Over 8,500 systems infected via fake PuTTY and WinSCP downloads in a global SEO poisoning campaign
When search engines betray your trust
You Google “PuTTY download,” click the top result, install it—and unknowingly infect your system. A global SEO poisoning campaign has hit over 8,500 systems, targeting IT admins and developers with a stealthy backdoor called Oyster.
Cybercriminals exploited trust in Google search results to deliver trojanized admin tools that quietly grant attackers remote access.
Blackhat SEO + fake domains = perfect trap
Attackers created cloned download sites with deceptive domains like updaterputty[.]com, nearly identical to legitimate ones. These were pushed to the top of Google results using blackhat SEO. In some cases, malicious ads redirected users straight to the infected installers.
What looks like a clean, official page is actually malicious infrastructure designed to trick even experienced users.
Oyster backdoor: open access every 3 minutes
Once installed, the tool drops Oyster, also tracked as Broomstick or CleanUpLoader. It uses a scheduled task to run rundll32.exe every 3 minutes, executing twain_96.dll via the DllRegisterServer export.
This grants persistent remote access, allowing hackers to issue commands silently—without setting off alarms or suspicion.
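The persistence described above leaves a concrete artifact: a scheduled task whose action is rundll32.exe with a DllRegisterServer entry point and a repetition interval measured in minutes. The script below is an added example written for this article (not code from the article or from Arctic Wolf) that inspects exported Task Scheduler XML definitions, the format produced by schtasks /Query /XML or Export-ScheduledTask, and flags tasks that combine those indicators. The XML samples, task names and the DLL path are constructed for illustration, and the ten-minute interval threshold is a tuning assumption.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Namespace used by every Windows Task Scheduler XML definition.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Repetition intervals at or below this many seconds count as aggressive. The article
# reports a 3-minute interval; the threshold itself is a tuning assumption.
SHORT_INTERVAL_SECONDS = 10 * 60


@dataclass
class Finding:
    task_name: str
    command: str
    arguments: str
    interval_seconds: Optional[int]
    reasons: list = field(default_factory=list)


def parse_task_duration(text: str) -> Optional[int]:
    """Convert an ISO 8601 duration as written in task XML (PT3M, P1DT2H, ...) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m or not any(m.groups()):
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def inspect_task(task_name: str, task_xml: str) -> Optional[Finding]:
    """Return a Finding when rundll32.exe is paired with DllRegisterServer or a short repeat interval."""
    root = ET.fromstring(task_xml)
    interval_text = root.findtext(".//t:Repetition/t:Interval", namespaces=TASK_NS)
    interval = parse_task_duration(interval_text) if interval_text else None

    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        reasons = []
        # Drop quotes and directories so an unusual path does not hide the binary name.
        binary = re.split(r"[\\/]", command.strip('"'))[-1].lower()
        if binary == "rundll32.exe":
            reasons.append("action launches rundll32.exe")
        if "dllregisterserver" in arguments.lower():
            reasons.append("DLL executed via its DllRegisterServer export")
        if interval is not None and interval <= SHORT_INTERVAL_SECONDS:
            reasons.append(f"repeats every {interval // 60} minute(s)")
        # rundll32 alone is common in legitimate tasks; require at least one more indicator.
        if "action launches rundll32.exe" in reasons and len(reasons) >= 2:
            return Finding(task_name, command, arguments, interval, reasons)
    return None


def scan_tasks(tasks: dict) -> list:
    """Inspect every (task name -> task XML) pair and return the findings."""
    return [f for f in (inspect_task(name, xml) for name, xml in tasks.items()) if f is not None]


# Constructed, abbreviated task definitions (the XML declaration is omitted). The first
# mirrors the pattern reported in the article; its DLL path is illustrative only.
SAMPLE_TASKS = {
    "ConstructedTask-OysterPattern": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>"C:\ProgramData\twain_96.dll",DllRegisterServer</Arguments>
    </Exec>
  </Actions>
</Task>""",
    # Legitimate-looking rundll32 use with no repetition: only one indicator, not flagged.
    "ConstructedTask-BenignRundll32": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>shell32.dll,Control_RunDLL</Arguments>
  </Exec></Actions>
</Task>""",
    # Frequent repetition without rundll32 (a monitoring agent heartbeat): not flagged.
    "ConstructedTask-AgentHeartbeat": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2025-01-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files\Agent\agent.exe"</Command><Arguments>--heartbeat</Arguments>
  </Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        print(f"[!] {finding.task_name}: {finding.command} {finding.arguments}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Requiring two indicators keeps the check from firing on the many legitimate tasks that invoke rundll32.exe once a day; on a real fleet, feed it the XML of every task and review anything flagged whose DLL does not belong to an installed product.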
APT-level operation with supply chain risks
According to Arctic Wolf, this campaign bears the hallmarks of an Advanced Persistent Threat. The goal may extend beyond individual infections to compromise enterprise IT supply chains.
The takeaway? Even Google search results can become dangerous. Trust is the real target.