Oyster Backdoor Disguised as PuTTY and KeyPass Targets IT Admins via SEO Poisoning
Threat actors have been using trojanized versions of well-known IT tools like PuTTY and WinSCP to spread the Oyster backdoor, also known as Broomstick or CleanupLoader, in a sophisticated malvertising and SEO poisoning campaign that Arctic Wolf researchers first noticed in early June 2025.
There have also been hints that KeyPass has been involved in similar lures.
This operation exploits search engine results and sponsored ads on platforms such as Bing to promote malicious websites that mimic legitimate software download portals, primarily targeting IT professionals who frequently seek administrative utilities.
Infection Tactics
Upon downloading and executing these fake installers, victims unwittingly deploy the Oyster backdoor, which establishes persistence by creating a scheduled task that executes every three minutes.
This task leverages rundll32.exe to run a malicious DLL, such as twain_96.dll or zqin.dll, via the DllRegisterServer export, enabling remote access, system reconnaissance, credential theft, command execution, and further malware deployment.
The campaign’s roots trace back to at least 2023, when Oyster masqueraded as installers for Google Chrome and Microsoft Teams and often served as a loader for additional payloads, paving the way for ransomware infections such as Rhysida.
CyberProof Threat Researchers identified a specific Oyster infection in the second half of July 2025, where a user was deceived into downloading a malicious PuTTY impersonator from the URL https://danielaurel.tv/wp-json/api/download/553d53f6d17341fb5a4acdd48f2a0152.
The file, named PuTTY-setup.exe with SHA256 hash a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb, was signed with a revoked certificate, a tactic increasingly seen in malware campaigns including those abusing ConnectWise ScreenConnect.

Sandbox analysis on platforms like Any.run revealed the kill chain: the installer drops and executes the DLL payload via rundll32.exe, followed by persistence through a scheduled task dubbed “FireFox Agent INC.”
Web proxy logs confirmed user searches led to SEO-poisoned sites, with endpoint events verifying the file’s presence and execution.
Fortunately, the backdoor was detected and blocked before any hands-on-keyboard activity could take place, though the incident highlights the risks of unvetted downloads.
Technical Analysis
Delving deeper, the Oyster backdoor’s functionality includes collecting system information, exfiltrating credentials, and facilitating lateral movement, making it a versatile tool for initial access in broader intrusions.
In the observed incident, the malware’s use of a revoked certificate aligns with a trend in recent campaigns, where attackers rely on such certificates to evade detection.
Arctic Wolf’s analysis notes that while only PuTTY and WinSCP trojans were confirmed, expansions to other tools like KeyPass are plausible, emphasizing the need for vigilant threat hunting.
Recommendations from experts stress not relying on search engine results to obtain software, and instead navigating directly to official vendor sites or internal repositories to mitigate SEO poisoning risks.
Organizations should also implement domain blocking for known malicious hosts to curb exposure.
To aid in defense, security teams can employ hunting queries focused on indicators like scheduled task creations involving rundll32.exe and anomalous DLL executions.
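The persistence pattern described above (a scheduled task firing every three minutes and launching rundll32.exe against a DLL through its DllRegisterServer export) and the hunting queries suggested here can be expressed as a small set of detection rules. The script below is an added illustration, not code from CyberProof or Arctic Wolf. It runs three checks over constructed event records shaped loosely like a Windows Security 4698 “scheduled task created” event (task name plus the task XML) and a Sysmon Event ID 1 process-creation event: a task action that invokes rundll32 with DllRegisterServer, a task repetition interval at or under an assumed five-minute threshold, and a rundll32 process loading a DLL from outside an assumed list of trusted directories. The task name “FireFox Agent INC” and the DLL names twain_96.dll and zqin.dll come from the article; the file paths, the `kind` field, the threshold and the trusted-directory list are assumptions made for the example.

```python
"""Hunting rules for the Oyster scheduled-task / rundll32 persistence pattern.

Added example, not the researchers' code. The event records at the bottom are
constructed samples; only the task name and DLL file names come from the article.
"""
import re
import xml.etree.ElementTree as ET

# rundll32.exe <dll>[,<export>]  -- quotes around either token are optional.
RUNDLL32_DLL = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?(?:\s*,\s*(?P<export>\w+))?',
    re.IGNORECASE,
)
# ISO 8601 duration as used in task XML <Interval> elements, e.g. PT3M.
ISO_DURATION = re.compile(r"^PT(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?$", re.IGNORECASE)
# 4698 task XML carries an encoding="UTF-16" declaration; drop it before parsing a str.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

# Assumed threshold: a task repeating this often or faster is worth a look (Oyster: 3 min).
FAST_REPEAT_SECONDS = 5 * 60
# Assumed: DLLs under these prefixes are expected; anything else (AppData, Temp, ...) is odd.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)


def iso_duration_seconds(text):
    """Convert PT#H#M#S to seconds; None if the text is not such a duration."""
    m = ISO_DURATION.match(text.strip())
    if not m:
        return None
    h, mi, s = (int(m.group(k) or 0) for k in ("h", "m", "s"))
    return h * 3600 + mi * 60 + s


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL32_DLL.search(cmdline)
    if not m:
        return None
    return m.group("dll"), (m.group("export") or "")


def dll_outside_trusted_dirs(dll_path):
    return not dll_path.lower().startswith(TRUSTED_DLL_DIRS)


def finding(rule, subject, evidence):
    return {"rule": rule, "subject": subject, "evidence": evidence}


def analyse_task(event):
    """Rules for a scheduled-task-created event: action command line and repetition."""
    findings = []
    root = ET.fromstring(XML_DECL.sub("", event["TaskContent"], count=1))
    command = arguments = ""
    interval = None
    for el in root.iter():              # namespace-agnostic walk of the task XML
        name, text = el.tag.rsplit("}", 1)[-1], (el.text or "").strip()
        if name == "Command":
            command = text
        elif name == "Arguments":
            arguments = text
        elif name == "Interval":
            interval = iso_duration_seconds(text)
    parsed = parse_rundll32(f"{command} {arguments}")
    if parsed:
        dll, export = parsed
        if export.lower() == "dllregisterserver":
            findings.append(finding("task_rundll32_dllregisterserver", event["TaskName"], f"{dll},{export}"))
        if dll_outside_trusted_dirs(dll):
            findings.append(finding("task_rundll32_untrusted_dll_dir", event["TaskName"], dll))
    if interval is not None and interval <= FAST_REPEAT_SECONDS:
        findings.append(finding("task_fast_repetition", event["TaskName"], f"every {interval}s"))
    return findings


def analyse_process(event):
    """Rules for a process-creation event: rundll32 loading a DLL from an odd place."""
    findings = []
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return findings
    parsed = parse_rundll32(event["CommandLine"])
    if not parsed:
        return findings
    dll, export = parsed
    if dll_outside_trusted_dirs(dll):
        findings.append(finding("process_rundll32_untrusted_dll_dir", event["Image"], dll))
    if export.lower() == "dllregisterserver":   # weak alone, strong with the rule above
        findings.append(finding("process_rundll32_dllregisterserver", event["Image"], f"{dll},{export}"))
    return findings


def hunt(events):
    """Run every rule over a list of event records and return all findings."""
    handlers = {"task_created": analyse_task, "process_created": analyse_process}
    return [f for ev in events for f in handlers[ev["kind"]](ev)]


# ---- constructed sample events (assumed paths; task and DLL names from the article) ----
MALICIOUS_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval></Repetition>
    <StartBoundary>2025-07-21T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>rundll32.exe</Command>
    <Arguments>C:\Users\admin\AppData\Roaming\twain_96.dll,DllRegisterServer</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-07-21T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Backup\backup.exe</Command>
    <Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    {"kind": "task_created", "TaskName": r"\FireFox Agent INC", "TaskContent": MALICIOUS_TASK_XML},
    {"kind": "task_created", "TaskName": r"\Nightly Backup", "TaskContent": BENIGN_TASK_XML},
    {"kind": "process_created", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\admin\AppData\Roaming\zqin.dll",DllRegisterServer',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"kind": "process_created", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['subject']}: {f['evidence']}")
```

Run against the samples, the trojanized-task record trips all three task rules and the rundll32 process record trips both process rules, while the nightly backup task and the shell32.dll Control Panel invocation produce nothing. In a real deployment the event dictionaries would be fed from the SIEM’s parsed 4698 and Sysmon records, and the trusted-directory list tuned to the estate; the value of the combination is that a fast-repeating task, an untrusted DLL directory and the DllRegisterServer export are each noisy on their own but rarely coincide in benign activity.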
This campaign underscores the evolving threat landscape, where malvertising blends with social engineering to target high-value users, potentially leading to ransomware or data breaches if not addressed promptly.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| Domain | updaterputty[.]com |
| Domain | zephyrhype[.]com |
| Domain | putty[.]run |
| Domain | putty[.]bet |
| Domain | puttyy[.]org |
| File Hash (SHA256) | 3d22a974677164d6bd7166e521e96d07cd00c884b0aeacb5555505c6a62a1c26 |
| File Hash (SHA256) | a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb |
| File Hash (SHA256) | 3654c9585f3e86fe347b078cf44a35b6f8deb1516cdcd84e19bf3965ca86a95b |
| File Name | zqin.dll |
| IP Address | 194.213.18.89 |
| IP Address | 85.239.52.99 |