Cybersecurity researchers have disclosed a malicious campaign that leverages search engine optimization (SEO) poisoning techniques to deliver a known malware loader called Oyster (aka Broomstick or CleanUpLoader).
The malvertising activity, per Arctic Wolf, promotes fake websites hosting trojanized versions of legitimate tools like PuTTY and WinSCP, aiming to trick software professionals searching for these programs into installing them instead.
“Upon execution, a backdoor known as Oyster/Broomstick is installed,” the company said in a brief published last week.
“Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism.”
The names of some of the bogus websites are listed below –
- updaterputty[.]com
- zephyrhype[.]com
- putty[.]run
- putty[.]bet, and
- puttyy[.]org
It’s suspected that the threat actors behind the campaign may also be targeting other IT tools to deliver the malware, making it imperative that users stick to trusted sources and official vendor sites to download the necessary software.
The disclosure comes as black hat SEO poisoning techniques are being used to game search results associated with artificial intelligence (AI)-related keywords to spread Vidar, Lumma, and Legion Loader.
These websites come fitted with JavaScript code that checks for the presence of ad blockers and gathers information from the victim’s browser, before initiating a redirection chain that ultimately takes the victim to a phishing page hosting a ZIP archive.
“The final download pages in this campaign deliver Vidar Stealer and Lumma Stealer as password-protected ZIP archives, with the password provided on the final downloading page,” Zscaler ThreatLabz said. “Once extracted, they contain an 800MB NSIS installer, a deceptively large size intended to appear legitimate and bypass detection systems with file size limitations.”
The NSIS installer is then used to execute an AutoIt script that’s ultimately responsible for launching the stealer payloads. The delivery mechanism for Legion Loader, in contrast, leverages an MSI installer to deploy the malware via a batch script.
A similar SEO poisoning campaign has been observed to elevate phishing pages when users search for the names of popular web applications to direct users to fake Cloudflare CAPTCHA check pages that make use of the infamous ClickFix strategy to drop RedLine Stealer via Hijack Loader.
According to data compiled by Kaspersky, small- and medium-sized businesses (SMBs) are being increasingly targeted by cyber attacks that deliver malware disguised as popular AI and collaboration tools like OpenAI ChatGPT, DeepSeek, Cisco AnyConnect, Google Drive, Microsoft Office, Microsoft Teams, Salesforce, and Zoom.
“Between January and April 2025 alone, around 8,500 small and medium-sized business users were targeted by cyberattacks in which malware or potentially unwanted software was disguised as these popular tools,” the Russian cybersecurity company said.
Zoom accounted for about 41% of the total number of unique files, followed by Outlook and PowerPoint at 16% each, Excel at 12%, Word at 9%, and Teams at 5%. The number of unique malicious files mimicking ChatGPT increased by 115% to 177 in the first four months of 2025.
While the trend of abusing fake search engine listings to take advantage of users’ implicit in popular brands is a well-known tactic, recent campaigns have hijacked searches for tech support pages linked to Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal to serve legitimate pages through sponsored results in Google – but with an ingenious twist.
“Visitors are taken to the help/support section of the brand’s website, but instead of the genuine phone number, the hijackers display their scammy number instead,” Malwarebytes said.
This is achieved by means of a technique called search parameter injection to show within a search bar a number that’s under the attacker’s control in order to give the impression that it’s an official search result within the help center pages and deceive unsuspecting users into calling them.
What makes the attack particularly insidious is that the parameters added to the right of the actual help center domain (e.g., “Call us 1-***-***-**** for free”) are not visible in the sponsored search result, thereby giving no reason for users to suspect anything is amiss.
It’s not just Google’s advertising platform. Threat actors have also been caught serving fake ads on Facebook to phish for cryptocurrency wallet recovery phrases and spreading malware in conjunction with Pi2Day, a yearly event linked to the Pi Network community.
The malware, spread via ads urging users to install a new version of the Pi Network desktop app for Windows, comes with capabilities to steal saved credentials and crypto wallet keys, log user input, and download additional payloads, all the while evading detection.
Romanian cybersecurity company Bitdefender said the activity is possibly the work of a single threat actor that’s “running parallel fraud schemes on Meta to maximize reach, financial gain, and targeting efficiency.”
It doesn’t end here, for phony websites impersonating AI, VPN services, and other well-known software brands have been found to deliver Poseidon Stealer on macOS systems and a loader dubbed PayDay Loader, which then acts as a conduit for Lumma Stealer on Windows machines. The activity has been codenamed Dark Partners by security researcher g0njxa.
PayDay Loader relies on Google Calendar links as a dead drop resolver to extract the command-and-control (C2) server and obtain obfuscated JavaScript code engineered to load the Lumma Stealer payload and siphon sensitive data.
Interestingly, the email address used to create the Google Calendar events (“echeverridelfin@gmail[.]com”) was also spotted in connection with a malicious npm package called “os-info-checker-es6.” This indicates that the Dark Partners actors have likely experimented with different delivery mechanisms.
“The PayDay Loader has a Node.js stealer module to exfiltrate cryptocurrencies wallet data to an external C2,” g0njxa said. “Using the ADM-ZIP library for Node.js , the PayDay Loader is able to find, pack, and send wallet information to a hard-coded C2 host.”
These campaigns go hand in hand with an ongoing phenomenon where scammers and cybercriminals set up sprawling networks comprising thousands of websites to spoof popular brands and commit financial fraud by advertising real products that are never delivered. One such network, dubbed GhostVendors by Silent Push, buys Facebook ads space to promote over 4,000 sketchy sites.
The malicious Facebook Marketplace ads are run for a few days, after which they are stopped, effectively deleting all traces of them from the Meta Ad Library. It’s worth pointing out that Meta has only retained ads on social issues, elections, and politics for the past seven years.
“This helped to confirm a known Meta ad library policy existed, and highlighted that potentially these threat actors were taking advantage of this by rapidly launching and stopping ads for similar products on different pages,” Silent Push researchers said.
Another network spotted by the company, targeting English and Spanish language shoppers with fake marketplace ads, is assessed to be the work of Chinese threat actors. These websites are mainly designed to steal credit card information entered on payment pages, while claiming to process the orders. Some of the bogus sites also include Google Pay purchase widgets to enable payments.
“This fake marketplace campaign primarily targets consumers with a phishing threat that exploits major brands, well-known organizations, and the fame of some political figures,” Silent Push said.
