Cybersecurity researchers have uncovered a sophisticated malicious campaign that uses search engine optimization (SEO) poisoning tactics to distribute a known malware loader called Oyster (also known as Broomstick or CleanUpLoader). According to Arctic Wolf, this malvertising scheme promotes fake websites hosting trojanized versions of popular tools like PuTTY and WinSCP, aiming to deceive IT professionals searching for legitimate software into downloading compromised versions instead.
“Upon execution, a backdoor known as Oyster/Broomstick is installed,” the company explained. “Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism.”
Some of the fraudulent domains involved include updaterputty[.]com, zephyrhype[.]com, putty[.]run, putty[.]bet, and puttyy[.]org. It’s believed the attackers may be targeting other IT tools as well, emphasizing the importance of downloading software exclusively from trusted sources.
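The scheduled-task persistence described above can be hunted for by inspecting exported task definitions. The following Python is an added example, not code from Arctic Wolf's report: it parses Task Scheduler XML and flags the combination of rundll32.exe with a DllRegisterServer argument, a DLL under a user-writable directory, and a repetition interval of five minutes or less. Both task samples are constructed; only the twain_96.dll name and the three-minute interval come from the report, and the DLL path and task layout are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a standard user can write to; a DLL persisted here is far more
# suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO-8601 duration (e.g. PT3M, PT1H30M) into seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def assess_task(task_xml, max_interval=300):
    """Return the Oyster-style indicators found in one scheduled-task XML definition."""
    root = ET.fromstring(task_xml)
    hits = []
    for exc in root.iterfind(".//t:Exec", NS):
        cmd = (exc.findtext("t:Command", "", NS) or "").strip().strip('"').lower()
        args = exc.findtext("t:Arguments", "", NS) or ""
        if cmd.rsplit("\\", 1)[-1] == "rundll32.exe" and "dllregisterserver" in args.lower():
            hits.append("rundll32 invoking DllRegisterServer export")
            if USER_WRITABLE.search(args):
                hits.append("DLL loaded from user-writable path")
    for iv in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(iv.text)
        if secs is not None and secs <= max_interval:
            hits.append(f"repeats every {secs // 60} minutes")
    return hits

# Constructed sample mirroring the reported persistence: 3-minute repetition and
# rundll32 + DllRegisterServer on twain_96.dll (name from the report; path assumed).
OYSTER_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval></Repetition></TimeTrigger></Triggers>
<Actions><Exec><Command>rundll32.exe</Command>
<Arguments>C:\Users\user\AppData\Roaming\twain_96.dll,DllRegisterServer</Arguments></Exec></Actions>
</Task>"""

# Constructed benign sample: an hourly vendor updater under Program Files.
BENIGN_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
<Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/check</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("oyster", OYSTER_TASK), ("benign", BENIGN_TASK)):
        print(name, assess_task(xml))
```

On a live host the XML to feed in comes from `schtasks /Query /TN <task> /XML` or from the task definition embedded in Security log event 4698 (a scheduled task was created).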
This campaign coincides with a rise in black hat SEO poisoning targeting AI-related keywords, spreading malware such as Vidar, Lumma, and Legion Loader. These malicious sites use JavaScript to detect ad blockers and collect browser information before redirecting victims to phishing pages that host password-protected ZIP archives containing large NSIS installers designed to evade detection. Zscaler ThreatLabz noted, “Once extracted, they contain an 800MB NSIS installer, a deceptively large size intended to appear legitimate and bypass detection systems with file size limitations.”
Similarly, another SEO poisoning campaign elevates phishing pages mimicking popular web applications and directs users to fake Cloudflare CAPTCHA checks that drop RedLine Stealer via Hijack Loader.
Kaspersky reported a sharp increase in malware attacks targeting small and medium-sized businesses (SMBs), with cybercriminals disguising threats as widely used AI and collaboration tools like OpenAI ChatGPT, Microsoft Office, and Zoom. “Between January and April 2025 alone, around 8,500 small and medium-sized business users were targeted,” the firm revealed.
Additionally, attackers manipulate search results for brand support pages using search parameter injection, replacing legitimate help numbers with scammy ones to dupe users. Malwarebytes explained, “The parameters added… are not visible in the sponsored search result, thereby giving no reason for users to suspect anything is amiss.”
Beyond Google, Facebook ads have been exploited to phish cryptocurrency wallet recovery phrases and spread malware tied to events like Pi2Day, with Bitdefender suggesting a single actor may be running multiple fraud schemes on Meta platforms.
Furthermore, campaigns delivering Poseidon Stealer on macOS and PayDay Loader on Windows—dubbed Dark Partners—use Google Calendar links as command-and-control servers to exfiltrate sensitive data. Researcher g0njxa noted, “The PayDay Loader has a Node.js stealer module to exfiltrate cryptocurrencies wallet data to an external C2.”
These efforts are part of larger networks, such as GhostVendors, that use Facebook ads to promote thousands of fake marketplace sites designed to steal credit card data and exploit consumers with bogus product offers, often removing ads quickly to avoid detection. Silent Push researchers highlighted, “Potentially these threat actors were taking advantage of this by rapidly launching and stopping ads for similar products on different pages.”
This surge in SEO poisoning, malvertising, and fake marketplace scams underscores the growing sophistication of cybercriminals exploiting trusted brands and search engines to trick users and steal sensitive information.