Oyster Malware as PuTTY, KeyPass Attacking IT Admins by Poisoning SEO Results

The Oyster malware, also known as Broomstick or CleanupLoader, has resurfaced in attacks disguised as popular tools like PuTTY, KeyPass, and WinSCP.

This malware, active since at least 2023, tricks users into downloading malicious installers, potentially paving the way for ransomware infections such as Rhysida.

CyberProof Threat Researchers recently uncovered a real-world instance in the second half of July 2025, where an unsuspecting user was lured into installing a fake PuTTY executable.

The attack was swiftly detected and blocked by security measures, preventing any hands-on keyboard activity from intruders. This incident highlights the persistent danger of SEO poisoning, where attackers manipulate search rankings to promote malicious sites mimicking legitimate software downloads.

The campaign begins with users searching for tools like PuTTY. Poisoned results lead to domains such as updaterputty[.]com, putty[.]run, or putty[.]bet, which host fake installers.

In the observed case, the malicious file named PuTTY-setup.exe with SHA256 hash a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb was downloaded from danielaurel[.]tv.

Once executed, the installer drops a malicious DLL file, zqin.dll, and runs it via rundll32.exe. This establishes the Oyster backdoor, which collects system information, steals credentials, executes commands, and downloads additional malware, reads the report.

Persistence is achieved through a scheduled task called “FireFox Agent INC,” set to run every three minutes, ensuring the malware remains active even after reboots.

Notably, the installer used a revoked digital certificate, a tactic seen in other recent campaigns like those abusing ConnectWise ScreenConnect.

VirusTotal scans revealed multiple files signed with the same revoked certificate, indicating a broader operation. Proxy logs from the incident showed the user visiting SEO-poisoned sites, confirming the deception.

Oyster campaigns have evolved from impersonating Google Chrome and Microsoft Teams to targeting IT-specific tools, exploiting admins’ trust in familiar software. Arctic Wolf first reported similar malvertising in early June 2025, linking it to trojanized installers that deliver the backdoor. These loaders often facilitate ransomware, as seen with Rhysida deployments.

For IT admins, the risk is acute: a single poisoned search can compromise entire networks. In the CyberProof case, sandbox analysis on Any.Run confirmed the file’s malicious behavior, including DLL execution and task scheduling. No further exploitation occurred due to timely detection, but the potential for data theft or ransomware remains high.

Indicators of Compromise (IoCs) for Oyster Backdoor

To mitigate, organizations should educate users on verifying downloads, enable multi-factor authentication, and deploy endpoint detection tools. Regularly hunting for suspicious scheduled tasks and monitoring for revoked certificates can help. As SEO poisoning surges, staying vigilant against these deceptive tactics is crucial for safeguarding IT environments.

Experience faster, more accurate phishing detection and enhanced protection for your business with real-time sandbox analysis-> Try ANY.RUN now