
Download and get hacked: the silent malware hiding in Google results

Over 8,500 systems infected via fake PuTTY and WinSCP downloads in a global SEO poisoning campaign

When search engines betray your trust

You Google “PuTTY download,” click the top result, install it—and unknowingly infect your system. A global SEO poisoning campaign has hit over 8,500 systems, targeting IT admins and developers with a stealthy backdoor called Oyster.

Cybercriminals exploited trust in Google search results to deliver trojanized admin tools that quietly grant attackers remote access.

Blackhat SEO + fake domains = perfect trap

Attackers created cloned download sites with deceptive domains like updaterputty[.]com, nearly identical to legitimate ones. These were pushed to the top of Google results using blackhat SEO. In some cases, malicious ads redirected users straight to the infected installers.

What looks like a clean, official page is actually malicious infrastructure designed to trick even experienced users.

Oyster backdoor: open access every 3 minutes

Once installed, the trojanized tool drops Oyster, also tracked as Broomstick or CleanUpLoader. It creates a scheduled task that runs rundll32.exe every 3 minutes, executing twain_96.dll via the DllRegisterServer export.

This grants persistent remote access, allowing hackers to issue commands silently—without setting off alarms or suspicion.
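One way to hunt for this persistence pattern, shown as an added example that is not code from the article or from Arctic Wolf: the Python below parses Task Scheduler XML (for instance the output of `schtasks /query /xml`) and flags tasks that run rundll32 with the DllRegisterServer export on a short repetition interval. The function names, the 10-minute threshold and the sample paths are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Subset of ISO 8601 durations that Task Scheduler uses for <Interval> (PT3M, PT1H, P1D)
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def interval_seconds(text):
    """Convert a repetition interval such as 'PT3M' to seconds, or None if unparseable."""
    m = DURATION.match(text.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def rundll32_beacon_actions(task_xml, max_interval=600):
    """Return [(command, arguments, interval_s)] for Exec actions that run rundll32
    with the DllRegisterServer export in a task repeating every max_interval s or less."""
    root = ET.fromstring(task_xml)
    found = (interval_seconds(e.text or "")
             for e in root.iterfind(".//t:Repetition/t:Interval", NS))
    intervals = [i for i in found if i is not None]
    if not intervals or min(intervals) > max_interval:
        return []
    hits = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip().strip('"')
        args = ex.findtext("t:Arguments", "", NS).strip()
        exe = re.split(r"[\\/]", cmd)[-1].lower()  # basename of the command path
        if exe in ("rundll32", "rundll32.exe") and re.search(r"\bDllRegisterServer\b", args, re.I):
            hits.append((cmd, args, min(intervals)))
    return hits

def sample_task(command, arguments, interval):
    """Build a constructed, minimal Task Scheduler XML document for the demo below."""
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger><Repetition>'
            f"<Interval>{interval}</Interval></Repetition></TimeTrigger></Triggers>"
            f"<Actions><Exec><Command>{command}</Command>"
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")

# Constructed samples: the DLL path and the updater name are placeholders, not campaign indicators.
SUSPECT = sample_task("rundll32.exe", r"C:\Users\Public\twain_96.dll,DllRegisterServer", "PT3M")
BENIGN = sample_task(r"C:\Program Files\Example\updater.exe", "/silent", "PT1H")

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, rundll32_beacon_actions(xml))
```

Task files read from disk are usually UTF-16 with an XML declaration, so pass them to the function as bytes rather than as decoded text.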

APT-level operation with supply chain risks

According to Arctic Wolf, this campaign bears the hallmarks of an Advanced Persistent Threat. The goal may extend beyond individual infections to compromise enterprise IT supply chains.

The takeaway? Even Google search results can become dangerous. Trust is the real target.


Dopstart

Dopstart is Paolino Donato's website and also his nickname on the Internet. Dopstart is an SEO consultant. He has worked on search engine positioning since 1998. Since 2010 he has collaborated with Google as a TC for the Italian Google News and for Google Noticias in Spanish-speaking countries, and since 2018 as a Product Expert.

Published by
Dopstart
