Download and get hacked: the silent malware hiding in Google results

Over 8,500 systems infected via fake PuTTY and WinSCP downloads in a global SEO poisoning campaign

When search engines betray your trust

You Google “PuTTY download,” click the top result, install it—and unknowingly infect your system. A global SEO poisoning campaign has hit over 8,500 systems, targeting IT admins and developers with a stealthy backdoor called Oyster.

Cybercriminals exploited trust in Google search results to deliver trojanized admin tools that quietly grant attackers remote access.

Blackhat SEO + fake domains = perfect trap

Attackers created cloned download sites with deceptive domains like updaterputty[.]com, nearly identical to legitimate ones. These were pushed to the top of Google results using blackhat SEO. In some cases, malicious ads redirected users straight to the infected installers.

What looks like a clean, official page is actually malicious infrastructure designed to trick even experienced users.

Oyster backdoor: open access every 3 minutes

Once installed, the tool drops Oyster, also tracked as Broomstick or CleanUpLoader. It uses a scheduled task to run rundll32.exe every 3 minutes, executing twain_96.dll via the DllRegisterServer export.

This grants persistent remote access, allowing hackers to issue commands silently—without setting off alarms or suspicion.

APT-level operation with supply chain risks

According to Arctic Wolf, this campaign bears the hallmarks of an Advanced Persistent Threat. The goal may extend beyond individual infections to compromise enterprise IT supply chains.

The takeaway? Even Google search results can become dangerous. Trust is the real target.
