. You would need to monitor them with dorks.
I think a thruntellisearch analyst could monitor for new activity via a dork combined with a filter for recency. The snip below shows how to limit the results to the past week. Also note how the results now show “x days ago”.

This technique can be used to monitor for new links. This could be particularly useful for a malware analyst that is looking to maintain ongoing thractor thrintelligence.
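The same two observations from this post, the dl/ddl/dld path variants spread across sibling domains (winsofthub[.]com and winsofthub[.]online) and the "only show me what is new since last week" recency filter, can be applied to a backlink-checker export instead of the search-engine UI. The script below is an added example, not code from the post or from ahrefs; the `Backlink` row layout and the sample snapshot are constructed (the `.example` hosts and `EXAMPLE-` names are placeholders), and `registrable_label` is a naive split rather than a real public-suffix lookup.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlparse


@dataclass(frozen=True)
class Backlink:
    """One row of a backlink-checker export (assumed layout, not ahrefs' schema)."""
    source: str       # referring page that carries the link
    target: str       # URL the link points at
    first_seen: date  # date the checker first observed the link


# Constructed sample snapshot. The targets mirror the post's findings; the
# referring pages use placeholder names and .example hosts.
SNAPSHOT = [
    Backlink("https://slack.com/marketplace/EXAMPLE-canva-pro-crack",
             "https://winsofthub.com/dld", date(2025, 8, 1)),
    Backlink("https://slack.com/marketplace/EXAMPLE-photoshop-crack",
             "https://winsofthub.online/ddl", date(2025, 8, 3)),
    Backlink("https://cbtu.nationbuilder.example/news",
             "https://winsofthub.com/dld", date(2025, 8, 10)),
    Backlink("https://github.com/EXAMPLE-user/EXAMPLE-repo",
             "https://winsofthub.com/dl", date(2025, 8, 14)),
    Backlink("https://review-site.example/article",
             "https://vendor.example/download", date(2025, 8, 14)),
]

DL_VARIANTS = {"dl", "ddl", "dld"}   # URI-path variants observed in the post


def registrable_label(url: str) -> str:
    """Label left of the TLD, e.g. 'winsofthub' for both winsofthub.com and
    winsofthub.online. Naive split: enough to spot sibling domains, not a
    public-suffix-list lookup (co.uk and friends would be wrong)."""
    host = urlparse(url).hostname or ""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def path_variant(url: str) -> str:
    """First path segment of the target URL, lower-cased ('' if none)."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    return segments[0].lower() if segments else ""


def lookalike_targets(snapshot, label):
    """Backlinks whose target shares the watched label (catches .com and .online)."""
    return [b for b in snapshot if registrable_label(b.target) == label]


def cluster_by_variant(links):
    """Map each dl/ddl/dld variant to the sorted target hosts that use it."""
    clusters = {}
    for b in links:
        v = path_variant(b.target)
        if v in DL_VARIANTS:
            clusters.setdefault(v, set()).add(urlparse(b.target).hostname)
    return {v: sorted(hosts) for v, hosts in clusters.items()}


def new_since(snapshot, known_sources, since, label):
    """Referring pages we have not recorded before, first observed on or after
    `since`, restricted to targets on the watched label. This is the post's
    recency filter applied to an export rather than to search results."""
    return sorted(
        b.source
        for b in lookalike_targets(snapshot, label)
        if b.source not in known_sources and b.first_seen >= since
    )


if __name__ == "__main__":
    known = {SNAPSHOT[0].source, SNAPSHOT[1].source}  # recorded on the last run
    week_ago = date(2025, 8, 15) - timedelta(days=7)  # fixed "today" for a stable demo
    print(cluster_by_variant(lookalike_targets(SNAPSHOT, "winsofthub")))
    for src in new_since(SNAPSHOT, known, week_ago, "winsofthub"):
        print("new backlink:", src)
```

Keying on the registrable label rather than the full host is what ties winsofthub[.]online to winsofthub[.]com in one cluster; the variant map then shows which sibling uses which path, and the `new_since` output is the list an analyst would pivot on each week, the same way the "past week" dork results are used above.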
Summary
This post documents backlinks, and how thractors use them for SEO poisoning. I show how I find backlinks, and a technique to monitor for new backlinks.
References
[1] https://x.com/Unit42_Intel/status/1956477339199472102
[2] https://malasada.tech/gootloader-updated-delivery-vector/#seo-poisoning
[3] https://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/seo-poisoning/?srsltid=AfmBOorsr6STeUxADgnDLNNyu8DMl0DDDXdOtOHI9rBdQsXEkhA3PJJY#:~:text=Example%20of%20seo%20poisoning%20on%20a%20search%20engine%20result
[4] http://infolab.stanford.edu/~backrub/google.html
[5] https://developers.google.com/search/docs/appearance/ranking-systems-guide#link-analysis
[6] https://ahrefs.com/backlink-checker
[7] https://ahrefs.com/backlink-checker/?input=winsofthub.com&mode=subdomains
[8] https://urlscan.io/result/0198b33e-aa80-7518-89df-2fb17ee844bf/
[9] https://urlscan.io/result/01988596-c6c2-730c-bb89-0978c6cd0b17/
[10] https://malasada.tech/what-is-a-gootloader-backlink-farm/
[11] https://malasada.tech/gootloader-updated-delivery-vector/#private-link-networks-backlinks
with planny aloha
mahalo for your time
