Date: 2025-07-08
Malware, Threat Intelligence
Oyster malware loader spread in malvertising campaign
Threat actors have been using search engine optimization (SEO) poisoning to promote bogus utility websites that distribute the Oyster malware loader as part of a new malvertising campaign, according to The Hacker News.
Malicious websites serving trojanized versions of utilities, including updaterputty[.]com, putty[.]bet, puttyy[.]org, putty[.]run, and zephyrhype[.]com, not only execute the Oyster backdoor, also known as CleanUpLoader or Broomstick, but also establish a scheduled task that runs a malicious DLL to ensure persistence on the compromised system, Arctic Wolf researchers reported. The findings follow a Zscaler ThreatLabz study detailing another SEO poisoning campaign that used artificial intelligence-related keywords to deliver the Lumma, Vidar, and Legion Loader payloads. Meanwhile, Kaspersky reported that malware masquerading as widely used AI and collaboration tools, including OpenAI's ChatGPT, Microsoft Teams, Google Drive, and Zoom, compromised almost 8,500 small and medium-sized businesses during the first four months of 2025.
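For defenders reviewing hosts for the scheduled-task DLL persistence described above, the following added example (not code from Arctic Wolf or from this article) parses Task Scheduler XML, as exported with `schtasks /query /xml`, and reports actions that load a DLL. The host-binary list, the user-writable path list, the function name and the sample task definitions are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: host binaries a task action would use to load a DLL.
DLL_HOSTS = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}
# Assumption: user-writable locations where a task-loaded DLL deserves review.
USER_WRITABLE = re.compile(
    r"[\\%](appdata|localappdata|temp|downloads|programdata|public)[\\%]", re.I)
DLL_PATH = re.compile(r'"?((?:[A-Za-z]:|%\w+%)\\[^",]+?\.dll)', re.I)

def dll_task_findings(task_xml):
    """Return (host, dll_path, user_writable) per Exec action that loads a DLL."""
    findings = []
    root = ET.fromstring(task_xml)
    for action in root.findall("./t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", "", NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", "", NS).strip()
        # Reduce the command to its file name so full paths and bare names match.
        host = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        match = DLL_PATH.search(arguments)
        if host in DLL_HOSTS and match:
            dll = match.group(1)
            findings.append((host, dll, bool(USER_WRITABLE.search(dll))))
    return findings

# Constructed sample task definitions (not taken from the campaign).
SAMPLE_FLAGGED = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec>
    <Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>"C:\Users\alice\AppData\Roaming\example\sample.dll",ExampleExport</Arguments>
  </Exec></Actions>
</Task>"""
SAMPLE_OTHER = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions>
    <Exec><Command>regsvr32.exe</Command>
      <Arguments>/s C:\Windows\System32\example.dll</Arguments></Exec>
    <Exec><Command>C:\Tools\backup.exe</Command><Arguments>--nightly</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("flagged", SAMPLE_FLAGGED), ("other", SAMPLE_OTHER)):
        for host, dll, writable in dll_task_findings(xml_text):
            print(name, host, dll, "REVIEW" if writable else "ok")
```

A flagged result is a lead for triage, not a verdict: confirm the DLL's signer, hash and creation time against the task's registration time before acting.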
