Trojanized PuTTY & WinSCP Installers Deliver Oyster Backdoor

Since June 2025, IT professionals have increasingly become targets of a sophisticated malvertising campaign that manipulates search engine results to display fake download links for well-known admin tools such as PuTTY and WinSCP. These poisoned results direct users to cloned websites whose trojanized installers embed the Oyster backdoor (also known as Broomstick or CleanUpLoader). When IT administrators run these malicious installers, believing they are deploying trusted utilities, the Oyster payload establishes persistence through scheduled tasks and initiates command-and-control (C2) communication. Once installed, the backdoor enables attackers to traverse networks, harvest credentials, and deploy follow-on malware such as ransomware or Cobalt Strike.

This campaign underscores a chilling new tactic: attackers exploiting SEO and malvertising to compromise privileged users, turning everyday administrative activities into security crises. The deceptive nature of these fake tools, combined with their focus on high-value targets, makes this campaign particularly dangerous and effective.

Technical Description

This campaign begins with SEO poisoning on search engines such as Google and Bing, where threat actors bid on search terms such as “PuTTY download” and “WinSCP installer.” Malicious ads redirect users to typosquatting domains such as updaterputty.com, zephyrhype.com, and putty.run, designed to closely mimic legitimate software portals. The landing pages prompt victims to download ZIP archives containing tampered Setup.exe files and malicious DLLs that replicate the look of authentic PuTTY or WinSCP installers. Researchers from Arctic Wolf and IBM X-Force describe the campaign as running on carefully controlled malvertising infrastructure, a method known as Search Engine Optimization (SEO) poisoning, which lends the fake download pages a false legitimacy.

Once executed, Setup.exe uses DLL side-loading, a technique that exploits Windows’ DLL search order to load a malicious python311.dll in place of the legitimate library. This loader DLL then unpacks the embedded Oyster backdoor (also known as Broomstick or CleanUpLoader), which is written in C++ and built to perform remote management functions covertly.

To establish persistence, the malware creates a scheduled task that runs every three minutes. This task invokes rundll32.exe to repeatedly execute the malicious twain_96.dll, using its exported DllRegisterServer function as the entry point. By abusing this export, the malware avoids storing or executing visible scripts at startup, making detection by basic security tools much harder. The regular execution cadence also ensures Oyster runs again shortly after a system boot or after its running instance is terminated.

At runtime, Oyster connects to a command-and-control (C2) server and initiates a two-way communication channel. Typical payload capabilities include:

  • Remote command execution to steal data or execute further malware.
  • Credential harvesting, especially targeting SSH and SFTP credentials stored by PuTTY and WinSCP.
  • Arbitrary file transfers, enabling attackers to stage additional payloads, including ransomware or Cobalt Strike.
  • Interactive session support, allowing hands-on-keyboard use by operators for complex tasks or lateral movement.

Some campaigns have escalated to using Oyster to load ransomware payloads. One example involved deploying a variant of Rhysida ransomware after Oyster was active, with subsequent encryption of NAS and VMDK files. Oyster is under deliberate, ongoing development; its recent move from cleartext to encrypted C2 communications shows its adaptability and its potential for stealthy persistence.

Adding to its evasiveness, Oyster frequently employs domain and IP rotation. C2 infrastructure includes short-lived servers that are quickly decommissioned or rotated after a compromise. In some cases, C2 domains even go dormant except during active operations. This creates an unstable footprint in telemetry and IP-based monitoring tools.

Impact

The compromise of assets used by IT professionals poses severe risk to organizations. With Oyster implanted, attackers gain:

  • Unrestricted access to servers, sensitive systems, and directories.
  • Administrative control, enabling system modifications, security disabling, or user account tampering.
  • Credential exposure for SSH/SFTP connections, amplifying access potential.
  • Rapid ransomware deployment, with malvertising serving as an efficient initial delivery vector.

Additionally, the timing of scheduled tasks (running every 3 minutes) allows the malware to run stealthily and maintain persistence through reboots. The side-loading tactics further obfuscate the malware’s presence, reducing the likelihood of raising alarms during audits or endpoint scans.

Environments with limited browser or extension protections are especially vulnerable, as the only user behavior exploited is the execution of what appears to be legitimate administrative software. The campaign highlights a departure from email-based phishing in favor of SEO and web-based trickery to compromise tools that are essential to routine administrative workflows.

IOC and Context Details

Topic                    Details
Tactic Name              Initial Access (SEO Poisoning), Persistence, Lateral Movement
Technique Name           Search Engine Optimization Manipulation, DLL Side-Loading, Scheduled Tasks
Sub-Technique Name       Typosquatting Domains; DllRegisterServer Export Abuse
Attack Type              Remote Access Malware, Unauthorized Access
Targeted Applications    PuTTY and WinSCP administrative tools (Windows executables)
Region Impacted          Global
Industry Impacted        All
IOCs                     updaterputty.com, zephyrhype.com, putty.run, putty.bet, puttyy.org
CVE                      NA

Recommended Actions

1. Enforce Secure Software Acquisition Practices

  • Block downloads of essential admin tools from search-engine results and unverified domains.
  • Encourage users to download only via internal software repositories or official vendor portals.

2. Block Known Malicious Domains

  • Update DNS and web-filtering systems to block identified domains. Regularly refresh blocklists to catch future variants.
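The blocklist check in this step, as an added Python example that is not part of the advisory or of Arctic Wolf's tooling: it matches DNS query log lines against the five IOC domains from the table above. The log line format and the sample lines are constructed; the match is exact-or-subdomain rather than substring, so look-alikes such as notputty.run are not flagged while download.updaterputty.com is.

```python
"""Match DNS query log lines against the advisory's IOC domains.

Added example, not code from the advisory or from Arctic Wolf. The log line
format below is constructed; adapt scan_dns_log() to your resolver's export.
"""

# The five domains listed in the advisory's IOC table.
IOC_DOMAINS = frozenset({
    "updaterputty.com", "zephyrhype.com", "putty.run", "putty.bet", "puttyy.org",
})


def normalize_name(name):
    """Lower-case and drop the trailing dot so 'WWW.Putty.Run.' compares as 'www.putty.run'."""
    return name.strip().lower().rstrip(".")


def matched_ioc(qname, blocklist=IOC_DOMAINS):
    """Return the blocklisted domain that qname equals or is a subdomain of, else None.

    A plain substring test would also flag 'notputty.run' or 'putty.run.example.internal',
    so the check is an exact match or a dot-delimited suffix match only.
    """
    qname = normalize_name(qname)
    for domain in blocklist:
        if qname == domain or qname.endswith("." + domain):
            return domain
    return None


def scan_dns_log(lines):
    """Parse constructed lines of the form '<timestamp> <client-ip> <qtype> <qname>'
    and return (timestamp, client, qname, matched_domain) for every hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, _qtype, qname = parts
        domain = matched_ioc(qname)
        if domain:
            hits.append((ts, client, normalize_name(qname), domain))
    return hits


# Constructed sample: two true hits (one with a trailing dot) and three
# look-alike names that must not match.
SAMPLE_LOG = """\
2025-07-02T10:15:03Z 10.0.0.23 A www.putty.org
2025-07-02T10:15:09Z 10.0.0.23 A putty.run
2025-07-02T10:15:10Z 10.0.0.23 A download.updaterputty.com.
2025-07-02T10:16:41Z 10.0.0.57 A notputty.run
2025-07-02T10:17:02Z 10.0.0.57 AAAA putty.run.example.internal
""".splitlines()

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print("IOC match:", hit)
```

Feed the same function your resolver's or proxy's query export after adjusting the field split; the suffix rule is what keeps legitimate sites such as putty.org out of the results.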

3. Monitor Scheduled Tasks & DLL Loads

  • Configure EDR to alert on tasks that call rundll32.exe with unfamiliar DLLs, particularly names like twain_96.dll.
  • Audit scheduled tasks that execute frequently (e.g., every 1–5 minutes).
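The scheduled-task audit in this step, together with the rundll32/DllRegisterServer persistence mechanism described in the Technical Description, as an added Python example that is not code from the advisory or from Arctic Wolf: it parses a task definition exported as XML (for instance with `schtasks /query /tn <name> /xml` or PowerShell's Export-ScheduledTask) and flags tasks that run rundll32.exe against a DLL outside the Windows system directories, use DllRegisterServer as the entry point, or repeat within five minutes. The two task definitions embedded below are constructed, and the AppData path for twain_96.dll in the first is a hypothetical location, not one reported in the advisory.

```python
"""Flag exported Task Scheduler definitions that match the Oyster persistence pattern.

Added example, not code from the advisory or from Arctic Wolf. Input is the XML
produced by `schtasks /query /tn <name> /xml` or Export-ScheduledTask; the two
sample tasks at the bottom are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Lower-cased path prefixes under which a legitimate rundll32 target normally lives.
SYSTEM_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "%systemroot%\\system32\\", "%windir%\\system32\\",
)
SHORT_INTERVAL_SECONDS = 5 * 60  # the advisory's "every 1-5 minutes" audit threshold


def iso_duration_seconds(value):
    """Convert a Task Scheduler duration (PT3M, PT1H30M, P1D) to seconds; None if malformed."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def _strip_namespaces(root):
    """Drop the mit/task XML namespace so element names can be used plainly."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]


def analyze_task_xml(xml_text):
    """Return (suspicious, findings) for one exported task definition."""
    root = ET.fromstring(xml_text)
    _strip_namespaces(root)
    findings = []

    # Shortest repetition interval across all triggers.
    intervals = [iso_duration_seconds(e.text or "") for e in root.iter("Interval")]
    intervals = [i for i in intervals if i is not None]
    short_interval = bool(intervals) and min(intervals) <= SHORT_INTERVAL_SECONDS
    if short_interval:
        findings.append(f"repeats every {min(intervals)}s")

    uses_rundll32 = odd_dll = reg_server = False
    for exec_el in root.iter("Exec"):
        command = (exec_el.findtext("Command") or "").strip().strip('"')
        arguments = (exec_el.findtext("Arguments") or "").strip()
        if command.lower().replace("/", "\\").rsplit("\\", 1)[-1] != "rundll32.exe":
            continue
        uses_rundll32 = True
        # rundll32 syntax is "<dll>,<export> [args]": split off the DLL path and export name.
        dll_part, _, rest = arguments.partition(",")
        dll = dll_part.strip().strip('"')
        export = rest.split()[0] if rest.split() else ""
        if dll and not dll.lower().startswith(SYSTEM_DIRS):
            odd_dll = True
            findings.append(f"rundll32 loads DLL outside system directories: {dll}")
        if export.lower() == "dllregisterserver":
            reg_server = True
            findings.append("entry point is DllRegisterServer")

    suspicious = uses_rundll32 and (odd_dll or reg_server or short_interval)
    return suspicious, findings


# Constructed task modelled on the advisory's description (3-minute repetition,
# rundll32 -> twain_96.dll,DllRegisterServer); the AppData path is hypothetical.
OYSTER_STYLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-06-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>"C:\Users\admin\AppData\Roaming\twain_96.dll",DllRegisterServer</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: hourly repetition, ordinary executable, no rundll32.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2025-06-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Backup\agent.exe</Command>
      <Arguments>--sync</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("oyster-style", OYSTER_STYLE_TASK), ("benign", BENIGN_TASK)):
        suspicious, findings = analyze_task_xml(xml)
        print(f"{name}: suspicious={suspicious} {findings}")
```

Run it over every task exported from a host and review the ones reported as suspicious; a rundll32 task with a short interval or a non-system DLL is the combination the advisory describes, whereas a short interval alone or a system DLL alone is common in legitimate tasks and is reported only as a finding.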

4. Deploy Robust Endpoint Detection

  • Use behavioral analytics to detect DLL side-loading, unexpected child processes beneath admin tools, or anomalous network connections.
  • Employ anti-malware solutions that identify trojanized Python runtime DLLs such as the malicious python311.dll used by this campaign.

References

https://arcticwolf.com/resources/blog/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-trojanized-tools