title: SEO Poisoning (T1608.006)
id: df00tech-t1608-006
status: experimental
description: "Adversaries manipulate search engine optimization (SEO) rankings so that adversary-controlled or compromised sites hosting payloads appear prominently in the results potential victims see. Techniques include keyword stuffing on compromised websites (often WordPress or other CMS sites), purchasing or planting inbound links to boost a site's reputation, cloaking and redirect chains that show crawlers benign content while serving malicious content to real users, and gaming the built-in search of developer platforms (GitHub, npm, PyPI) to surface supply chain lures. The goal is to intercept users conducting legitimate searches and route them to adversary-controlled download sites, directly enabling Drive-by Compromise (T1189). Gootloader is the most extensively documented malware family delivered through SEO poisoning: compromised WordPress sites rank highly for legal document and business template queries and serve ZIP archives containing an obfuscated JavaScript file that runs under the Windows Script Host (wscript.exe) when the user opens it. Nothing about the poisoned ranking is visible from the victim network, so detection pivots entirely to victim-side indicators: proxy and web gateway logs in which an HTTP Referer from a search engine (usually only the search engine origin, since current browser referrer policies strip the query string on cross-site navigation) is followed by an archive download, endpoint telemetry showing a browser or Explorer spawning a script interpreter (wscript.exe, cscript.exe) on a file under Downloads or Temp, and file system artifacts showing archive extraction followed by script execution in user-writable directories."
references:
  - https://attack.mitre.org/techniques/T1608/006/
  - https://df00tech.com/detections/T1608.006
author: df00tech
date: 2026/03/13
tags:
  - attack.t1608.006
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The description points at proxy/web gateway logs (Sigma category: proxy) and
# Windows process telemetry (category: process_creation), not network_connection.
logsource:
  category: network_connection
  product: windows
detection:
  # Placeholder: this selection matches every event in the logsource and must not
  # be deployed as-is. The detection logic could not be auto-translated; see the
  # KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate software downloads where users search for and directly download vendor-provided installers, particularly common for open-source tools, developer utilities and freeware; mitigation: maintain an allowlist of trusted software vendor domains"
  - "IT administrators discovering and downloading troubleshooting or diagnostic tools via web search, particularly ZIP archives and MSI packages"
  - "Developer workflows where searching for SDK documentation leads to downloading JavaScript sample files or compressed source archives from official project sites"
  - "Automated patch management or software inventory agents that use browser user-agent strings and may send Referer headers resembling search engine traffic"
  - "Security researchers intentionally downloading samples from threat-sharing platforms or malware repositories that appear in search results"
level: high
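The victim-side pivots the description names, worked through as an added example. This is not the df00tech KQL/SPL query and not part of the rule above: the record fields, the search engine, archive, script host and launcher lists, the vendor allowlist and the 30-minute correlation window are all assumptions, and every log record is constructed for the example. The Referer values carry only the search engine origin, which is what a current browser sends on a cross-site navigation.

```python
"""Victim-side SEO-poisoning detection over constructed telemetry.

Added example for the T1608.006 rule above, not df00tech's KQL/SPL query.
Record fields, the host/extension lists and the 30-minute window are
assumptions; every log record below is constructed for this example.
"""
import ntpath
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SEARCH_ENGINES = ("google.com", "bing.com", "duckduckgo.com", "search.yahoo.com", "yandex.com")
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".iso", ".img")
ARCHIVE_MIMES = ("application/zip", "application/x-zip-compressed",
                 "application/x-rar-compressed", "application/x-7z-compressed")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
LAUNCHERS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "7zfm.exe", "winrar.exe")
# Allowlist of vendor download hosts: the false-positive mitigation the rule suggests.
VENDOR_ALLOWLIST = ("github.com", "objects.githubusercontent.com")
# Script path under a per-user Downloads or Temp directory (case-insensitive).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def search_referred_archive_downloads(proxy_events):
    """Proxy/web-gateway records whose Referer is a search engine and whose
    response is an archive (by URL extension or Content-Type), excluding
    allowlisted vendor hosts."""
    hits = []
    for e in proxy_events:
        if not _under(_host(e["referer"]), SEARCH_ENGINES):
            continue
        if _under(_host(e["url"]), VENDOR_ALLOWLIST):
            continue
        path = urlsplit(e["url"]).path.lower()
        if path.endswith(ARCHIVE_EXTS) or e["content_type"] in ARCHIVE_MIMES:
            hits.append(e)
    return hits


def script_launches_from_user_dirs(proc_events):
    """Process-creation records where a browser, Explorer or archiver spawns a
    Windows script host on a script stored in a user-writable directory."""
    hits = []
    for e in proc_events:
        if ntpath.basename(e["parent_image"]).lower() not in LAUNCHERS:
            continue
        if ntpath.basename(e["image"]).lower() not in SCRIPT_HOSTS:
            continue
        if USER_WRITABLE.search(e["command_line"]):
            hits.append(e)
    return hits


def correlate(proxy_events, proc_events, window=timedelta(minutes=30)):
    """Pair each flagged download with a flagged script launch on the same
    endpoint within `window` after the download; one alert per pair."""
    alerts = []
    launches = script_launches_from_user_dirs(proc_events)
    for d in search_referred_archive_downloads(proxy_events):
        for p in launches:
            if p["host"] == d["host"] and timedelta(0) <= p["ts"] - d["ts"] <= window:
                alerts.append({"host": d["host"], "url": d["url"],
                               "referer": d["referer"], "command_line": p["command_line"]})
    return alerts


T = datetime.fromisoformat
PROXY_EVENTS = [  # constructed sample records
    {"ts": T("2026-03-13T10:00:12"), "host": "WS01", "content_type": "application/zip",
     "referer": "https://www.google.com/",
     "url": "https://templates.example.net/download.php?file=nda_template"},
    {"ts": T("2026-03-13T10:05:40"), "host": "WS02", "content_type": "application/zip",
     "referer": "https://www.google.com/",
     "url": "https://github.com/example-org/tool/archive/refs/tags/v1.0.zip"},
    {"ts": T("2026-03-13T10:07:03"), "host": "WS01", "content_type": "text/html",
     "referer": "", "url": "https://www.example.com/"},
    {"ts": T("2026-03-13T11:00:00"), "host": "WS03", "content_type": "application/pdf",
     "referer": "https://www.bing.com/", "url": "https://www.example.org/guide.pdf"},
]
PROC_EVENTS = [  # constructed sample records
    {"ts": T("2026-03-13T10:04:55"), "host": "WS01",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\nda_template\nda template 58211.js"'},
    {"ts": T("2026-03-13T10:06:10"), "host": "WS02",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "command_line": r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\bob\Downloads\v1.0.zip"'},
    {"ts": T("2026-03-13T14:00:00"), "host": "WS01",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\ProgramData\Scripts\logon.js"'},
]

if __name__ == "__main__":
    for a in correlate(PROXY_EVENTS, PROC_EVENTS):
        print(f"[{a['host']}] {a['referer']} -> {a['url']} then {a['command_line']}")
```

Run stand-alone, the script reports one alert for WS01: the first proxy record is flagged on Content-Type alone (the URL path ends in .php, which is why the check does not rely on the extension), the GitHub download on WS02 is dropped by the vendor allowlist, and the WS01 wscript.exe launch at 14:00 is not paired because its script sits outside a user-writable directory and falls outside the window. Correlating by endpoint and time keeps either signal from alerting on its own; the proxy match alone would fire on every search-referred archive download in the falsepositives list.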
