Microsoft AppLocker Flaw Enables Security Bypass
July 28, 2025
Multiple Microsoft Windows Products Vulnerabilities
July 28, 2025
July 28, 2025
Severity
High
Analysis Summary
The resurfaced Oyster malware, also known as Broomstick or CleanupLoader, has re-emerged in July 2025 with a sophisticated SEO poisoning campaign, targeting IT administrators by disguising itself as trusted software like PuTTY, KeyPass, and WinSCP. Active since at least 2023, Oyster uses fake installers to deploy malicious payloads, often serving as a precursor to ransomware infections such as Rhysida. In a real-world incident investigated by CyberProof, a fake PuTTY executable downloaded from danielaurel[.]tv dropped a malicious DLL (zqin.dll) and executed it using rundll32.exe, thereby installing the Oyster backdoor.
The infection chain begins when users search for legitimate tools, only to encounter SEO-poisoned results redirecting them to malicious domains like updaterputty[.]com, putty[.]run, and putty[.]bet. These fake sites host trojanized installers that appear authentic. Once executed, the installer establishes persistence via a scheduled task named "FireFox Agent INC", running every three minutes to ensure the backdoor survives reboots. This malware is capable of stealing credentials, collecting system information, executing remote commands, and downloading further payloads.
Further investigation revealed that the malicious installer was signed using a revoked digital certificate, a tactic seen in other campaigns abusing tools like ConnectWise ScreenConnect. VirusTotal scans linked multiple files to the same revoked certificate, indicating a coordinated and wide-ranging operation. Proxy logs confirmed the victim’s visit to the malicious sites, and sandbox analysis (via Any.Run) verified the execution of the backdoor components and the creation of persistence mechanisms. While no additional lateral movement or exploitation occurred due to timely detection, the risk of ransomware or data exfiltration was significant.
This campaign emphasizes the increasing danger of malvertising and SEO poisoning targeting trusted IT software. Having previously impersonated Chrome and Microsoft Teams, the attackers have now shifted focus toward admin-centric tools, exploiting the trust placed in familiar programs. To defend against such threats, organizations must educate users on verifying download sources, implement multi-factor authentication, monitor for revoked digital certificates, detect unusual scheduled tasks, and deploy robust EDR solutions. Proactive threat hunting and awareness of ongoing SEO poisoning trends remain critical to preventing initial compromise.
Impact
- Credential Theft
- File Encryption
- Double-Extortion
- Gain Access
Indicators of Compromise
Domain Name
- updaterputty.com
- zephyrhype.com
- putty.run
- putty.bet
IP
- 194.213.18.89
- 85.239.52.99
MD5
- 8eb873ad112121cdfd0cc72688aa229f
- e9861ea770dfb936d8ba55ae01ad9c9b
- 4a34803ac9d86e5a13e7cd4d1fda1409
SHA-256
- 3d22a974677164d6bd7166e521e96d07cd00c884b0aeacb5555505c6a62a1c26
- a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb
- 3654c9585f3e86fe347b078cf44a35b6f8deb1516cdcd84e19bf3965ca86a95b
SHA1
- 834910945ee39c185366b60fc4161937f468fd80
- e7bba2414ab59b6abf1a86698ba39f48237486f0
- 48e43cf9c76c2a663bf5cf1f7c6868a7d0ced1a2
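The indicators above are only useful once they are swept against your own telemetry. The following Python script is an added example (not part of the advisory, not CyberProof's or Any.Run's tooling) that matches the advisory's domains, IPs and SHA-256 hashes against a proxy log and a file-hash inventory. The proxy log format (timestamp, client, method, URL, destination IP) and the inventory format (path,sha256) are constructed assumptions; the sample lines are constructed for the example and the file paths in them are invented. Domains are matched on the host exactly or as a parent of a subdomain, so a later `cdn.putty.run` would still be caught.

```python
"""Sweep Oyster campaign IoCs (from the advisory above) over local telemetry.

Added example: the log/inventory formats and sample lines are constructed
assumptions, not an export format from any specific product.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators exactly as published in the advisory.
OYSTER_DOMAINS = {"updaterputty.com", "zephyrhype.com", "putty.run", "putty.bet"}
OYSTER_IPS = {"194.213.18.89", "85.239.52.99"}
OYSTER_SHA256 = {
    "3d22a974677164d6bd7166e521e96d07cd00c884b0aeacb5555505c6a62a1c26",
    "a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb",
    "3654c9585f3e86fe347b078cf44a35b6f8deb1516cdcd84e19bf3965ca86a95b",
}

# Constructed proxy log: "<ts> <client> <method> <url> <dest_ip>" per line.
# The first and third lines are benign downloads; the second and fourth hit IoCs.
SAMPLE_PROXY_LOG = """\
2025-07-21T09:12:01Z 10.0.4.17 GET https://www.chiark.greenend.org.uk/~sgtatham/putty/ 212.13.197.229
2025-07-21T09:14:33Z 10.0.4.17 GET https://updaterputty.com/download/putty.exe 194.213.18.89
2025-07-21T09:14:40Z 10.0.4.22 GET https://cdn.example.net/winscp.zip 203.0.113.9
2025-07-21T09:20:05Z 10.0.4.17 POST https://zephyrhype.com/api/beacon 85.239.52.99
"""

# Constructed file inventory: "<path>,<sha256>" per line (paths are invented).
SAMPLE_INVENTORY = """\
C:\\Program Files\\PuTTY\\putty.exe,0000000000000000000000000000000000000000000000000000000000000001
C:\\Users\\jdoe\\Downloads\\setup.exe,3d22a974677164d6bd7166e521e96d07cd00c884b0aeacb5555505c6a62a1c26
C:\\Users\\jdoe\\AppData\\Roaming\\loader.dll,A8E9F0DA26A3D6729E744A6EA566C4FD4E372CEB4B2E7FC01D08844BFC5C3ABB
"""


def host_matches(host: str) -> Optional[str]:
    """Return the indicator domain matched by an exact host or one of its subdomains."""
    host = host.lower().rstrip(".")
    for domain in OYSTER_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_proxy_log(text: str) -> List[Dict]:
    """Return one hit per log line whose URL host or destination IP is an IoC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:  # skip malformed lines rather than crash the sweep
            continue
        ts, client, _method, url, dest_ip = parts
        reasons = []
        domain = host_matches(urlsplit(url).hostname or "")
        if domain:
            reasons.append("domain:" + domain)
        if dest_ip in OYSTER_IPS:
            reasons.append("ip:" + dest_ip)
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return hits


def scan_file_inventory(text: str) -> List[str]:
    """Return paths whose SHA-256 (case-insensitive) is a published indicator."""
    flagged = []
    for line in text.splitlines():
        path, _, digest = line.rpartition(",")
        if digest.strip().lower() in OYSTER_SHA256:
            flagged.append(path)
    return flagged


def affected_hosts(proxy_hits: List[Dict]) -> List[str]:
    """Distinct client addresses that contacted Oyster infrastructure."""
    return sorted({hit["client"] for hit in proxy_hits})


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(hit["ts"], hit["client"], hit["url"], ", ".join(hit["reasons"]))
    print("hosts to isolate/triage:", affected_hosts(hits))
    print("files matching published hashes:", scan_file_inventory(SAMPLE_INVENTORY))
```

Feed the script the relevant export from your proxy and EDR file-inventory, and treat a domain hit on a client as a trigger to pull that host's scheduled tasks and recent rundll32.exe executions, which is where the persistence described above will show.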
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Always download software from official vendor websites or trusted repositories to avoid SEO-poisoned fake installers.
- Educate employees, especially IT admins, on spotting phishing attempts, SEO manipulation, and fake download pages.
- Use multi-factor authentication (MFA) across all critical systems to limit the impact of credential theft.
- Deploy endpoint detection and response (EDR) tools to catch behaviors like DLL injection and unauthorized task creation.
- Regularly audit scheduled tasks to detect persistence mechanisms like the "FireFox Agent INC" task.
- Block access to known malicious domains and IP addresses linked to the Oyster campaign.
- Monitor for the use of revoked or suspicious digital certificates in executable files.
- Conduct routine threat hunting to identify signs of malware activity or backdoor communications.
- Analyze suspicious files in a sandbox before allowing execution in live environments.
- Keep all systems, browsers, and security tools updated to prevent exploitation through known vulnerabilities.
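The scheduled-task audit in the remediation list is easy to automate once the task list is exported. The Python script below is an added example (not from the advisory) that reads the CSV produced by `schtasks /query /fo CSV /v` on each host and flags tasks that show the traits described above: a repeat interval of a few minutes, or a LOLBin such as rundll32.exe launching a DLL from a user-writable directory. The column names "TaskName", "Task To Run" and "Repeat: Every" are those emitted by schtasks; the sample rows are constructed for the example (the "FireFox Agent INC" task mirrors the one described in the analysis, the DLL path and entry point are invented), and the list of LOLBins and writable paths is an assumption you should extend for your environment.

```python
"""Flag suspicious scheduled tasks in a `schtasks /query /fo CSV /v` export.

Added example: sample rows are constructed; the LOLBin and writable-path
lists are assumptions to be tuned per environment.
"""
import csv
import io
import re
from typing import Dict, List, Optional

# Binaries commonly used to launch attacker-supplied code (assumed list).
LOLBINS = ("rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe")
# Directories a standard user can write to (assumed list).
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)

# Constructed export with a subset of the schtasks /v columns.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Next Run Time","Status","Author","Task To Run","Run As User","Schedule Type","Repeat: Every"
"WS-017","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly","N/A"
"WS-017","\FireFox Agent INC","7/21/2025 9:18:00 AM","Ready","WS-017\jdoe","rundll32.exe C:\Users\jdoe\AppData\Roaming\zqin.dll,#1","jdoe","One Time Only","0 Hour(s), 3 Minute(s)"
"WS-017","\GoogleUpdateTaskMachineUA","7/21/2025 10:00:00 AM","Ready","","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","SYSTEM","Daily","1 Hour(s), 0 Minute(s)"
'''


def repeat_minutes(field: str) -> Optional[int]:
    """Parse schtasks' 'H Hour(s), M Minute(s)' repeat field; 'N/A' -> None."""
    if not field or field.strip().upper() == "N/A":
        return None
    hours = re.search(r"(\d+)\s*Hour", field)
    minutes = re.search(r"(\d+)\s*Minute", field)
    total = 0
    if hours:
        total += int(hours.group(1)) * 60
    if minutes:
        total += int(minutes.group(1))
    return total


def audit_tasks(csv_text: str, max_repeat_minutes: int = 5) -> List[Dict]:
    """Return findings for tasks with beacon-like repetition or LOLBin-from-writable-path actions."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        command = row.get("Task To Run", "")
        reasons = []

        interval = repeat_minutes(row.get("Repeat: Every", ""))
        if interval is not None and 0 < interval <= max_repeat_minutes:
            reasons.append("repeats every %d min" % interval)

        lowered = command.lower()
        if any(b in lowered for b in LOLBINS) and USER_WRITABLE.search(command):
            reasons.append("LOLBin launched from user-writable path")

        if reasons:
            findings.append({"host": row.get("HostName", ""), "task": name,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_SCHTASKS_CSV):
        print(finding["host"], finding["task"])
        print("   ", finding["command"])
        print("   ", "; ".join(finding["reasons"]))
```

Run it against the export from every host in scope and review each finding's "Author" and "Run As User" columns as well: a task created by a standard user that launches rundll32.exe from that user's profile is the pattern described in the analysis, whereas vendor updaters repeat hourly or daily from Program Files.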