How does Oyster Malware spread through SEO poisoning using fake PuTTY and KeePass installers?
Oyster malware, also known as Broomstick or CleanupLoader, targets IT admins by disguising itself as trusted software tools such as PuTTY and KeePass. The attackers use SEO poisoning to manipulate Google search results so that users download trojanized installers from malicious domains. Once executed, the malware establishes a persistent backdoor that steals credentials and collects system information, and it can lead to ransomware infections such as Rhysida. The campaign shows how sophisticated SEO-based attacks have become, and it urges IT teams to verify download sources, use endpoint protection, and watch for software signed with revoked digital certificates.

Table of Contents
- Overview: What Is the Oyster Malware Campaign?
- How Attackers Use SEO Poisoning to Spread Malware
- Real-World Attack: Fake PuTTY Executable in Action
- Technical Breakdown of the Oyster Attack Chain
- Why IT Admins Are the Main Target
- IOC Table: Indicators of Compromise (Oyster Malware)
- How Organizations Can Stay Protected
- Conclusion
- Frequently Asked Questions (FAQs)
Overview: What Is the Oyster Malware Campaign?
The Oyster malware—also known by names like Broomstick and CleanupLoader—has made a dangerous return, this time pretending to be popular IT tools like PuTTY, KeePass, and WinSCP. Disguised as legitimate software, the malware spreads through SEO poisoning, a method where attackers manipulate Google search results to rank malicious sites above official sources.
In July 2025, CyberProof researchers uncovered an active attack that lured an IT admin into downloading a fake PuTTY installer. The attack was quickly detected and stopped, but the event serves as a critical warning: these SEO attacks are becoming more targeted and convincing than ever before.
How Attackers Use SEO Poisoning to Spread Malware
SEO poisoning involves the intentional manipulation of search engine results to push harmful websites to the top. Attackers create domains like:
- putty[.]run
- putty[.]bet
- updaterputty[.]com
These sites mimic official download pages and trick users into downloading fake installers. Once downloaded and executed, the installer drops the Oyster backdoor, giving attackers control over the system.
Real-World Attack: Fake PuTTY Executable in Action
In the recent case, the malicious file was downloaded from danielaurel[.]tv. The file (PuTTY-setup.exe) had the following SHA256 hash:
a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb
Once executed, the installer:
- Dropped a malicious DLL named Zqin.dll
- Ran it via rundll32.exe
- Established a backdoor used to steal data and execute commands
Persistence Technique Used:
- Scheduled Task: "FireFox Agent INC"
- Runs Every 3 Minutes: the task re-launches the malware, so it remains active even after reboots
Technical Breakdown of the Oyster Attack Chain
| Stage | Description |
|---|---|
| Initial Vector | SEO poisoning with fake domains like putty[.]run |
| User Interaction | Victim downloads fake PuTTY installer |
| Execution | Drops Zqin.dll and runs it via rundll32.exe |
| Backdoor Activity | Collects data, executes commands, installs more malware |
| Persistence | Creates a repeating scheduled task |
| Certificate Abuse | Uses revoked digital certificates to bypass checks |
Why IT Admins Are the Main Target
This campaign specifically targets IT professionals who regularly search for remote access tools. The attackers know that system administrators trust software like PuTTY, KeePass, and WinSCP, making it easier to trick them.
According to Arctic Wolf, similar fake installer attacks were seen earlier in June 2025. These trojanized loaders are often precursors to ransomware, such as Rhysida.
IOC Table: Indicators of Compromise (Oyster Malware)
| Type | Indicator |
|---|---|
| Domains | updaterputty[.]com, zephyrhype[.]com, putty[.]run, putty[.]bet, puttyy[.]org |
| IPs | 194.213.18.89, 85.239.52.99 |
| File Hashes | 3d22a974..., a8e9f0da..., 3654c958... |
| File Name | Zqin.dll |
These indicators can be used in firewalls, antivirus systems, and EDR tools to block potential threats.
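As an added example (not part of the article), here is a small Python block-list matcher for the indicators above: it refangs the `[.]` notation, matches subdomains of the listed domains, and scans a constructed proxy log. The log layout, client addresses, URL paths and the benign destination are assumptions.

```python
# Added example (not from the original article): refang the defanged IOCs from
# the table above and match constructed proxy log lines against them.
import re

# Indicators exactly as listed in the IOC table (defanged with [.])
DEFANGED_DOMAINS = ["updaterputty[.]com", "zephyrhype[.]com", "putty[.]run",
                    "putty[.]bet", "puttyy[.]org"]
DEFANGED_IPS = ["194.213.18.89", "85.239.52.99"]

def refang(indicator):
    """Undo common defanging so the value can be matched against real traffic."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")

BLOCKED_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
BLOCKED_IPS = {refang(i) for i in DEFANGED_IPS}

def blocked_domain_for(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None

def indicator_for(url_or_host):
    """Extract the host from a URL or host:port and look it up in both lists."""
    host = re.sub(r"^[a-z]+://", "", url_or_host.lower()).split("/")[0].rsplit(":", 1)[0]
    if host in BLOCKED_IPS:
        return host
    return blocked_domain_for(host)

def scan_proxy_log(text):
    """Return (line_number, indicator) for each line whose destination matches.
    Assumed log layout: '<timestamp> <client_ip> <destination> ...'."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 3:
            indicator = indicator_for(fields[2])
            if indicator:
                hits.append((number, indicator))
    return hits

# Constructed sample log: destinations on lines 2-4 reuse indicators from the
# article; client IPs, timestamps, URL paths and line 1 are made up.
SAMPLE_PROXY_LOG = """\
2025-07-15T09:12:01Z 10.0.0.21 https://docs.example.com/ssh-clients
2025-07-15T09:12:44Z 10.0.0.21 https://putty.run/PuTTY-setup.exe
2025-07-15T09:13:02Z 10.0.0.21 http://194.213.18.89:8080/update
2025-07-15T09:15:10Z 10.0.0.33 https://cdn.updaterputty.com/dl
"""
```

Subdomain matching matters because a block list keyed on exact hostnames misses hosts like cdn.updaterputty.com that resolve under a listed domain.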
How Organizations Can Stay Protected
1. Educate Users: Train staff, especially IT admins, to verify download URLs and never trust high-ranking search results blindly.
2. Use Endpoint Detection and Response (EDR): Deploy advanced endpoint protection that monitors DLL injections and task creations.
3. Monitor for Suspicious Scheduled Tasks: Regularly audit scheduled tasks for unknown or irregular names.
4. Check Digital Certificates: Look for software signed with revoked certificates, which is a common tactic used in malware campaigns.
5. Block Malicious Domains and IPs: Use the IOC list to prevent access at the network level.
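As an added example (not from the article or from CyberProof's tooling), the following Python script applies steps 2 and 3 to exported Task Scheduler XML: it flags tasks whose action launches rundll32.exe, whose target sits under a user-writable path, or whose trigger repeats every five minutes or less. The task name and 3-minute interval come from the article; the DLL location, the export step and the 300-second threshold are assumptions.

```python
# Added example (not from the original article): audit exported Task Scheduler
# XML for the persistence pattern the article describes.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO 8601 duration (PT3M, PT1H30M, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def audit_task_xml(xml_text, max_interval_seconds=300):
    """Return a list of human-readable findings for one exported task."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).lower()
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if "rundll32" in cmd:
            findings.append(f"{name}: action runs rundll32 with '{args}'")
        # A DLL launched from a profile or temp directory deserves a closer look
        if re.search(r"\\(appdata|temp|users)\\", args, re.IGNORECASE):
            findings.append(f"{name}: target lives under a user-writable path")
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= max_interval_seconds:
            findings.append(f"{name}: trigger repeats every {secs} seconds")
    return findings

# Constructed sample: the task name and 3-minute repetition are from the
# article; the DLL path is assumed. On a host, the same XML comes from
# `schtasks /query /tn "<task>" /xml` or PowerShell's Export-ScheduledTask.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\FireFox Agent INC</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT3M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\Users\admin\AppData\Roaming\Zqin.dll,DllRegisterServer</Arguments>
  </Exec></Actions>
</Task>"""
```

Exported task files are UTF-16; read them with `open(path, encoding="utf-16").read()` before passing the text to `audit_task_xml`.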
Conclusion: A Wake-Up Call for the IT Community
This Oyster malware campaign is a serious cybersecurity threat, especially for IT admins who are typically the first line of defense in any organization. It shows how SEO poisoning can weaponize everyday searches to spread advanced malware.
Even though the recent attack was stopped before major damage occurred, it serves as a reminder to never trust downloads based on search rankings alone. Use trusted sources and official vendor websites whenever downloading tools.
As attackers evolve, defenders must stay one step ahead—especially when malware hides behind trusted names and familiar tools.
FAQs
What is Oyster malware?
Oyster malware is a backdoor tool, also known as Broomstick or CleanupLoader, that allows attackers to steal data, run commands, and download further payloads after infecting a system.
How is Oyster malware spreading?
It spreads through SEO poisoning: attackers promote fake software like PuTTY and KeePass using manipulated search engine results that lead users to malicious download sites.
What popular tools are being mimicked?
Oyster malware disguises itself as popular IT tools including PuTTY, KeePass, and WinSCP.
What is SEO poisoning?
SEO poisoning is a cyberattack technique where threat actors manipulate search engine results to direct users to malicious websites.
What happens when a user downloads the fake installer?
The installer drops a DLL (such as Zqin.dll) and uses rundll32.exe to execute it, establishing the Oyster backdoor on the system.
What kind of damage can Oyster malware cause?
It can steal credentials, gather system information, execute arbitrary commands, and act as a loader for ransomware such as Rhysida.
What domains are known to be associated with this campaign?
Domains include updaterputty[.]com, putty[.]run, putty[.]bet, zephyrhype[.]com, and puttyy[.]org.
How is persistence achieved in this attack?
The malware sets up a scheduled task named "FireFox Agent INC" to run every 3 minutes, ensuring it stays active.
Are revoked certificates being used?
Yes, attackers used revoked digital certificates to sign malicious installers, a technique observed in similar campaigns.
Who reported this malware activity?
CyberProof Threat Researchers uncovered the campaign in July 2025. Earlier variants were also tracked by Arctic Wolf.
Is sandbox analysis effective against this malware?
Yes, tools like Any.Run confirmed the file's malicious behavior during sandbox testing, which helped detect it early.
How can organizations protect against Oyster malware?
They should verify download sources, use endpoint detection tools, monitor for unusual scheduled tasks, and check for revoked certificates.
What is Rhysida ransomware?
Rhysida is a type of ransomware often associated with backdoors like Oyster, capable of encrypting files and demanding ransom payments.
What are some known hashes related to this malware?
One known hash is a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb, among others.
Can regular antivirus tools detect Oyster malware?
Not always, especially if the malware uses signed but revoked certificates. Advanced EDR tools are more effective.
How do attackers manipulate search results?
They use black-hat SEO tactics to rank malicious sites higher for searches like "download PuTTY" or "KeePass latest version."
Are IT admins specifically targeted?
Yes, the malware campaign targets IT admins because of their access to sensitive systems and credentials.
What is the role of scheduled tasks in this attack?
Scheduled tasks ensure the malware executes periodically, maintaining access even after system reboots.
How does the malware communicate with attackers?
Through backdoor channels, it can send data, receive commands, and fetch additional malicious payloads.
What should you do if you suspect infection?
Isolate the system immediately, analyze recent downloads, and check scheduled tasks and certificate logs.
Are these fake tools hosted on known malicious sites?
Yes, domains like updaterputty[.]com and putty[.]run are known malicious sources hosting trojanized installers.
What is Zqin.dll?
It's the malicious DLL dropped by the installer, which is executed via rundll32.exe to run the Oyster backdoor.
What is the SHA256 hash of the fake PuTTY installer?
The malicious file’s SHA256 is a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb.
How can organizations detect SEO poisoning campaigns?
By analyzing proxy logs, monitoring DNS queries, and identifying traffic to suspicious or newly registered domains.
What is Broomstick in the context of this malware?
Broomstick is an alternate name for the Oyster malware.
Can this malware be linked to ransomware attacks?
Yes, backdoors like Oyster often precede ransomware deployments like Rhysida.
What does the name “FireFox Agent INC” refer to?
It’s the name of the scheduled task used by the malware to maintain persistence.
What makes this malware campaign different?
It uses a combination of SEO poisoning, revoked certificates, and trusted tool impersonation to deceive even advanced users.
What kind of user was infected in the July 2025 case?
An unsuspecting IT admin downloaded a fake PuTTY installer, leading to malware installation.
How does Any.Run help in analysis?
Any.Run sandboxing helps simulate malware behavior in real-time to confirm threats like DLL execution and persistence tactics.