Download and get hacked: the silent malware hiding in Google results

Over 8,500 systems infected via fake PuTTY and WinSCP downloads in a global SEO poisoning campaign

When search engines betray your trust

You Google “PuTTY download,” click the top result, install it—and unknowingly infect your system. A global SEO poisoning campaign has hit over 8,500 systems, targeting IT admins and developers with a stealthy backdoor called Oyster.

Cybercriminals exploited trust in Google search results to deliver trojanized admin tools that quietly grant attackers remote access.

Blackhat SEO + fake domains = perfect trap

Attackers created cloned download sites with deceptive domains like updaterputty[.]com, nearly identical to legitimate ones. These were pushed to the top of Google results using blackhat SEO. In some cases, malicious adsredirected users straight to the infected installers.

What looks like a clean, official page is actually malicious infrastructure designed to trick even experienced users.

Oyster backdoor: open access every 3 minutes

Once installed, the tool drops Oyster, also tracked as Broomstick or CleanUpLoader. It uses a scheduled task to run rundll32.exe every 3 minutes, executing twain_96.dll via the DllRegisterServer export.

This grants persistent remote access, allowing hackers to issue commands silently—without setting off alarms or suspicion.

APT-level operation with supply chain risks

According to Arctic Wolf, this campaign bears the hallmarks of an Advanced Persistent Threat. The goal may extend beyond individual infections to compromise enterprise IT supply chains.

The takeaway? Even Google search results can become dangerous. Trust is the real target.