
CNCERT: Risk Warning Regarding the "Black Cat" Gang's Use of Search Engines to Spread Counterfeit Notepad++ Download Remote Control Backdoors

Medium
Published: Fri Jan 09 2026 (01/09/2026, 10:24:39 UTC)
Source: AlienVault OTX General

Description

CNCERT and Microstep Online jointly detected a cyberattack campaign launched by the "Black Cat" criminal gang. The gang uses search engine optimization (SEO) techniques to push carefully crafted phishing websites to the top of search results for software keywords. Users who visit these high-ranking phishing pages are lured by convincingly designed download pages into downloading software installation packages bundled with malicious programs. Once installed, the program implants a backdoor Trojan without the user's knowledge, allowing attackers to steal sensitive data from the host.

AI-Powered Analysis

Last updated: 01/09/2026, 10:28:36 UTC

Technical Analysis

The Black Cat gang has launched a cyberattack campaign that uses search engine optimization (SEO) to promote phishing websites impersonating legitimate Notepad++ download pages. By manipulating search engine results, the malicious sites appear at the top of keyword searches, increasing the likelihood that users visit them. Visitors are presented with carefully crafted download pages offering installation packages bundled with backdoor Trojans. Once installed, the backdoor gives attackers remote control over the victim's system and enables the theft of sensitive data without the user's knowledge. The attack does not exploit software vulnerabilities; it relies on social engineering and on supply chain compromise through counterfeit software distribution. The campaign is notable for its use of SEO to extend its reach, which makes it a more effective phishing approach than ordinary lure links. No affected software versions or CVEs are identified, but the threat is significant because of the stealthy nature of the backdoor and the potential for data exfiltration. The campaign was detected by CNCERT and Microstep Online, and no related activity is known beyond the campaign itself. The attack requires user interaction to download and run the counterfeit installer, and it targets users searching for popular software downloads, exploiting trust in search engine rankings and in well-known software brands.

Potential Impact

For European organizations, this threat poses a risk of sensitive data theft, potential intellectual property loss, and unauthorized remote access to infected systems. Organizations relying on Notepad++ or similar open-source software for development or administrative tasks may inadvertently introduce backdoors into their environments. The stealthy nature of the backdoor Trojan can facilitate prolonged attacker presence, enabling further lateral movement and data exfiltration. This can lead to operational disruption, reputational damage, and regulatory compliance issues, especially under GDPR requirements for data protection. The campaign’s use of SEO to distribute malware increases the attack surface, as even cautious users may be deceived by high-ranking search results. The threat is particularly concerning for sectors with high software usage and development activity, such as finance, technology, and government agencies. Additionally, the campaign could indirectly impact supply chain security if infected machines are used to develop or distribute software internally. The medium severity reflects the need for vigilance but also the requirement for user interaction to succeed.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy against this threat. First, enforce strict policies to download software only from verified official sources or trusted repositories, avoiding third-party sites promoted via search engines. Educate users about the risks of downloading software from search results and the importance of verifying digital signatures or checksums of installation packages. Deploy endpoint detection and response (EDR) tools capable of identifying backdoor behaviors and unusual network communications indicative of remote control Trojans. Use web filtering solutions to block access to known phishing domains and monitor DNS queries for suspicious patterns. Regularly audit installed software for unauthorized or counterfeit applications. Implement network segmentation to limit the impact of compromised endpoints and enforce least privilege access controls. Maintain up-to-date threat intelligence feeds to detect emerging phishing domains related to this campaign. Finally, conduct phishing simulation exercises to raise awareness and improve user detection capabilities.
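An added example (not code from CNCERT, Microstep or the OTX pulse) of two of the checks recommended above: verifying a downloaded installer's SHA-256 against the vendor-published value, and flagging DNS queries for brand-impersonating hosts that do not sit under the allowlisted official download sources. The allowlist, the brand tokens and the log format are assumptions; the sample log lines are constructed, using three of the domains this pulse lists as indicators.

```python
import hashlib

# Assumption: registrable domains your organisation accepts as legitimate
# Notepad++ sources (the project site and its GitHub release host).
OFFICIAL_DOMAINS = {"notepad-plus-plus.org", "github.com"}
# Brand tokens whose presence in a non-allowlisted host suggests impersonation.
BRAND_TOKENS = ("notepadplusplus", "github")


def is_lookalike(fqdn):
    """True if the host carries a brand token but is not under an official domain."""
    host = fqdn.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return False
    flat = host.replace("-", "")   # cn-notepad-plus-plus.x -> cnnotepadplusplus.x
    return any(token in flat for token in BRAND_TOKENS)


# Constructed sample of a DNS query log: "<timestamp> <client> <qtype> <qname>".
# The three flagged names are domains listed as indicators in this pulse.
SAMPLE_DNS_LOG = """\
2026-01-09T10:24:39Z 10.0.0.5 A notepad-plus-plus.org
2026-01-09T10:25:02Z 10.0.0.5 A cn-notepadplusplus.com
2026-01-09T10:25:40Z 10.0.0.7 A github.com
2026-01-09T10:26:11Z 10.0.0.7 A notepadplusplus.cn
2026-01-09T10:27:00Z 10.0.0.9 A github.zh-cns.top
2026-01-09T10:27:30Z 10.0.0.9 A www.notepad-plus-plus.org
"""


def flag_lookalike_queries(log_text):
    """Return (client, qname) pairs whose qname impersonates an allowlisted brand."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue               # skip malformed lines rather than crash
        _ts, client, _qtype, qname = parts
        if is_lookalike(qname):
            hits.append((client, qname))
    return hits


def verify_installer_bytes(data, expected_sha256):
    """Compare the SHA-256 of a downloaded installer with the vendor-published value."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.strip().lower()
```

For a real installer, pass the file contents (for example `open(path, "rb").read()`) and the checksum copied from the vendor's release page, never one shown on the download site itself.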


Technical Details

Author: AlienVault
TLP: white
References: https://mp.weixin.qq.com/s?__biz=MzI4NDY2MDMwMw==&mid=2247515424&idx=2&sn=d07dc41546fd6db93f14582cea697821&poc_token=HBbUYGmjLdzE8PzYB1HZIktn2NWeikZ8-3GAIevy
Adversary: Black Cat
Pulse Id: 6960d767ed2466fdb23d97e5
Threat Score: null

Indicators of Compromise


Threat ID: 6960d845a48af7d8ce7d3bc4

Added to database: 1/9/2026, 10:28:21 AM

Last enriched: 1/9/2026, 10:28:36 AM

Last updated: 1/9/2026, 11:47:27 PM

Views: 32
