Saturday, December 13, 2025

Cyber Attackers Manipulate Search Engines to Distribute Trojan-Infected Versions of PuTTY and WinSCP to IT Experts

Arctic Wolf has identified a sophisticated cybersecurity threat targeting IT professionals through search engine optimization (SEO) poisoning and malvertising campaigns since early June 2025.

The campaign involves the distribution of Trojanized versions of popular legitimate IT tools, specifically PuTTY and WinSCP, through fake websites that appear in search results and sponsored advertisements.

Upon execution, these malicious installers deploy the Oyster/Broomstick backdoor, establishing persistent access to compromised systems through scheduled tasks and DLL registration mechanisms.

Sophisticated Attack Vector Targets IT Infrastructure

The malicious campaign utilizes SEO poisoning techniques to manipulate search engine results, causing fake websites to appear prominently when users search for legitimate IT tools.

Arctic Wolf researchers have observed sponsored advertisements on Bing specifically promoting fraudulent PuTTY download sites, demonstrating how attackers leverage legitimate advertising platforms to distribute malware.

The threat actors have registered multiple domains designed to mimic official software repositories, including updaterputty[.]com, zephyrhype[.]com, putty[.]run, putty[.]bet, and puttyy[.]org.

Example of Malicious Sponsored PuTTY Ad on Bing.

These fake sites are specifically crafted to deceive IT professionals who routinely download and install administrative tools.

The attackers capitalize on the trust these professionals place in search engines and the urgency often associated with acquiring necessary software tools.

By targeting PuTTY, a widely used SSH client, and WinSCP, a widely used SFTP/SCP file transfer tool, the campaign maximizes its potential impact on enterprise environments.

Advanced Persistence Mechanisms Deploy Oyster/Broomstick Backdoor

Upon successful installation, the Trojanized software deploys the Oyster/Broomstick backdoor, which establishes sophisticated persistence mechanisms on infected systems.

The malware creates a scheduled task that fires every three minutes and runs a malicious DLL named twain_96.dll through rundll32.exe, invoking the DLL’s DllRegisterServer export.

Because rundll32.exe is a signed Windows binary and DllRegisterServer is the export that legitimate installers call to register COM components, the activity blends in with routine component registration and is easy for security monitoring to overlook.

The use of DLL registration as a persistence mechanism demonstrates the attackers’ technical sophistication and understanding of Windows internals.

This approach allows the malware to maintain access to compromised systems even after reboots or security scans, significantly extending the potential dwell time within targeted networks.
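The persistence pattern described above (a frequently repeating scheduled task that runs rundll32.exe against a DLL with the DllRegisterServer export) can be hunted for in existing telemetry. The following is an added example and not code from Arctic Wolf or the article; it assumes process-creation records in a Sysmon-like shape (an Image and a CommandLine field) and scheduled-task definitions in the Task Scheduler XML that Security event 4698 carries. The sample events are constructed for the demonstration; only the DLL name twain_96.dll and the three-minute interval come from the report. A DLL in a user-writable directory being "registered" via rundll32 is flagged regardless of its name, so the check is broader than the single indicator on the page.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# DLL name reported for this campaign (from the article).
KNOWN_DLL_NAMES = {"twain_96.dll"}

# Directories an unprivileged user can write to; a DLL "registered" from here is unusual.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.IGNORECASE)

# rundll32 <dll>,DllRegisterServer, with or without quotes around the DLL path.
RUNDLL32_REGISTER = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*DllRegisterServer\b',
    re.IGNORECASE,
)

# Namespace used by Task Scheduler XML (exported tasks and Security event 4698).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_PROCESS_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\admin\AppData\Roaming\twain_96.dll",DllRegisterServer'},
    {"Image": r"C:\Windows\System32\rundll32.exe",          # benign: no DllRegisterServer
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe",          # registration from System32: not flagged
     "CommandLine": r"rundll32.exe C:\Windows\System32\vendorlib.dll,DllRegisterServer"},
]

# Constructed sample task definitions: one mimicking the reported pattern, one benign.
SAMPLE_TASK_XML: List[str] = [
    """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT3M</Interval></Repetition>
    <StartBoundary>2025-06-10T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>"C:\\Users\\admin\\AppData\\Roaming\\twain_96.dll",DllRegisterServer</Arguments>
  </Exec></Actions>
</Task>""",
    """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1H</Interval></Repetition><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\wsqmcons.exe</Command>
  </Exec></Actions>
</Task>""",
]


def interval_seconds(iso_duration: str) -> int:
    """Convert a Task Scheduler repetition interval such as PT3M into seconds."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso_duration.strip())
    if not m:
        raise ValueError(f"unsupported duration: {iso_duration}")
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 3600 + mi * 60 + s


def inspect_command_line(cmd: str) -> List[str]:
    """Return the reasons a command line matches the rundll32/DllRegisterServer pattern."""
    m = RUNDLL32_REGISTER.search(cmd)
    if not m:
        return []
    dll = m.group("dll").strip()
    name = dll.rsplit("\\", 1)[-1].lower()
    reasons: List[str] = []
    if name in KNOWN_DLL_NAMES:
        reasons.append(f"DLL name matches reported indicator: {name}")
    if USER_WRITABLE.search(dll):
        reasons.append(f"DllRegisterServer invoked on DLL in user-writable path: {dll}")
    return reasons


def inspect_task_xml(task_xml: str) -> List[str]:
    """Flag a task whose Exec action matches the pattern; note a short repeat interval as corroboration."""
    root = ET.fromstring(task_xml)
    reasons: List[str] = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        reasons.extend(inspect_command_line(f"{command} {args}"))
    if not reasons:
        return []
    for node in root.findall(".//t:Repetition/t:Interval", TASK_NS):
        if node.text:
            secs = interval_seconds(node.text)
            if secs <= 300:  # five minutes or less is far more frequent than ordinary maintenance tasks
                reasons.append(f"task repeats every {secs} seconds")
    return reasons


def scan(process_events: List[Dict[str, str]], task_xmls: List[str]) -> List[Dict[str, object]]:
    """Run both checks and collect findings; each finding carries its source and reasons."""
    findings: List[Dict[str, object]] = []
    for ev in process_events:
        reasons = inspect_command_line(ev["CommandLine"])
        if reasons:
            findings.append({"source": "process", "detail": ev["CommandLine"], "reasons": reasons})
    for xml in task_xmls:
        reasons = inspect_task_xml(xml)
        if reasons:
            findings.append({"source": "task", "detail": xml.strip()[:60], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_TASK_XML):
        print(finding["source"], "->", "; ".join(finding["reasons"]))
```

The path check is the part worth keeping after the campaign's specific DLL name changes: legitimate installers register DLLs from Program Files or System32, so rundll32 calling DllRegisterServer on a DLL under a user profile, Temp or ProgramData is a small, high-signal query in most environments.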

Arctic Wolf recommends implementing comprehensive defensive strategies to mitigate exposure to this campaign.

Organizations should establish trusted software acquisition practices, requiring IT staff to obtain administrative tools exclusively from vetted internal repositories or official vendor websites rather than relying on search engines.

Additionally, security teams should immediately block the identified malicious domains at the network level to prevent users from accessing these fraudulent download sources.
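Blocking the listed domains is only half of the task; the other half is finding hosts that already resolved them. The following is an added example, not code from Arctic Wolf or the article: it takes the five domains exactly as the report defangs them, refangs them, emits response-policy-zone style block records, and matches DNS query logs on label boundaries so that subdomains (www.putty[.]run) are caught while look-alikes that merely contain the string (notputty[.]run, puttyy[.]org.example.com) are not. The log format and the log lines are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Domains listed in the Arctic Wolf report, copied in their defanged form.
REPORTED_DOMAINS = [
    "updaterputty[.]com", "zephyrhype[.]com", "putty[.]run", "putty[.]bet", "puttyy[.]org",
]

# Constructed sample DNS query log (hypothetical format: timestamp client= qname= qtype=).
SAMPLE_DNS_LOG = """\
2025-06-12T10:14:03Z client=10.0.5.21 qname=www.putty.run qtype=A
2025-06-12T10:14:09Z client=10.0.5.21 qname=putty.org qtype=A
2025-06-12T10:15:41Z client=10.0.7.8 qname=updaterputty.com qtype=A
2025-06-12T10:16:02Z client=10.0.7.8 qname=notputty.run qtype=A
2025-06-12T10:17:30Z client=10.0.9.3 qname=puttyy.org.example.com qtype=A
"""

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (putty[.]run, hxxp://host) back into a bare lowercase domain."""
    d = indicator.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".")
    return d.rstrip(".")


def build_blocklist(defanged: Iterable[str]) -> Set[str]:
    return {refang(d) for d in defanged}


def domain_matches(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklisted domain that qname equals or is a subdomain of, else None.

    Matching walks label boundaries, so 'www.putty.run' hits 'putty.run' but
    'notputty.run' does not, and 'puttyy.org.example.com' does not hit 'puttyy.org'.
    """
    labels = qname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # candidates keep at least two labels
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_lookups(log_text: str, blocklist: Set[str]) -> List[Dict[str, str]]:
    """Scan DNS query log lines and report clients that resolved a blocklisted domain."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        matched = domain_matches(m["qname"], blocklist)
        if matched:
            hits.append({"client": m["client"], "qname": m["qname"], "indicator": matched})
    return hits


def rpz_rules(blocklist: Set[str]) -> List[str]:
    """Emit RPZ records that return NXDOMAIN for each domain and its subdomains."""
    rules: List[str] = []
    for d in sorted(blocklist):
        rules.append(f"{d} CNAME .")
        rules.append(f"*.{d} CNAME .")
    return rules


if __name__ == "__main__":
    blocklist = build_blocklist(REPORTED_DOMAINS)
    print("\n".join(rpz_rules(blocklist)))
    for hit in find_lookups(SAMPLE_DNS_LOG, blocklist):
        print(f"{hit['client']} resolved {hit['qname']} (matches {hit['indicator']})")
```

Any client that appears in the lookup output should be treated as a candidate for the scheduled-task and rundll32 checks described earlier, since a resolution of one of these domains by an IT workstation is the most likely first trace of a download from the fake site.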

The campaign’s targeting of IT professionals represents a particularly concerning development, as these individuals typically possess elevated system privileges and access to critical infrastructure components within their organizations.
