Cyber Security

Chinese “HotPage” Exposes Users to Adware and Potential Attacks

ESET Research has discovered a sophisticated Chinese browser injector: a signed, vulnerable, ad-injecting driver from a mysterious Chinese company. This threat, which ESET dubbed HotPage, comes self-contained in an executable file that installs its main driver and injects libraries into Chromium-based browsers. Posing as a security product capable of blocking advertisements, it introduces new ads. Additionally, the malware can replace the content of the current page, redirect the user, or simply open a new tab to a website full of other ads.

Beyond the adware behaviour, the driver itself is exploitable and leaves the system open to more dangerous threats. Because it carries a legitimate signature, an attacker with a non-privileged account can use it as a trusted component: leveraging the vulnerable driver to obtain SYSTEM privileges, or using its injection capability to load libraries into other processes. At the end of 2023, ESET researchers came across an installer named “HotPage.exe” that deploys a driver capable of injecting code into other processes, along with two libraries that intercept and tamper with browsers’ network traffic. Most security products already detected the installer as an adware component.

What stood out to ESET researchers was the embedded driver signed by Microsoft. According to its signature, it was developed by a Chinese company named Hubei Dunwang Network Technology Co., Ltd. “The lack of information about the company was intriguing. The distribution method is still unclear, but according to our research, this software was advertised as an internet café security solution aimed at Chinese-speaking individuals. It purports to improve the web browsing experience by blocking ads and malicious websites, but the reality is quite different — it leverages its browser traffic interception and filtering capabilities to display game-related ads. It also sends some information about the computer to the company’s server, most likely to gather installation statistics,” explains ESET researcher Romain Dumont, who discovered the threat.

According to available information, the business scope of the company includes technology-related activities such as development, services, and consulting – but also advertising activities. The principal shareholder is currently Wuhan Yishun Baishun Culture Media Co., Ltd., a very small company that specialises in advertising and marketing. Due to the level of privileges needed to install the driver, the malware might have been bundled with other software packages or advertised as a security product.

Using Windows’ notification callbacks, the driver component is told whenever a new browser process or tab is started. Under certain conditions, the adware then uses several techniques to inject shellcode into the browser process, and that shellcode loads its network-tampering libraries. Using Microsoft’s Detours hooking library, the injected code hooks the browser’s networking functions and filters HTTP(S) requests and responses. The malware can replace the content of the current page, redirect the user, or simply open a new tab to a website full of gaming ads. Beyond this obvious mischief, the kernel component leaves the door open for other threats to run code as SYSTEM, the most privileged user account on Windows.

The driver’s communication interface is not properly access-restricted: any local process, whatever its privilege level, can open it and use its code injection capability against any non-protected process. “The HotPage driver reminds us that abusing Extended Verification certificates is still a thing. As a lot of security models are at some point based on trust, threat actors are inclined to play along the line between legitimate and shady. Whether such software is advertised as a security solution or simply bundled with other software, the capabilities granted thanks to this trust expose users to security risks,” adds Romain.
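As an added example (not HotPage code and not ESET’s tooling), the PowerShell below turns the two points above into checks a practitioner can run on a Windows host. Test-DeviceOpen attempts to open a named device object with the calling process’s token; run from a non-elevated prompt, a result of “Openable” is exactly the weak access-restriction condition described for this driver. Get-RunningDriverSigners lists running kernel drivers with their Authenticode signer and the company name from the PE version resource, which is where a Microsoft-attested third-party driver usually betrays its vendor, since the signer itself is Microsoft. The device name is a placeholder, because this page does not give HotPage’s device name; the error-code interpretation and the CompanyName heuristic are assumptions of this example, not findings from the research.

```powershell
# Added example (not HotPage code, not ESET's tooling). Two host checks:
#   1. Test-DeviceOpen          : can the current token open a driver's device object?
#   2. Get-RunningDriverSigners : running kernel drivers with signer and vendor name.
# Device names passed to Test-DeviceOpen are placeholders; this page does not
# give HotPage's device name.

Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

function Test-DeviceOpen {
    # Reports whether \\.\<DeviceName> can be opened for read/write by the
    # calling process. Run from a NON-elevated prompt: "Openable" for a standard
    # user means any local process can reach the driver's IOCTL interface.
    param([Parameter(Mandatory)][string]$DeviceName)

    $GENERIC_READ  = [uint32]0x80000000
    $GENERIC_WRITE = [uint32]0x40000000
    $FILE_SHARE_RW = [uint32]3      # FILE_SHARE_READ | FILE_SHARE_WRITE
    $OPEN_EXISTING = [uint32]3

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $handle = [Win32.NativeMethods]::CreateFileW("\\.\$DeviceName",
        ($GENERIC_READ -bor $GENERIC_WRITE), $FILE_SHARE_RW, [IntPtr]::Zero,
        $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if (-not $handle.IsInvalid) {
        $handle.Close()
        $status = 'Openable'            # weak or missing DACL on the device object
    } elseif ($err -eq 5) {
        $status = 'AccessDenied'        # ERROR_ACCESS_DENIED: the DACL did its job
    } elseif ($err -eq 2) {
        $status = 'NotPresent'          # ERROR_FILE_NOT_FOUND: no such device
    } else {
        $status = "Error$err"
    }

    [pscustomobject]@{
        User     = $identity.Name
        Elevated = $elevated
        Device   = $DeviceName
        Status   = $status
    }
}

function Get-RunningDriverSigners {
    # Lists running kernel drivers with Authenticode signer and the CompanyName
    # from the PE version resource. A Microsoft-attested driver shows a Microsoft
    # signer, so do not filter on signer alone; the vendor name in the version
    # resource is a lead (it is vendor-supplied, so not proof).
    Get-CimInstance Win32_SystemDriver |
      Where-Object { $_.State -eq 'Running' -and $_.PathName } |
      ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''                      # strip \??\
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"      # expand \SystemRoot\
        if (-not (Test-Path -LiteralPath $path)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            Company   = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SigStatus = $sig.Status
        }
      } |
      Where-Object { $_.Company -notmatch 'Microsoft' } |
      Sort-Object Company

}

# Usage (placeholder device name; substitute the device you are auditing):
# Test-DeviceOpen -DeviceName 'ExampleDevice'
# Get-RunningDriverSigners | Format-Table -AutoSize
```

On the driver side, the general WDK remedy for an “Openable” result (stated here as standard hardening, not as anything this page attributes to the vendor) is to create the device object with IoCreateDeviceSecure, or an equivalent security entry in the INF, using a restrictive SDDL such as SDDL_DEVOBJ_SYS_ALL_ADM_ALL, which expands to “D:P(A;;GA;;;SY)(A;;GA;;;BA)”, and to set FILE_DEVICE_SECURE_OPEN so that the DACL is enforced on every open, including opens that name a path below the device. With that in place, Test-DeviceOpen from a standard user returns AccessDenied, and the injection capability is no longer reachable from an unprivileged process.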

ESET reported this driver to Microsoft in March 2024 and followed their coordinated vulnerability disclosure process. ESET technologies detect this threat — which Microsoft removed from the Windows Server Catalog on May 1, 2024 — as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.

Cyber Security

GISEC Global 2025: Phishing, Data Breaches, Ransomware, and Supply Chain Attacks Causing Challenges

Maher Jadallah, the Vice President for Middle East and North Africa at Tenable, says effective exposure management requires a unified view of the entire attack surface.

Cyber Security

GISEC Global 2025: A Place Where Innovation, Partnerships, and Leadership Come Together

Meriam ElOuazzani, the Senior Regional Director for META at SentinelOne, says the company will showcase its latest developments in AI-powered security solutions, reinforcing its position as a leader in this area.

Artificial Intelligence

Cequence Intros Security Layer to Protect Agentic AI Interactions

Cequence Security has announced significant enhancements to its Unified API Protection (UAP) platform to deliver a comprehensive security solution for agentic AI development, usage, and connectivity. This enhancement empowers organizations to secure every AI agent interaction, regardless of the development framework. By implementing robust guardrails, the solution protects both enterprise-hosted AI applications and external AI APIs, preventing sensitive data exfiltration through business logic abuse and ensuring regulatory compliance.

There is no AI without APIs, and the rapid growth of agentic AI applications has amplified concerns about securing sensitive data during their interactions. These AI-driven exchanges can inadvertently expose internal systems, create significant vulnerabilities, and jeopardize valuable data assets. Recognising this critical challenge, Cequence has expanded its UAP platform, introducing an enhanced security layer to govern interactions between AI agents and backend services specifically. This new layer of security enables customers to detect and prevent AI bots such as ChatGPT from OpenAI and Perplexity from harvesting organizational data.

Internal telemetry across Global 2000 deployments shows that the overwhelming majority of AI-related bot traffic, nearly 88%, originates from large language model infrastructure, with most requests obfuscated behind generic or unidentified user agents. Less than 4% of this traffic is transparently attributed to bots like GPTBot or Gemini. Over 97% of it comes from U.S.-based IP addresses, highlighting the concentration of risk in North American enterprises. Cequence’s ability to detect and govern this traffic in real time, despite the lack of clear identifiers, reinforces the platform’s unmatched readiness for securing agentic AI in the wild.

Key enhancements to Cequence’s UAP platform include:

  • Block unauthorized AI data harvesting: Understanding that external AI often seeks to learn by broadly collecting data without obtaining permission, Cequence provides organizations with the critical capability to manage which AI, if any, can interact with their proprietary information.
  • Detect and prevent sensitive data exposure: Empowers organizations to effectively detect and prevent sensitive data exposure across all forms of agentic AI. This includes safeguarding against external AI harvesting attempts and securing data within internal AI applications. The platform’s intelligent analysis automatically differentiates between legitimate data access during normal application usage and anomalous activities signaling sensitive data exfiltration, ensuring comprehensive protection against AI-related data loss.
  • Discover and manage shadow AI: Automatically discovers and classifies APIs from agentic AI tools like Microsoft Copilot and Salesforce Agentforce, presenting a unified view alongside customers’ internal and third-party APIs. This comprehensive visibility empowers organizations to easily manage these interactions and effectively detect and block sensitive data leaks, whether from external AI harvesting or internal AI usage.
  • Seamless integration: Integrates easily into DevOps frameworks for discovering internal AI applications and generates OpenAPI specifications that detail API schemas and security mechanisms, including strong authentication and security policies. Cequence delivers powerful protection without relying on third-party tools, while seamlessly integrating with the customer’s existing cybersecurity ecosystem. This simplifies management and security enforcement.

“Gartner predicts that by 2028, 33% of enterprise software applications will include agentic AI, up from less than 1% in 2024, enabling 15% of day-to-day work decisions to be made autonomously. We’ve taken immediate action to extend our market-leading API security and bot management capabilities,” said Ameya Talwalkar, CEO of Cequence. “Agentic AI introduces a new layer of complexity, where every agent behaves like a bidirectional API. That’s our wheelhouse. Our platform helps organizations embrace innovation at scale without sacrificing governance, compliance, or control.”

These extended capabilities will be generally available in June.

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.