Weaponized Versions of PuTTY and WinSCP Attacking IT Admins Via Search Results
A sophisticated SEO poisoning campaign targeting system administrators with malicious backdoor malware.
Arctic Wolf security researchers have uncovered a dangerous search engine optimization (SEO) poisoning and malvertising campaign that has been targeting IT professionals since early June 2025.
The campaign uses fake websites hosting Trojanized versions of popular IT tools, specifically PuTTY and WinSCP, to install backdoor malware on victims’ systems.
Campaign Overview
The malicious campaign leverages search engine manipulation to promote fake download sites that closely mimic legitimate software repositories. When IT professionals search for these essential tools, they are presented with sponsored advertisements and poisoned search results that redirect them to attacker-controlled domains.
Key targeted tools include:
- PuTTY: A popular SSH client used for secure remote connections
- WinSCP: An SFTP/FTP client for secure file transfers
Technical Details of the Attack
Upon downloading and executing the Trojanized installers, victims unknowingly install a sophisticated backdoor known as Oyster/Broomstick. This malware employs advanced persistence mechanisms that make it particularly dangerous for enterprise environments.
The backdoor establishes persistence through:
- A scheduled task that fires every three minutes
- Execution of a malicious DLL (twain_96.dll) through rundll32.exe
- Invocation of that DLL's DllRegisterServer export as the entry point
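The three persistence indicators above translate directly into a check that can be run over scheduled-task definitions exported from endpoints. The Python below is an added example, not code from Arctic Wolf or from the article: it parses the task XML that Windows records in Security event 4698 (scheduled task created) and flags a task whose action is rundll32.exe calling a DLL's DllRegisterServer export, that loads the DLL from a user-writable directory, or that repeats on an interval of five minutes or less. The sample task XML, the benign comparison task, the task URI, the profile path and the timestamps are constructed for the example; only the DLL name and the export come from the article.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema (present in every task definition).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Directories an unprivileged user normally cannot write to; a DLL launched from
# anywhere else (AppData, Temp, Public) deserves a closer look.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample modelled on the TaskContent field of Security event 4698.
# Only the DLL name and the export are taken from the article; the task URI,
# the user profile path and the timestamps are invented for this example.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Example\UpdateCheck</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-06-02T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>"C:\Users\admin\AppData\Roaming\twain_96.dll",DllRegisterServer</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign comparison: a daily task running a Windows binary from System32.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-06-02T03:00:00</StartBoundary>
  <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\wsqmcons.exe</Command></Exec></Actions>
</Task>"""


def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO 8601 duration such as PT3M or P1DT2H to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def rundll32_registers_dll(command_line):
    """True for a command line in which rundll32 calls a DLL's DllRegisterServer export.
    The same test applies to Sysmon event 1 / Security event 4688 process command lines."""
    return re.search(r"rundll32(?:\.exe)?\b.*dllregisterserver", command_line, re.I) is not None


def analyze_task(task_xml):
    """Return the shortest repetition interval and a list of findings for one task definition."""
    # Exported events sometimes keep the UTF-16 declaration; drop it before parsing the str.
    root = ET.fromstring(re.sub(r"^<\?xml[^>]*\?>", "", task_xml.strip()))
    findings = []

    interval = None
    for node in root.iter(TASK_NS + "Interval"):
        secs = iso_duration_seconds(node.text or "")
        if secs is not None and (interval is None or secs < interval):
            interval = secs

    for action in root.iter(TASK_NS + "Exec"):
        command = (action.findtext(TASK_NS + "Command") or "").strip()
        arguments = (action.findtext(TASK_NS + "Arguments") or "").strip()
        if not command.lower().endswith("rundll32.exe"):
            continue
        findings.append("action runs rundll32.exe")
        if rundll32_registers_dll(command + " " + arguments):
            findings.append("rundll32 invokes the DllRegisterServer export")
        dll = re.match(r'"?([^",]+\.dll)', arguments, re.I)
        if dll and not dll.group(1).lower().startswith(TRUSTED_DIRS):
            findings.append("DLL loaded from a user-writable path: " + dll.group(1))

    # A rundll32 action re-launched every few minutes is the persistence pattern described above.
    if interval is not None and interval <= 300 and findings:
        findings.append("rundll32 task repeats every %d seconds" % interval)

    return {"interval_seconds": interval, "findings": findings}


if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        result = analyze_task(xml_text)
        print(name, result["interval_seconds"], result["findings"] or "no findings")
```

Each finding on its own is weak (rundll32 has plenty of legitimate uses), so the script reports them together and only the combination of a short repetition interval, a rundll32 action and a DLL outside a protected directory should be treated as a high-confidence match; a benign daily task produces no findings at all.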
The campaign specifically targets IT professionals and system administrators because these users typically have elevated privileges within corporate networks. This makes them valuable targets for threat actors seeking to:
- Quickly spread through enterprise networks.
- Access sensitive organizational data.
- Gain control over domain controllers.
- Deploy additional malware payloads, including ransomware.
The attack exploits IT professionals’ frequent need to download administrative tools, making the social engineering aspect particularly effective.

Many administrators rely on search engines to quickly locate software, creating an opportunity for attackers to intercept these searches with malicious results.
Arctic Wolf has identified several domains associated with this campaign that organizations should immediately block:
- updaterputty[.]com
- zephyrhype[.]com
- putty[.]run
- putty[.]bet
- puttyy[.]org
Recommendations for Organizations
Implement Trusted Software Acquisition Practices:
- Prohibit staff from using search engines to locate administrative tools.
- Establish vetted internal software repositories.
- Require direct navigation to official vendor websites.
- Implement strict download policies for IT tools.
Deploy Network-Level Protections:
- Block the identified malicious domains at the firewall level.
- Implement DNS filtering to prevent access to known bad domains.
- Monitor for suspicious scheduled tasks and DLL executions.
- Deploy endpoint detection and response (EDR) solutions.
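The domain list published above and the firewall and DNS-filtering recommendations can be operationalised with a short script. The Python below is an added example and not Arctic Wolf's tooling: it refangs the five indicators from the article, matches them (including any subdomain) against DNS query records, and emits BIND Response Policy Zone records that return NXDOMAIN for each domain. The log lines are constructed in a simplified key=value format loosely modelled on Sysmon event 22 (DNS query); the host names, image paths, timestamps and the subdomain cdn.updaterputty.com are invented for the example, while the other queried names are either from the article or the vendors' official sites.

```python
import re

# Indicators exactly as published in the article, kept defanged.
DEFANGED_IOCS = [
    "updaterputty[.]com",
    "zephyrhype[.]com",
    "putty[.]run",
    "putty[.]bet",
    "puttyy[.]org",
]


def refang(indicator):
    """Turn a defanged indicator such as 'putty[.]run' back into a usable host name."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


BLOCKLIST = frozenset(refang(d) for d in DEFANGED_IOCS)


def is_blocked(hostname):
    """True if hostname is a listed domain or any subdomain of one (e.g. www.putty.run)."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    # Walk from the full name up to, but not including, the bare TLD: a.b.c -> b.c
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels) - 1))


# Constructed DNS query records (simplified Sysmon event 22 style, one query per line).
SAMPLE_DNS_LOG = r"""2025-06-10T09:12:03Z Host=WS-ADMIN01 Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=www.chiark.greenend.org.uk
2025-06-10T09:12:41Z Host=WS-ADMIN01 Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=puttyy.org
2025-06-10T09:13:05Z Host=WS-ADMIN01 Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=cdn.updaterputty.com
2025-06-10T09:13:09Z Host=WS-ADMIN02 Image=C:\Windows\System32\svchost.exe QueryName=winscp.net
"""

LINE_RE = re.compile(r"^(\S+)\s+Host=(\S+).*?QueryName=(\S+)")


def find_hits(log_text):
    """Return (timestamp, host, queried name) for every query that matches the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_blocked(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


def rpz_records(blocklist=BLOCKLIST):
    """BIND RPZ records: 'CNAME .' rewrites the answer to NXDOMAIN for the name and its subdomains."""
    records = []
    for domain in sorted(blocklist):
        records.append("%s CNAME ." % domain)
        records.append("*.%s CNAME ." % domain)
    return records


if __name__ == "__main__":
    for ts, host, name in find_hits(SAMPLE_DNS_LOG):
        print("%s %s queried blocked domain %s" % (ts, host, name))
    print("\n".join(rpz_records()))
```

The subdomain walk matters because a campaign like this one can serve payloads from arbitrary hosts under a registered domain; an exact-match blocklist would miss them. The RPZ output is the same list in a form a resolver can enforce, which complements rather than replaces the firewall block the article recommends.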
This campaign represents a concerning evolution in targeted attacks against IT infrastructure. Similar SEO poisoning campaigns have increased significantly, with cybersecurity experts noting a 103% increase in related attacks in 2024.
The targeting of essential IT tools demonstrates how threat actors are adapting their tactics to exploit the daily workflows of their victims.
The discovery of this campaign underscores the critical importance of implementing robust cybersecurity practices, particularly around software acquisition and endpoint protection.
Organizations must remain vigilant as attackers continue to evolve their techniques to bypass traditional security measures and target the very professionals responsible for maintaining network security.