SEO poisoning & malvertising campaign Summary
An SEO poisoning and malvertising campaign, active since early June 2025 and documented by Arctic Wolf security researchers, has been targeting IT administrators with Trojanized installers of commonly used tools such as PuTTY and WinSCP.
Attackers manipulate search engine results and buy sponsored ads to steer users to fake download sites that closely mimic the legitimate vendor pages; these sites serve backdoored versions of the tools in place of the genuine installers.
Technical Summary
A threat campaign has been leveraging SEO poisoning and malicious advertisements to trick IT professionals into downloading Trojanized versions of PuTTY and WinSCP from fake websites. Once installed, a malware known as Oyster (aka Broomstick) creates persistent access within the victim’s environment, posing a severe risk to enterprise infrastructure.
The malware establishes persistence by creating a scheduled task that fires every three minutes and invokes rundll32.exe to load a malicious DLL named twain_96.dll through its DllRegisterServer export. Because rundll32.exe is a signed, legitimate Windows binary, proxying the DLL load through it blends in with normal system activity and evades controls that only inspect the launched executable rather than the DLL and export it is asked to run.
The attackers specifically target IT administrators and system operators because of their elevated privileges, which allow rapid lateral movement, access to sensitive systems such as domain controllers, and the deployment of additional payloads such as ransomware.
The campaign's effectiveness stems from its exploitation of everyday workflows, in particular IT admins' habit of using a search engine to find a download link, which makes it both highly targeted and well suited to social engineering.
| Element | Detail |
|---|---|
| Initial Access | SEO poisoning and fake sponsored ads redirect users to malicious download sites. |
| Malicious Tools | Trojanized installers of PuTTY and WinSCP. |
| Payload | Oyster (aka Broomstick) backdoor. |
| Persistence | Scheduled task every 3 minutes executing twain_96.dll via rundll32.exe and the DllRegisterServer export. |
| Target | IT admins with elevated privileges (Domain Admins, Server Admins). |
| Objective | Network penetration, domain controller access, data exfiltration, possible ransomware deployment. |

Malicious sponsored PuTTY ad on Bing. Source: Arctic Wolf
Observed Malicious Domains
Organizations are urged to block the following domains immediately:
These domains host fake versions of PuTTY and WinSCP and are actively used in the ongoing campaign.
Remediation:
1. Enforce Trusted Software Acquisition Policies
2. Strengthen Network and Endpoint Security Controls
3. User Awareness
Conclusion:
By focusing on widely used administrative tools like PuTTY and WinSCP, threat actors are exploiting the trust and habits of IT professionals through convincing social engineering and poisoned search results.
This approach turns essential tools into delivery mechanisms for backdoors and persistent threats, compromising high-privilege users at the core of enterprise infrastructure.
Organizations must respond decisively by reinforcing endpoint monitoring, tightening software acquisition policies and implementing robust network-level defenses to mitigate the risks posed by this rapidly evolving threat landscape.