SEO Poisoning Campaign Targets IT Pros: Fake PuTTY & WinSCP Sites Deliver “Oyster” Backdoor
Cybersecurity experts at Arctic Wolf have identified a fresh wave of attacks employing SEO poisoning techniques, aimed at distributing a well-known malware loader called Oyster—also referred to as Broomstick or CleanUpLoader. Threat actors are leveraging counterfeit websites that mimic the official domains of widely used utilities like PuTTY and WinSCP to deceive users—primarily IT professionals—who search for these tools via search engines.
These malicious sites prompt users to download fraudulent versions of legitimate software. Once executed, a backdoor named Oyster is silently installed on the victim’s system. To ensure persistence, attackers create a scheduled task that executes a malicious DLL file every three minutes via the “rundll32.exe” utility—an indicator of DLL registration abuse as the primary persistence mechanism.
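The persistence pattern described above (a scheduled task invoking rundll32.exe against a DLL on a short repetition interval) is something a defender can hunt for on endpoints. The following PowerShell script is an added example written for this article, not code from Arctic Wolf or from the Oyster report; the interval threshold, the user-writable path heuristic and the output fields are assumptions chosen for illustration.

```powershell
# Hunt for scheduled tasks that launch rundll32.exe with a DLL argument on a
# short repetition interval (Oyster uses every three minutes). Added example,
# not from the original report; thresholds and path patterns are assumptions.
param(
    [int]$MaxIntervalMinutes = 10   # flag repetition intervals at or below this
)

# Scheduled-task repetition intervals are ISO 8601 durations such as "PT3M".
function ConvertTo-Minutes([string]$IsoDuration) {
    if ([string]::IsNullOrEmpty($IsoDuration)) { return $null }
    try { return [System.Xml.XmlConvert]::ToTimeSpan($IsoDuration).TotalMinutes }
    catch { return $null }
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only actions whose executable is rundll32 are of interest here.
        if ($action.Execute -notmatch 'rundll32(\.exe)?$') { continue }
        $argString = [string]$action.Arguments

        # rundll32 arguments normally name a DLL and an export ("<path>.dll,<Export>").
        # A DLL under a user-writable location is a heuristic (assumption), not proof.
        $userWritableDll = ($argString -match '\.dll') -and
                           ($argString -match 'AppData|\\Temp\\|ProgramData|Users\\Public')

        foreach ($trigger in $task.Triggers) {
            $interval = ConvertTo-Minutes $trigger.Repetition.Interval
            if ($null -ne $interval -and $interval -le $MaxIntervalMinutes) {
                [pscustomobject]@{
                    TaskPath        = $task.TaskPath
                    TaskName        = $task.TaskName
                    Author          = $task.Author
                    Execute         = $action.Execute
                    Arguments       = $argString
                    IntervalMinutes = $interval
                    UserWritableDll = $userWritableDll
                    LastRunTime     = ($task | Get-ScheduledTaskInfo).LastRunTime
                }
            }
        }
    }
}

# Review hits manually: legitimate software rarely re-runs a DLL every few minutes.
$findings | Sort-Object IntervalMinutes | Format-Table -AutoSize
```

Run it in an elevated session so tasks registered by other accounts are enumerated; a hit with UserWritableDll set to True and an interval of a few minutes matches the behaviour this article describes and warrants collecting the DLL for analysis.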
Among the identified fake domains spreading the malware are updaterputty[.]com, zephyrhype[.]com, putty[.]run, putty[.]bet, and puttyy[.]org. Analysts believe the list of spoofed applications used to disseminate this loader likely extends beyond just PuTTY and WinSCP.
Simultaneously, other campaigns have surfaced, also employing SEO poisoning to push malware under the guise of artificial intelligence tools. When users search for AI utilities, they may be redirected to sites embedded with JavaScript designed to detect ad blockers and fingerprint browser details. This is followed by a series of redirects leading to phishing pages offering ZIP archives laced with malware.
According to Zscaler, these archives often culminate in the deployment of Vidar Stealer or Lumma Stealer—both delivered as password-protected ZIP files, with the password conveniently displayed on the page. These archives contain an 800MB NSIS installer, a size that creates an illusion of legitimacy while helping evade antivirus solutions that limit or skip scanning of very large files. The installer then executes an AutoIt script to trigger the malware payload. Another variant involving Legion Loader uses MSI files and BAT scripts for code execution.
A similar campaign leverages fake Cloudflare CAPTCHA pages. Victims are lured to counterfeit versions of popular web services, where a known technique called ClickFix is used to install RedLine Stealer via Hijack Loader.
Data from Kaspersky Lab reveals that small and mid-sized enterprises are increasingly targeted. In the first four months of 2025 alone, roughly 8,500 incidents were recorded in which malware or potentially unwanted programs masqueraded as legitimate tools such as OpenAI ChatGPT, DeepSeek, Cisco AnyConnect, Google Drive, Microsoft Office, Teams, Salesforce, and Zoom. Zoom accounted for 41% of all unique malicious files, followed by Outlook and PowerPoint (16% each), Excel (12%), Word (9%), and Teams (5%). Meanwhile, the number of fake files impersonating ChatGPT surged by 115%, reaching 177 unique instances.
Particularly concerning are attacks that exploit search engine listings for the tech support pages of well-known brands. When users search for support pages for companies like Apple, Microsoft, Netflix, or PayPal, they may encounter counterfeit sites that closely resemble legitimate ones. Instead of displaying authentic support contact details, these pages provide fraudulent information. This deception is achieved through the manipulation of search parameters that alter the page’s appearance in search results—without modifying the displayed URL. These fraudulent entries are often promoted via paid ads on Google.
These incidents underscore how aggressively cybercriminals exploit the public’s trust in reputable brands, advertising platforms, and search engines to disseminate malware. By fusing social engineering, technical trickery, and large-scale SEO manipulation, attackers are transforming ordinary web searches into high-risk endeavors.
This new wave of attacks doesn’t merely spoof applications or services—it weaponizes the very mechanisms of internet navigation, turning every download and every click into a potential point of compromise.