Introduction to the HaxorSEO Marketplace
Fortra Intelligence and Research Experts (FIRE) have uncovered a group of active malicious threat actors operating since 2020. The group refers to themselves as Haxor, a slang word for hackers, and their marketplace as HxSEO, or HaxorSEO. HxSEO has established its primary base of operations and marketplace on Telegram and WhatsApp.
HxSEO stands out for their emphasis on unethical search engine optimization (SEO) techniques, selling a service that supports phishing campaigns by improving the perceived legitimacy of malicious pages. Their optimization is impressively successful, with FIRE identifying fraudulent login pages that rank higher than the legitimate pages of global financial institutions.
HxSEO leverages a range of malicious tools along with unethical search engine optimization (SEO) tactics to ensure malicious sites appear at the top of your search results, making compromised sites harder to spot and luring more potential victims. They also specialize in illicit backlink sales for SEO poisoning.
FIRE identified the HxSEO marketplace, where threat actors and fraudsters can purchase a backlink to their website of choice, from a selection of legitimate domains already compromised by the group. These domains are typically 15-20 years old and are marketed alongside a selection of ‘trust’ scores to advertise how effective the purchased backlink would be for increasing search engine rankings.
Once payment is made, the group will add the backlink along with the malicious address to the legitimate domain, increasing the buyer’s likelihood of successfully achieving their goals.
HaxorSEO Poisoning - Deeper Dive
As SEO poisoning is the focus of the HxSEO marketplace, it warrants a deeper conversation about how it works and how the field is constantly shifting thanks to community threat intelligence and the evolving ‘black box’ nature of SEO algorithms.
SEO poisoning is a cyberattack where malicious actors manipulate search engine results to rank harmful websites highly, tricking users into clicking them. Search engines actively combat these methods and spam by employing advanced algorithms and manual review processes to identify, devalue, and penalize suspected abuse. Initiatives such as FS-ISAC (Financial Services Information Sharing and Analysis Centers) and search engine reporting programs have made it more challenging to target users via malvertising, where a compelling ad directs a user to a malicious site. Without the ease of paying a high-traffic platform to present malicious sites to potential victims, threat actors have turned to other methods for elevating their sites, like SEO poisoning.
HxSEO specializes in backlink sales, where another website links to a designated domain or URL to improve ranking within a search engine. Backlinks are perceived to add legitimacy and authority, improving indexing and increasing the likelihood of your site being presented to a user – especially when presented by a reputable and relevant site. In addition to elevating malicious websites with backlinks from reputable domains, HxSEO can negatively impact the SEO score of legitimate pages that are being imitated, using bad backlinks hosted on spammy, low-authority sites, which harms ethical SEO.
Alongside the backlinks, other key techniques used are:
Keyword stuffing: Overloading a webpage with key words or phrases to manipulate search engine rankings.
Hidden text: Where key words or links are concealed from users but visible to search engine crawlers. Examples include white text on a white background, font size set to zero, or off-screen positioning.
Automatically generated content: Created by bots or generative AI and intended to artificially inflate the ranking of harmful websites, provided the search engine perceives it as adding value and not ‘AI-slop.’
When users search for sensitive keywords like "financial logins" for specific banks, the HxSEO team's manipulation ensures the compromised sites appear first in the search results, ahead of the legitimate page they are imitating, luring unsuspecting users into illegitimate content. FIRE have observed HxSEO’s successful optimization of credential harvesting pages imitating high-profile banks and financial service login pages. In some cases, fraudulent login pages ranked higher than the legitimate page.
The HxSEO team's SEO poisoning can support a variety of different techniques depending on the threat actor’s objective. Fraudulent sites use keywords that target legal, financial and business-related searches to lure traffic to unwanted content that resembles webpages of legitimate organizations. As well as credential harvesting pages, pages have been identified that download malware when visited, including viruses, information stealers, and ransomware kits.
Having covered how SEO poisoning works and how threat actors utilize HxSEO’s services, we will dive deeper into the HxSEO team's operations and marketplace.
HaxorSEO and Their Marketplace: Services Offered & Compromised Domains
The HxSEO team have a wide catalogue of compromised sites that can be used for SEO poisoning to elevate malicious pages in search results.
The HxSEO team uses compromised sites that fit a profile, as they need to be recognized as reputable sites for SEO to work. They favor older domains that are 15-20 years old; these sites are typically on .ac.id, .com, .si, and TLDs that have more credibility.
The HxSEO team primarily runs their marketplace operation on Telegram/WhatsApp, advertising all the backlinks they have for sale via a Google sheet containing 1000+ compromised domains. Each website is compromised with a Haxor-controlled webshell that enables them to upload the malicious backlink to the reputable site. This expansive backlink marketplace provides malicious third parties with the means to launch phishing campaigns or deploy harmful code through backlinks.
These backlinks then allow third parties to select a domain of choice and essentially gain "votes" or endorsements from these websites to theirs, signaling to search engines like Google that their content is trustworthy and relevant.
HxSEO market their selection of compromised sites alongside common SEO metrics used to measure the authority and strength of a domain or webpage. Page authority (PA), domain authority (DA), and domain rating (DR) predict how effective the site is for SEO poisoning, with the domain rating giving the strongest indicator of how effective the domain’s backlink profile is. Spam score (SS) estimates the likelihood of a domain being penalized or considered spam. The list typically advertises 100-150 compromised websites at a given time, with forgotten academic journal webpages a clear preference.
[sample screenshot of google sheet advertising backlink domains with relevant trust scores]
The backlinks are refined and strategically concealed from both site administrators and general users. This concealment is crucial to their high efficiency in manipulating search engine ranking algorithms.
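As an added illustration (not FIRE's or Fortra's tooling), a site administrator could scan their own pages for outbound links concealed with the hidden-text methods listed earlier: zero font size, off-screen positioning, non-rendered elements and white text. The function name, rule set and sample page are assumptions constructed for this example, and the heuristics only inspect inline styles.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics for the inline-style concealment methods listed in the article.
HIDING_RULES = {
    "zero-font": re.compile(r"font-size\s*:\s*0(?![\d.])"),
    "off-screen": re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}"),
    "not-rendered": re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"),
    "white-text": re.compile(r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?|white)\b"),
}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr", "area", "base"}

class HiddenLinkScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack, self.findings = [], []  # open (tag, reasons); (href, reasons) hits

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").lower()
        # Concealment applied to an ancestor also hides everything nested in it.
        reasons = set(self.stack[-1][1]) if self.stack else set()
        reasons |= {n for n, rx in HIDING_RULES.items() if rx.search(style)}
        host = urlparse(attrs.get("href") or "").hostname or ""
        own = host == self.site_host or host.endswith("." + self.site_host)
        if tag == "a" and reasons and host and not own:
            self.findings.append((attrs["href"], sorted(reasons)))
        if tag not in VOID_TAGS:
            self.stack.append((tag, reasons))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:  # pop back to the nearest matching open tag
                del self.stack[i:]
                break

def find_hidden_external_links(html, site_host):
    scanner = HiddenLinkScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: visible links plus two concealed external ones.
SAMPLE_PAGE = """<p>See the <a href="https://journal.example.ac.id/archive">archive</a>,
<a href="https://publisher.example.org/">publisher</a>.</p>
<div style="position:absolute; left:-9999px">
<a href="https://login-portal.example.net/">bank login</a></div>
<span style="font-size:0"><a href="http://promo.example.com/x">sign in</a></span>
<p style="font-size:0.9em"><a href="https://partner.example.org/">partner</a></p>"""
```

Calling `find_hidden_external_links(SAMPLE_PAGE, "journal.example.ac.id")` reports only the two concealed links. A white-text hit needs manual review, since white text is legitimate on a dark background.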
FIRE are security experts, but not necessarily SEO specialists. To get further insight into the efficacy of this operation we contacted Fortra’s marketing team to speak to an SEO expert. Here is what they had to say:
“HxSEO are emulating SEO best practices for black hat purposes. A key difference is the sustainability of blackhat SEO vs ethical SEO. Black-hat SEO requires constant churn because search engines actively hunt for manipulative patterns like link schemes and cloaking. Once detected, domains and backlink networks are penalized or de-indexed. Then, they need new domains, fresh backlinks, and content updates. While attackers can achieve quick wins (ranking #1 for certain queries), sustaining that position is difficult without ongoing investment and evasion tactics. This is why black-hat SEO is often used for fast-moving campaigns like phishing or malware distribution, where the goal is to exploit visibility for days or weeks before detection.”
Once a scammer selects one of HxSEO's backlinks, which usually cost around $6 per listing, the group will automatically inject the necessary code into the compromised site. The price is advertised in Juta Indonesian Rupiah, but the exact payment method is unknown. With a low price point and immediate setup after purchase, this service is attractive and used by multiple distinct groups. This, combined with the difficulty of spotting the backlinks in a search result, inevitably leads to attacks at scale.
FIRE cannot be certain how the catalogue of sites was originally compromised, but webshell locations and listed URLs suggest a variety of file upload and remote code execution exploits were used to upload the webshell, most commonly targeting vulnerable PHP components and WordPress plugins.
FIRE’s analysis of the webshells suggested the use of a lightly modified Alfa Team Iranian shell that the HxSEO team put their own flavor on. Alfa shells are usually known for their verbose interface, which allows far less experienced operators to use them. Fortra has seen this shell being used to stand up phishing attacks targeting US and global financial institutions in 2025.
Recommendations
Upon detection of fraudulent web pages linked to HxSEO, Fortra works with the targeted organization, domain service provider, and search engines to mitigate and take down the malicious page. Given the effectiveness of HxSEO's operation, we would also encourage increased awareness in spotting malicious pages, as users tend to trust higher-ranked pages implicitly.
Users are advised to be wary of URLs that they access via search engines, especially banking login pages. A best practice is to bookmark sensitive login pages, like your bank login, rather than locating them via a search engine. Make sure to verify that the domain in the URL is legitimate and keep an eye out for lookalike domains that may have minor spelling differences you wouldn’t notice immediately. If you are unsure, contact your bank and ask them to identify the correct login page.