Cybersecurity researchers have uncovered a sophisticated malvertising campaign that has been actively targeting IT professionals since early June 2025, using search engine optimization (SEO) poisoning to distribute the dangerous Oyster backdoor through fake versions of popular administrative tools.
Campaign Mechanics and Initial Infection
Arctic Wolf researchers first identified this campaign, which leverages malicious sponsored advertisements and compromised search results to trick IT administrators into downloading trojanized versions of legitimate software, including PuTTY, WinSCP, and KeePass.
The attack begins when unsuspecting users search for these standard IT tools and encounter malicious websites that closely mimic official download pages.
CyberProof threat researchers documented a specific incident from July 2025 where a user downloaded a malicious installer masquerading as “PuTTY-setup.exe” from the URL danielaurel.tv/wp-json/api/download/553d53f6d17341fb5a4acdd48f2a0152.
The malicious file, with SHA256 hash a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb, was signed with a revoked certificate, highlighting the attackers’ use of compromised code-signing infrastructure.
Technical Operation and Persistence
Upon execution, the fake installer deploys the Oyster backdoor (also known as Broomstick or CleanupLoader) through a sophisticated multi-stage process.

The malware establishes persistence by creating a scheduled task called “FireFox Agent INC” that executes a malicious DLL file every three minutes via rundll32.exe using the DllRegisterServer export.
This technique demonstrates the attackers’ understanding of Windows system administration and their ability to blend malicious activity with legitimate system processes.
The backdoor provides comprehensive system access, enabling attackers to collect sensitive information, steal credentials, execute remote commands, and download additional payloads.
Security researchers have linked Oyster infections to subsequent ransomware deployments, including Rhysida attacks, making this campaign particularly dangerous for enterprise environments.
Widespread Infrastructure and Mitigation
The campaign operates through multiple malicious domains designed to impersonate legitimate software repositories.
Arctic Wolf has identified key infrastructure, including updaterputty[.]com, zephyrhype[.]com, putty[.]run, putty[.]bet, and puttyy[.]org.
These domains utilize convincing branding and professional web design to deceive even security-conscious IT professionals.
Organizations can protect themselves by implementing strict software acquisition policies that prohibit downloading administrative tools through search engines.
Instead, IT departments should maintain vetted internal repositories or require direct navigation to official vendor websites.
Network administrators should immediately block the identified malicious domains and monitor for the specific file hashes and scheduled task names associated with this campaign.
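As an added example (not part of the original article or any vendor's tooling), the following Python script turns the indicators above into simple detection rules and runs them over constructed sample telemetry. The record layout (type, host, cmdline, sha256, query, task_name, action, interval_min) is an assumed normalized format, not a real product schema; the domains, hash and task name are taken from the article.

```python
import re

# Indicators quoted from the article above.
IOC_DOMAINS = {"updaterputty.com", "zephyrhype.com", "putty.run", "putty.bet", "puttyy.org"}
IOC_SHA256 = {"a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb"}
IOC_TASK_NAMES = {"firefox agent inc"}
# Persistence pattern described: rundll32.exe calling a DLL's DllRegisterServer export.
RUNDLL32_REGSVR = re.compile(r"rundll32(\.exe)?\s+.+?,\s*DllRegisterServer\b", re.IGNORECASE)


def check_event(ev):
    """Return (rule, detail) hits for one record in the assumed normalized format."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        if ev.get("sha256", "").lower() in IOC_SHA256:
            hits.append(("known_oyster_installer_hash", ev["image"]))
        if RUNDLL32_REGSVR.search(ev.get("cmdline", "")):
            hits.append(("rundll32_dllregisterserver", ev["cmdline"]))
    elif kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(("oyster_domain_lookup", q))
    elif kind == "task_created":
        if ev.get("task_name", "").lower() in IOC_TASK_NAMES:
            hits.append(("oyster_task_name", ev["task_name"]))
        # Behavioural fallback: a rundll32/DllRegisterServer task that repeats every few
        # minutes (the article reports three). An unknown interval is treated as suspicious.
        elif RUNDLL32_REGSVR.search(ev.get("action", "")) and ev.get("interval_min", 0) <= 5:
            hits.append(("frequent_rundll32_task", ev["task_name"]))
    return hits


def scan(events):
    return [(ev.get("host"), rule, detail) for ev in events for rule, detail in check_event(ev)]


# Constructed sample telemetry (not real logs) exercising each rule plus one benign record.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws01", "query": "updaterputty.com"},
    {"type": "process", "host": "ws01", "image": r"C:\Users\a\Downloads\PuTTY-setup.exe",
     "cmdline": "PuTTY-setup.exe",
     "sha256": "A8E9F0DA26A3D6729E744A6EA566C4FD4E372CEB4B2E7FC01D08844BFC5C3ABB"},
    {"type": "task_created", "host": "ws01", "task_name": "FireFox Agent INC",
     "action": r"rundll32.exe C:\Users\a\AppData\Roaming\x.dll,DllRegisterServer", "interval_min": 3},
    {"type": "task_created", "host": "ws02", "task_name": "Updater",
     "action": r"rundll32.exe C:\ProgramData\u\z.dll,DllRegisterServer", "interval_min": 3},
    {"type": "process", "host": "ws03", "image": r"C:\Program Files\PuTTY\putty.exe",
     "cmdline": "putty.exe", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The second task rule is deliberately looser than the name match, so it will also surface legitimate DllRegisterServer tasks; treat it as a triage lead rather than a verdict.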
This ongoing threat shows how social engineering attacks have evolved to target IT professionals specifically, exploiting their daily workflows and the tools they trust to gain an initial foothold on systems.
Indicators of Compromise
- updaterputty[.]com
- zephyrhype[.]com
- putty[.]run
- putty[.]bet