26 January 2026

Inside the Z-Campaign: A Modern Spam SEO Malware Operation

Executive Summary
Quttera researchers recently analyzed a widespread Spam SEO malware campaign, which we track internally as the Z-Campaign. This campaign represents a modern evolution of the well-known Japanese Keyword Hack, using stealthy file-inclusion techniques, cloaking, and malware-as-a-service (MaaS) infrastructure to manipulate search engine rankings while remaining invisible to site owners.

Unlike older SEO spam attacks that relied on obvious inline obfuscation, the Z-Campaign minimizes changes to legitimate files and hides its main payload in non-standard locations and file types. This makes it harder for traditional signature-based scanners to detect, while still enabling large-scale abuse of compromised websites.

This post explains how the campaign works, why it is effective, what defenders should look for, and how to remediate infected sites.
Background: What Is the Z-Campaign?
Websites impacted by the Z-Campaign are compromised by a sophisticated variant of Spam SEO malware designed to manipulate search engine result pages (SERPs).

The attackers use compromised WordPress or generic PHP environments to:
  • Inject spam content visible only to search engine crawlers
  • Redirect real users to scam or illicit third-party sites
  • Poison search engine indexes using fake sitemaps and modified robots.txt files
The name “Z-Campaign” is derived from a recurring server-side directory and URL structure observed across multiple infections and historical samples of similar malware.
High-Level Infection Flow
At a high level, the infection follows a two-stage design:

  1. Loader – a minimal modification to a legitimate core PHP file
  2. Payload – a larger malicious script hidden in a dot-directory and executed indirectly
This separation reduces the likelihood of detection and allows attackers to update spam content centrally without reinfecting each site.
Visitor Request
      |
      v
[index.php Loader]
      |
      v
[Hidden Payload (dot-directory, non-.php file)]
      |
      v
[Remote C2 Infrastructure]
      |
      v
Bot: Spam Content   |   Human: Redirect
Stage 1: The Loader (Initial Trigger)
The infection begins with a small block of injected code placed at the very top of a legitimate index.php file.
Rather than embedding large, obfuscated logic inline, the loader is a single require_once of a local file that carries no .php extension. PHP executes whatever file it is told to include regardless of the extension, so the payload can sit in a .txt or extension-less file that the web server itself would never execute and many scanners never open.

Why this matters:
  • The modification to index.php is minimal and easy to miss
  • Some scanners ignore executable code inside .txt or non-PHP files
  • The malicious logic can reside outside the typical web root
This approach represents a clear evolution from older eval(base64_decode())-style injections that were easier to detect.
Stage 2: The Hidden Payload
The payload file contains the malware's core logic and acts as a client for a remote command-and-control (C2) system.
Its responsibilities include:

  • Identifying search engine crawlers
  • Fetching spam content or redirect instructions from remote servers
  • Injecting SEO spam into responses
  • Maintaining persistence through sitemap and robots.txt manipulation
Bot Detection and Cloaking
A critical component of the payload is its cloaking mechanism.

The malware inspects the HTTP User-Agent to determine whether the visitor is a known crawler (such as Googlebot or Bingbot).

  • Search engine crawlers receive keyword-stuffed spam pages
  • Real users are redirected to external scam or affiliate-driven sites
This selective behavior lets the attackers rank spam pages highly in search results without alerting site owners, who never see the spam during normal browsing. Because the decision rests on a client-supplied header, the same trick works for defenders: request the page with a crawler User-Agent and with a browser User-Agent and compare the two responses.
Incoming Request
      |
      v
[User-Agent Check]
      |
      +--> Search Engine Bot --> Serve Spam Content
      |
      +--> Human Visitor     --> Conditional Redirect
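The User-Agent decision described above can be reproduced from outside the site. The following Python script is an added example for this article, not code from Quttera or from the campaign: it requests one URL twice, once with a Googlebot User-Agent and once with a browser one, refuses to follow redirects, and reports when the two answers diverge (an off-site redirect for the browser, or bodies and titles that barely overlap). The responses used by demo() are constructed, and the hosts example.com and example.invalid are placeholders.

```python
"""Cloaking check: fetch one URL as a crawler and as a browser, then compare."""
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")


@dataclass
class Response:
    status: int
    location: str   # Location header, "" when absent
    body: str


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None     # surface the 3xx to the caller instead of following it


def fetch(url, user_agent, timeout=15):
    """Live request (not exercised by demo()); returns status, Location and body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent, "Accept": "text/html"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.status, r.headers.get("Location", ""), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:   # 3xx and 4xx/5xx land here because redirects are not followed
        return Response(e.code, e.headers.get("Location", ""), e.read().decode("utf-8", "replace"))


def visible_words(html):
    """Lower-cased words a reader would see: scripts, styles and tags stripped."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
    text = re.sub(r"<[^>]+>", " ", html)
    return {w.lower() for w in re.findall(r"[a-z0-9]{3,}", text, re.I)}


def title(html):
    m = re.search(r"(?is)<title[^>]*>(.*?)</title>", html)
    return re.sub(r"\s+", " ", m.group(1)).strip() if m else ""


def compare(bot, human, site_host):
    """Return human-readable findings when crawler and browser are treated differently."""
    findings = []
    if 300 <= human.status < 400 and bot.status == 200:
        host = urllib.parse.urlsplit(human.location).hostname or ""
        if host and host != site_host:
            findings.append(f"browser redirected off-site to {human.location}; crawler got 200")
    if bot.status == 200 and human.status == 200:
        a, b = visible_words(bot.body), visible_words(human.body)
        jaccard = len(a & b) / max(1, len(a | b))
        if jaccard < 0.5:
            findings.append(f"crawler and browser bodies share only {jaccard:.0%} of their words")
        if title(bot.body) != title(human.body):
            findings.append(f"title differs: crawler={title(bot.body)!r} browser={title(human.body)!r}")
    return findings


def check_url(url):
    host = urllib.parse.urlsplit(url).hostname
    return compare(fetch(url, CRAWLER_UA), fetch(url, BROWSER_UA), host)


# Constructed responses standing in for a cloaked page; not captured from a real site.
SAMPLE_BOT = Response(200, "", "<html><head><title>Keyword stuffed page</title></head><body>"
                      + " ".join(f"spam keyword block {i}" for i in range(40)) + "</body></html>")
SAMPLE_HUMAN = Response(302, "https://example.invalid/landing", "")
SAMPLE_CLEAN = Response(200, "", "<html><head><title>Acme Bakery</title></head><body>"
                        "Fresh bread and pastries, baked daily in our shop.</body></html>")


def demo():
    return {
        "cloaked_redirect": compare(SAMPLE_BOT, SAMPLE_HUMAN, "example.com"),
        "cloaked_content": compare(SAMPLE_BOT, SAMPLE_CLEAN, "example.com"),
        "clean": compare(SAMPLE_CLEAN, SAMPLE_CLEAN, "example.com"),
    }


if __name__ == "__main__":
    import sys
    for u in sys.argv[1:]:
        print(u, check_url(u) or "no cloaking detected")
```

Run it against the site's home page and a few deep URLs. Two caveats: a page cache or CDN may have stored one variant and serve it to both requests, so test with cache-busting parameters or directly against the origin; and a clean result does not prove absence, because some variants gate on more than the User-Agent (the page itself only documents the User-Agent check).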
SEO Abuse and Persistence
Beyond serving spam content, the malware actively works to accelerate indexing and persistence:

  • Fake XML sitemaps are generated to advertise spam URLs
  • robots.txt may be overwritten to guide crawlers toward malicious content
  • Requests for SEO-related files are intercepted and dynamically served
This ensures that spam pages are quickly discovered and indexed, maximizing monetization before they are detected.
Campaign Infrastructure and MaaS Characteristics
The Z-Campaign shows strong indicators of a Malware-as-a-Service (MaaS) operation:

  • Shared infrastructure across many victims
  • Structured URL paths suggesting campaign and affiliate identifiers
  • Centralized control of spam content and redirects
This model allows operators to manage thousands of infected sites simultaneously and rotate spam campaigns without redeploying malware.
Indicators of Compromise (Public-Safe)
Website owners and defenders should watch for the following warning signs:

File System Indicators
  • Unexpected dot-directories, often named to resemble hosting artifacts (e.g., .cpanel, .config); compare against what the hosting control panel actually creates
  • Non-PHP files containing executable PHP code
  • Unknown sitemap files (e.g., *sitemap*.xml)
  • Modified or regenerated robots.txt
Code-Level Indicators
  • Core PHP files (index.php in particular) that require_once a file you did not add, especially one with no .php extension or in a dot-directory
  • Functions used to fetch remote content (curl_exec, fsockopen, file_get_contents on an http URL) in files that should not talk to the network
  • Conditional output based on User-Agent or HTTP referer
Behavioral Indicators
  • Spam pages are visible in Google search results but not in browsers
  • Sudden SEO ranking changes for unrelated keywords
  • Search Console warnings or manual actions
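The loader described under Stage 1 and the file-system and code-level indicators above can be checked in one offline walk of the document root. The following Python scanner is an added example, not a Quttera tool and not the campaign's code: it flags dot-directories, PHP open tags in non-PHP files, static sitemap files and Sitemap: lines in robots.txt, include/require statements near the top of a file whose quoted target passes through a dot-directory or lacks a .php extension, and files that combine a User-Agent check with a remote fetch. The tree built by build_sample_site() is constructed to mirror the layout the text describes; the payload name cache.txt and the host example.invalid are assumptions, and a hit on a directory such as .cpanel still has to be compared against what the hosting panel really creates.

```python
"""Offline scan for the loader and payload artifacts described in the text.
The sample tree below is constructed for illustration, not recovered malware."""
import os
import re
import tempfile
from dataclasses import dataclass

PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".inc")
# require/include of a quoted path, optionally prefixed the way WordPress core does it.
INCLUDE_RE = re.compile(
    r"\b(require|include)(_once)?\s*\(?\s*"
    r"(?:(?:__DIR__|dirname\s*\(\s*__FILE__\s*\)|\$_SERVER\[['\"]DOCUMENT_ROOT['\"]\])\s*\.\s*)?"
    r"(['\"])([^'\"]+)\3",
    re.I,
)
UA_RE = re.compile(r"HTTP_USER_AGENT|googlebot|bingbot", re.I)
FETCH_RE = re.compile(
    r"\b(curl_exec|curl_init|fsockopen|stream_socket_client|wp_remote_get"
    r"|file_get_contents\s*\(\s*['\"]https?:)", re.I)
PHP_OPEN_RE = re.compile(r"<\?(php\b|=)", re.I)


@dataclass
class Finding:
    path: str
    rule: str
    detail: str


def has_hidden_segment(path):
    """True for paths that pass through a dot-directory (e.g. /.cpanel/x)."""
    return any(seg.startswith(".") and seg not in (".", "..")
               for seg in re.split(r"[\\/]", path))


def check_php_source(path, src):
    findings = []
    for m in INCLUDE_RE.finditer(src[:4096]):      # loaders are prepended, so only the head matters
        target = m.group(4)
        if has_hidden_segment(target) or not target.lower().endswith(PHP_EXT):
            findings.append(Finding(path, "loader-include",
                                    f"{m.group(1)}{m.group(2) or ''} of {target!r}"))
    if UA_RE.search(src) and FETCH_RE.search(src):
        findings.append(Finding(path, "cloaking-c2", "User-Agent check combined with a remote fetch"))
    return findings


def scan_tree(root):
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.startswith("."):
                findings.append(Finding(os.path.join(dirpath, d), "dot-directory",
                                        "hidden directory in the web tree; confirm it is expected"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "rb") as f:
                    src = f.read(512 * 1024).decode("utf-8", "replace")
            except OSError:
                continue
            if ext == ".xml" and "sitemap" in name.lower():
                findings.append(Finding(path, "sitemap-file", "static sitemap on disk; confirm the site generated it"))
            if name.lower() == "robots.txt":
                for line in src.splitlines():
                    if line.lower().startswith("sitemap:"):
                        findings.append(Finding(path, "robots-sitemap", line.strip()))
            if ext in PHP_EXT:
                findings.extend(check_php_source(path, src))
            elif PHP_OPEN_RE.search(src):          # executable PHP hiding in a .txt or extension-less file
                findings.append(Finding(path, "php-in-non-php", f"PHP open tag in a {ext or 'extension-less'} file"))
                findings.extend(check_php_source(path, src))
    return findings


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def build_sample_site(root):
    """Constructed sample: a loader line prepended to index.php plus a payload in a dot-directory."""
    _write(root, "index.php",
           "<?php require_once $_SERVER['DOCUMENT_ROOT'].'/.cpanel/cache.txt'; ?>\n"
           "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
    _write(root, "wp-blog-header.php", "<?php\nrequire_once __DIR__ . '/wp-load.php';\n")
    _write(root, ".cpanel/cache.txt",
           "<?php\n$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';\n"
           "if (stripos($ua, 'googlebot') !== false) {\n"
           "    echo file_get_contents('http://example.invalid/feed');\n}\n")
    _write(root, "product-sitemap.xml", "<?xml version=\"1.0\"?><urlset></urlset>\n")
    _write(root, "robots.txt", "User-agent: *\nSitemap: https://example.invalid/product-sitemap.xml\n")


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.rule:16} {f.path}  {f.detail}")
```

Point scan_tree() at the real document root rather than demo(). The sample run reports the .cpanel directory, the loader include in index.php, the PHP tag and the User-Agent plus fetch combination in cache.txt, the static sitemap and the Sitemap: line in robots.txt, while the genuine wp-blog-header.php include produces nothing. Includes whose target is assembled from variables are not parsed by this regex and still need a manual look.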
MITRE ATT&CK Mapping (Web-Focused)
Note: MITRE ATT&CK techniques are mapped based on observed behavior and publicly documented definitions; not all techniques may be present in every variant.

Technique ID | Technique Name                                | Usage in Z-Campaign
T1505.003    | Server Software Component: Web Shell          | Server-side malicious PHP logic
T1059        | Command and Scripting Interpreter             | Payload execution through the PHP interpreter (ATT&CK defines no PHP sub-technique; T1059.007 is JavaScript)
T1071.001    | Application Layer Protocol: Web Protocols     | C2 communication over HTTP
T1036        | Masquerading                                  | Benign file names and extensions
T1565.001    | Data Manipulation: Stored Data Manipulation   | SEO content injection
T1190        | Exploit Public-Facing Application             | Likely initial access vector

Remediation Steps
If a site is suspected or confirmed to be infected:

  1. Remove the loader - Diff core PHP files against a pristine copy of the same CMS release and remove any include or require statement that is not part of it
  2. Delete the hidden payload - Remove malicious files from dot-directories or unexpected locations
  3. Restore SEO files - Rebuild robots.txt and delete unauthorized sitemaps
  4. Flush caches - Clear application, CDN, and server-side caches
  5. Request re-indexing - Use search engine tools to remove spam URLs and trigger a clean crawl
  6. Patch and harden - Update CMS, plugins, themes, and credentials to prevent reinfection
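Hand-editing index.php on a live site is error-prone, so step 1 is shown below as an added Python helper (not Quttera's tooling). It removes include/require statements from the top of a core PHP file only when their quoted target passes through a dot-directory or is not a .php file, after writing a .bak copy of the original. The index.php written by demo() is a constructed sample; includes whose target is built from a variable are left in place for manual review.

```python
"""Step 1 of the remediation list: strip an injected include from the top of a core file.
The sample index.php in demo() is constructed, not a recovered loader."""
import os
import re
import shutil
import tempfile

STMT_RE = re.compile(r"\b(require|include)(_once)?\b[^;]*;", re.I)
QUOTED_RE = re.compile(r"['\"]([^'\"]+)['\"]")


def is_suspicious_include(stmt):
    """Include whose quoted target passes through a dot-directory or is not a .php file.
    Assumption: legitimate core includes name .php files in normal directories."""
    for target in QUOTED_RE.findall(stmt):
        if target == "DOCUMENT_ROOT":      # key from $_SERVER['DOCUMENT_ROOT'], not a path
            continue
        segs = re.split(r"[\\/]", target)
        if any(s.startswith(".") and s not in (".", "..") for s in segs):
            return True
        if not target.lower().endswith(".php"):
            return True
    return False


def clean_loader(path, head_chars=2048, dry_run=False):
    """Drop suspicious include statements from the first head_chars of the file.
    Returns the removed statements; writes path + '.bak' before changing anything."""
    with open(path, "r", encoding="utf-8", errors="surrogateescape") as f:
        src = f.read()
    head, tail = src[:head_chars], src[head_chars:]
    removed = []

    def drop(m):
        if is_suspicious_include(m.group(0)):
            removed.append(m.group(0))
            return ""
        return m.group(0)

    new_head = STMT_RE.sub(drop, head)
    if removed and not dry_run:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8", errors="surrogateescape") as f:
            f.write(new_head + tail)
    return removed


# Constructed sample: loader prepended in its own PHP block, then the usual WordPress front controller.
SAMPLE_INDEX = (
    "<?php require_once $_SERVER['DOCUMENT_ROOT'].'/.cpanel/cache.txt'; ?>\n"
    "<?php\n"
    "define('WP_USE_THEMES', true);\n"
    "require __DIR__ . '/wp-blog-header.php';\n"
)


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "index.php")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_INDEX)
        removed = clean_loader(path)
        with open(path, encoding="utf-8") as f:
            after = f.read()
        return removed, after, os.path.exists(path + ".bak")


if __name__ == "__main__":
    removed, after, _ = demo()
    print("removed:", removed)
    print(after)
```

Run with dry_run=True first and read the returned statements before letting it write. Removing the statement leaves an empty `<?php ?>` block behind, which PHP ignores; delete the payload file the statement pointed at in the same change, or a second loader elsewhere will simply re-include it.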


Why Traditional Scanners Miss This Campaign
The Z-Campaign highlights several blind spots in traditional security tooling:

  • Minimal changes to legitimate files
  • Executable logic hidden in non-standard file types
  • Payloads stored outside typical scanning paths
  • Conditional output that only crawlers ever see
Effective defense requires behavioral analysis, file integrity monitoring, and continuous external scanning.
Final Thoughts
Spam SEO malware is not a low-impact nuisance—it can silently destroy a site’s reputation, revenue, and trust. The Z-Campaign demonstrates how attackers continue to refine their techniques to evade detection while maximizing monetization.
Understanding how these campaigns operate is the first step toward detecting them early and stopping them effectively.

Quttera Threat Research Team