
SEO Poisoning Campaign Exposes 8,500+ SMBs to Malware Disguised as AI Tools

Cybersecurity researchers have unveiled a malicious campaign that uses search engine optimization (SEO) poisoning methods to distribute a well-known malware loader named Oyster (also known as Broomstick or CleanUpLoader). According to Arctic Wolf, this malvertising effort targets software professionals searching for legitimate tools like PuTTY and WinSCP by promoting fake versions of these programs.

When one of these trojanized applications is executed, the Oyster backdoor is installed. Arctic Wolf highlighted that persistence is achieved through a scheduled task that runs every three minutes and launches a malicious DLL (twain_96.dll) through rundll32.exe, which keeps the operators' access to the system alive.
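The scheduled-task persistence described above is easy to hunt for once scheduled tasks are exported to CSV (for example with `schtasks /query /fo CSV /v`). The script below is an added example, not code from the article or from Arctic Wolf: it reads a constructed, cut-down CSV and flags tasks whose action is rundll32.exe loading a DLL from outside the Windows directory, or whose repeat interval is five minutes or shorter. The task names, the user `alice` and the DLL path under AppData are assumptions made up for the sample; only the DLL name twain_96.dll and the three-minute interval come from the report.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output, reduced to
# four columns. Rows are made up for this example, not captured from a real host.
SAMPLE_CSV = r'''"TaskName","Task To Run","Repeat: Every","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","N/A","SYSTEM"
"\FirefoxUpdate","rundll32.exe C:\Users\alice\AppData\Roaming\twain_96.dll","0:03:00","alice"
"\ExampleVendor\IndexMaintenance","rundll32.exe C:\Windows\System32\SearchIndexer.dll","0:30:00","SYSTEM"
'''

# rundll32 (with or without .exe), optional quote, then the DLL path up to a comma or quote.
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)', re.IGNORECASE)
# DLLs legitimately run by rundll32 almost always live here; anything else deserves a look.
TRUSTED_DIR_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", "%windir%", "%systemroot%")
MAX_BENIGN_INTERVAL_MIN = 5  # repeat intervals at or below this are unusual for real software


def interval_minutes(text):
    """Parse schtasks' H:MM:SS repeat interval; return None for values like 'N/A' or 'Disabled'."""
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", text.strip())
    if not m:
        return None
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 60 + minutes + seconds / 60


def dll_outside_system_dirs(dll_path):
    """True when the DLL path does not start with one of the trusted Windows directories."""
    return not dll_path.strip().lower().startswith(TRUSTED_DIR_PREFIXES)


def assess_task(row):
    """Return a list of human-readable reasons this task looks suspicious (empty if none)."""
    reasons = []
    m = RUNDLL32_RE.search(row["Task To Run"])
    if m and dll_outside_system_dirs(m.group("dll")):
        reasons.append(f"rundll32 loads {m.group('dll')} from outside the Windows directory")
    mins = interval_minutes(row["Repeat: Every"])
    if mins is not None and mins <= MAX_BENIGN_INTERVAL_MIN:
        reasons.append(f"repeats every {mins:g} min")
    return reasons


def find_suspicious_tasks(csv_text):
    """Parse the CSV export and return every task with at least one reason attached."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess_task(row)
        if reasons:
            hits.append({"task": row["TaskName"], "command": row["Task To Run"],
                         "user": row["Run As User"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_CSV):
        print(f"{hit['task']} (as {hit['user']}): {hit['command']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

Both signals are deliberately independent: a DLL in a user-writable directory is worth a look even with a long interval, and a very short interval is worth a look even when the action is not rundll32. Tune the trusted-directory list to the environment before running this against a fleet-wide export.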

Examples of some malicious websites involved in this operation include updaterputty.com, zephyrhype.com, and putty.run. It appears that the threat actors may also be eyeing other IT tools for similar strategies, emphasizing the need for users to only download software from trusted sources.

The disclosure coincides with the use of black hat SEO techniques to manipulate search results for AI-related keywords, spreading malware such as Vidar, Lumma, and Legion Loader. These sites are equipped with JavaScript that checks for ad blockers and gathers browser information before redirecting users to phishing pages. Such pages often deliver malware as password-protected ZIP archives, with the final page supplying the archive password.
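Password-protected archives are used precisely because a gateway cannot scan their contents, but the ZIP format leaves the entry names and the "encrypted" flag in cleartext, so a download filter can still reason about them. The following is an added example (not code from the article or any of the vendors it cites) of that check: it reads only the ZIP headers, reports which entries are flagged as encrypted and which carry executable names, and returns a verdict. The archives it inspects are constructed in memory; the `build_zip` helper fakes a password-protected archive by setting the encryption bit in the headers, since the standard library cannot write encrypted ZIPs.

```python
import io
import struct
import zipfile

# Extensions a download gateway would treat as executable content.
EXECUTABLE_EXTS = (".exe", ".dll", ".msi", ".scr", ".js", ".vbs", ".lnk", ".bat", ".cmd")


def build_zip(name, payload, mark_encrypted=False):
    """Build a one-entry ZIP in memory (constructed sample, not a real download).

    With mark_encrypted=True, bit 0 of the general-purpose flags is set in both the
    local file header and the central directory entry, which is exactly what a
    password-protected archive looks like to a header-only scanner. The payload
    bytes are left as-is; only the flag is changed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Flags sit 6 bytes into the local header and 8 bytes into the central entry.
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            (flags,) = struct.unpack_from("<H", data, pos + flag_offset)
            struct.pack_into("<H", data, pos + flag_offset, flags | 0x0001)
    return bytes(data)


def inspect_archive(data):
    """Summarise a ZIP from its headers alone, without extracting or decrypting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & 0x0001]
    executables = [i.filename for i in infos
                   if i.filename.lower().endswith(EXECUTABLE_EXTS)]
    if encrypted and executables:
        verdict = "block"    # unscannable archive that claims to carry an executable
    elif encrypted or executables:
        verdict = "review"   # either needs a password to scan, or needs AV on the binary
    else:
        verdict = "allow"
    return {"entries": len(infos), "encrypted": encrypted,
            "executables": executables, "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples: a harmless text archive and a lure shaped like the AI-tool downloads.
    for label, archive in (
        ("notes", build_zip("notes.txt", b"meeting notes")),
        ("lure", build_zip("ChatGPT_Desktop_Setup.exe", b"MZ not a real binary", mark_encrypted=True)),
    ):
        print(label, inspect_archive(archive))
```

The file name `ChatGPT_Desktop_Setup.exe` is an invented placeholder in the style of the lures described, not an indicator from the article. In production the same logic would sit in a proxy or mail gateway, where a "block" verdict is safe because no legitimate installer ships as an encrypted ZIP whose password is printed on the landing page.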

The NSIS installer used by that campaign executes an AutoIt script that launches the malicious payloads. Legion Loader differs in its delivery method, arriving through an MSI installer instead.

Another observed campaign using similar SEO poisoning tactics directs users looking for popular web applications to fraudulent CAPTCHA pages that deploy RedLine Stealer via Hijack Loader. Research by Kaspersky indicates that small to medium-sized businesses are increasingly exposed as cybercriminals disguise malware as trustworthy AI and collaboration tools; these lures targeted around 8,500 users from January to April 2025.

The report specified that Zoom, Outlook, and PowerPoint were among the most frequently mimicked applications, highlighting the urgency for users to be vigilant against such threats. Additionally, scammers have exploited search parameters to redirect users to fake customer support pages for major brands, replacing authentic contact numbers with scam numbers, further complicating the cybersecurity landscape.

These schemes extend beyond Google’s advertising platform, as malicious advertisements have also surfaced on Facebook, targeting users with deceptive cryptocurrency-related offers. The malware distributed through this channel has been discovered to steal saved credentials and cryptocurrency wallet keys while evading detection.

Recent findings have also exposed networks of fraudulent websites impersonating various software brands and distributing malware, all part of a broader landscape where criminals engage in systematic fraud operations. Ultimately, the continuous emergence of these tactics serves as a call to action for users and organizations to remain vigilant and rely on reputable sources for software downloads and services.

