SEO Poisoning & Malware: How Hackers Hijack Your Searches to Deliver Malware


🧠 Introduction: When Search Results Turn Against You

In an age where we trust search engines to lead us to legitimate downloads and helpful tools, a darker trend is emerging—SEO poisoning. Cybercriminals are now weaponizing search engines by using malvertising and phishing tactics to infect users with stealthy malware, including powerful stealers and loaders like Oyster (aka Broomstick), Vidar, and Lumma. This sophisticated manipulation doesn’t just affect random users—it specifically targets software professionals, SMBs, and crypto holders by impersonating trusted brands like Zoom, Microsoft, ChatGPT, and even Cloudflare.

📑 The Original Report: How Malware Sneaks Through Search Engines

Cybersecurity firm Arctic Wolf has revealed a malicious campaign that leverages search engine optimization (SEO) poisoning to distribute a malware loader known as Oyster, also called Broomstick or CleanUpLoader. Threat actors create fake websites offering trojanized versions of legitimate software tools such as PuTTY and WinSCP, which software professionals often seek via search engines.

Once downloaded and executed, the loader establishes persistence by creating a scheduled task that fires every three minutes. Each run launches a malicious DLL (twain_96.dll) through rundll32.exe, a signed Windows binary, so the payload executes under a trusted process name and is relaunched within minutes if it is killed or the machine reboots.
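To hunt for this persistence pattern on an endpoint, export the task definition with `schtasks /Query /TN <name> /XML` and check it for the two traits described above: a repetition interval of a few minutes, and a rundll32.exe action that loads a DLL from a directory an unprivileged dropper can write to. The Python below is an added example, not code from Arctic Wolf or from the report. The two task definitions it parses are constructed; the file path, the DllRegisterServer export name and the list of user-writable directories are illustrative assumptions, not indicators taken from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML export.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Directories an unprivileged dropper can write to; assumed watch list, not from the report.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def iso_duration_minutes(value):
    """Convert a Task Scheduler ISO 8601 duration (PT3M, PT1H30M, P1D) to minutes; None if unparsable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (value or "").strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def triage_task(xml_text, max_interval_min=5):
    """Flag a task that both repeats at a short interval and runs rundll32 on a DLL in a user-writable path."""
    root = ET.fromstring(xml_text)
    intervals = [iso_duration_minutes(e.text) for e in root.iter(TASK_NS + "Interval")]
    short = [i for i in intervals if i is not None and i <= max_interval_min]
    rundll_dlls = []
    for exe in root.iter(TASK_NS + "Exec"):
        cmd = (exe.findtext(TASK_NS + "Command") or "").strip().strip('"').lower()
        args = (exe.findtext(TASK_NS + "Arguments") or "").strip()
        if cmd.endswith("rundll32.exe") or cmd == "rundll32":
            # rundll32 takes "<dll>,<export>"; keep only the DLL path
            rundll_dlls.append(args.split(",")[0].strip().strip('"'))
    from_user_dir = [d for d in rundll_dlls if any(p in d.lower() for p in USER_WRITABLE)]
    return {
        "repeat_minutes": short,
        "rundll32_dlls": rundll_dlls,
        "dll_in_user_dir": from_user_dir,
        "suspicious": bool(short) and bool(from_user_dir),
    }


# Constructed task exports. The path under AppData and the DllRegisterServer export are
# placeholders chosen for the example, not artefacts recovered from the campaign.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-06-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\Users\victim\AppData\Roaming\twain_96.dll,DllRegisterServer</Arguments>
    </Exec>
  </Actions>
</Task>"""

# A benign daily task that also uses rundll32, to show that rundll32 alone is not the signal.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-06-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\System32\rundll32.exe</Command>
      <Arguments>C:\Windows\System32\shell32.dll,Control_RunDLL</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(label, triage_task(xml_text))
```

The check deliberately requires both traits. Plenty of legitimate tasks call rundll32.exe from System32, and plenty of legitimate tasks repeat every few minutes; it is the combination of a tight repetition loop with a DLL living in AppData, Temp or ProgramData that matches the loader's behaviour. In PowerShell, `Get-ScheduledTask | Export-ScheduledTask` produces the same XML for every task on a host, so the function can be run across a whole fleet's exports.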

Some of the malicious domains include:

`updaterputty[.]com`

`putty[.]run`

`zephyrhype[.]com`

In addition to Oyster, the campaign also spreads other well-known malware families such as Vidar Stealer and Lumma Stealer, often disguised as AI tools. These payloads arrive in password-protected ZIP archives padded to bloated sizes (~800MB): the password keeps scanners from inspecting the archive contents, and the inflated size pushes the file past the limits many antivirus engines and sandboxes will analyze, while still looking like a plausible installer to the victim.
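Both evasion tricks leave measurable traces that a triage pipeline can check before a file is ever executed. Filler is flat, low-entropy data, so an installer that is mostly filler has a long run of near-zero-entropy chunks at its tail; and a ZIP's central directory exposes each member's stored and compressed sizes and its encryption flag even when the archive is password-protected, so a member that shrinks by a large factor when compressed is a padded one. The Python below is an added example, not code from the report or from any vendor; the sample installer and archive it builds are constructed (64 KiB of SHA-256 output standing in for a packed installer, 1 MiB of zeros standing in for the hundreds of megabytes of filler), and the member name, chunk size and thresholds are assumptions.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter


def chunk_entropy(chunk):
    """Shannon entropy in bits per byte: 0.0 for a run of one value, close to 8.0 for packed or random data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def padding_profile(data, chunk_size=4096, low_bits=1.0):
    """Return (fraction of low-entropy chunks, bytes of low-entropy filler at the end of the file).
    A genuine installer is mostly compressed payload; one bloated with filler is mostly flat."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    if not chunks:
        return 0.0, 0
    low = [chunk_entropy(c) < low_bits for c in chunks]
    trailing = 0
    for c, is_low in zip(reversed(chunks), reversed(low)):
        if not is_low:
            break
        trailing += len(c)
    return sum(low) / len(chunks), trailing


def zip_inflation(zip_bytes, ratio_limit=10.0):
    """Inspect a ZIP from its central directory only, so no password is needed: member names,
    stored vs. compressed sizes and the encryption flag are readable without extracting anything."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            report.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & 0x1),  # general-purpose bit 0 = encrypted member
                "uncompressed": info.file_size,
                "ratio": ratio,
                "inflated": ratio > ratio_limit,          # filler compresses away almost entirely
            })
    return report


def build_samples():
    """Constructed inputs, not real malware: deterministic pseudo-random bytes stand in for a packed
    installer, 1 MiB of zeros stands in for the filler, and the member name is made up."""
    body = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(2048))  # 64 KiB
    padded_installer = body + b"\x00" * (1024 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ChatGPT_Setup.exe", padded_installer)
    return body, padded_installer, buf.getvalue()


if __name__ == "__main__":
    body, padded, zipped = build_samples()
    print("padded installer (low-entropy fraction, trailing filler bytes):", padding_profile(padded))
    print("clean body:", padding_profile(body))
    for entry in zip_inflation(zipped):
        print(entry)
```

The entropy profile works on the extracted installer, and the ratio check works on the archive before extraction; in practice the second runs first, because it needs neither the password nor the disk space for an 800MB file. The ratio threshold is deliberately modest: a real payload packed with NSIS barely compresses at all, so even a 10:1 shrink of the whole member means most of it was filler.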

The method of attack is multilayered:

Landing pages first profile each visitor with JavaScript-based browser fingerprinting and ad blocker detection, filtering out researchers, sandboxes and automated scanners before any payload is served.
Victims that pass the check are redirected through a chain of phishing domains until they download a trojanized installer.
The installers, built as NSIS or MSI packages, silently execute scripts and drop the malware.

Campaigns extend beyond software installers:

Some spoof brand help pages, such as Netflix, Microsoft, or Facebook, using search parameter injection: the attacker crafts a link to the brand's real search page with the query set to a fake support number and urgent wording, so the legitimate site itself displays the scam number and tricks users into calling it.
Others use Google Calendar links and malicious Node.js packages to control malware like PayDay Loader, which targets cryptocurrency wallets.
Facebook is also a hotspot, where attackers use malicious ads to trick users into downloading infected applications or revealing sensitive data.
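The search parameter injection trick leaves the phone number in the URL itself, which makes it visible in proxy logs, ad-click logs and URL reputation feeds. The Python below is an added example, not code from the report or from any of the named vendors: it parses each URL, looks only at query parameters that typically carry a site's search term, and flags a value that contains both a phone-number pattern and call-to-action wording. The sample URLs are constructed, with placeholder hosts and 555 numbers; the parameter-name list, phone pattern and bait vocabulary are assumptions that would be tuned to real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query-string keys that commonly carry a site's search term (assumed list).
SEARCH_KEYS = {"q", "query", "search", "s", "keyword", "kw", "term"}

# North American style numbers are enough for the constructed samples below.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Wording a scam page uses to push the victim toward the phone; a phone number alone is not enough.
BAIT_RE = re.compile(
    r"\b(?:call|helpline|toll[\s-]?free|customer\s+(?:care|service)|support\s+(?:number|line)|phone)\b",
    re.I,
)


def search_param_injection(url):
    """Return (param, phone, text) triples for search parameters carrying a phone number plus
    call-to-action wording; an empty list means the URL looks like an ordinary search."""
    parts = urlsplit(url)
    hits = []
    # parse_qs already percent-decodes and turns '+' into spaces
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() not in SEARCH_KEYS:
            continue
        for text in values:
            phones = PHONE_RE.findall(text)
            if phones and BAIT_RE.search(text):
                hits.append((key, phones[0], text))
    return hits


def scan_urls(urls):
    """Run the check over a batch (proxy log, ad-click export) and return (url, phone) for each hit."""
    flagged = []
    for url in urls:
        hits = search_param_injection(url)
        if hits:
            flagged.append((url, hits[0][1]))
    return flagged


# Constructed sample URLs; hosts and 555 numbers are placeholders, not real indicators.
SAMPLE_URLS = [
    "https://help.example-brand.com/search?q=Call+%2B1-888-555-0142+Customer+Care+24x7",
    "https://help.example-brand.com/search?q=cancel+subscription",
    "https://www.example-brand.com/support/search?query=Toll+Free+Helpline+(800)+555-0177",
    "https://www.example-brand.com/search?s=order+1234567890",  # digits, but no bait wording
]

if __name__ == "__main__":
    for url, phone in scan_urls(SAMPLE_URLS):
        print(f"{phone:>18}  {url}")
```

Requiring both signals keeps the false-positive rate manageable: the fourth sample contains a ten-digit order number that matches the phone pattern, but without "call" or "helpline" around it the URL is left alone. On the defensive side, the durable fix belongs to the brand: a search page should not echo the raw query into prominent page text, and it should be excluded from search-engine indexing so a poisoned query cannot be ranked or advertised in the first place.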

Romanian firm Bitdefender and Russian company Kaspersky confirmed a dramatic rise in such activities, especially targeting SMBs. In early 2025, over 8,500 SMB users were targeted by malicious software disguised as tools like ChatGPT, Microsoft Teams, and Zoom.

One network named GhostVendors operates over 4,000 fake marketplaces, using brief Facebook ad bursts to avoid Meta’s detection systems. Chinese threat actors are also involved, primarily in phishing campaigns that steal credit card information under the guise of popular shopping platforms.

🧠 What Undercode Says:

🔍 SEO Poisoning is Evolving Fast

The digital landscape is seeing a marked increase in malicious SEO strategies. Rather than relying on traditional phishing emails or exploit kits, cybercriminals are gaming the algorithms behind search engine rankings to distribute malware directly through search results and ads. This makes attacks far more scalable and stealthy, catching even the most cautious users off guard.

🎯 Who’s Being Targeted?

It’s clear that IT professionals, small business owners, and crypto investors are in the crosshairs. These groups are more likely to download tools, interact with AI platforms, or search for cloud services—all avenues through which stealers and loaders are being delivered. The impersonation of tools like OpenAI ChatGPT, Cisco AnyConnect, and Microsoft Office reveals a precise understanding of user behavior.

💼 Enterprise Impact & Brand Trust

Organizations depending on third-party tools now face a double risk: potential infection from trusted-sounding downloads and reputational damage if their brand is spoofed in a scam. Companies like Zoom, Microsoft, and even Google are being used as trojan horses for malware.

🔁 Reuse of Infrastructure

Interestingly, attackers are reusing email accounts, Google Calendar links, and Node.js scripts across campaigns—suggesting that a single actor or coordinated group is responsible for many of these threats. This consolidation increases the efficiency of their operations while making them harder to stop.

🛑 Ads Are No Longer Safe

Whether through Google Ads, sponsored results, or Facebook Marketplace, ad-based delivery of malware is becoming the new normal. Since these platforms rely heavily on automation for moderation, they’ve become playgrounds for well-funded threat actors.

🧩 The Stealth Factor: File Size & Bypass Techniques

The use of 800MB+ NSIS installers, AutoIt scripts, and password-protected archives is aimed squarely at bypassing endpoint detection: oversized files exceed the size limits of many scanners and sandboxes, scripted stagers hide the real logic from static signatures, and encrypted archives cannot be inspected until the user types in the password. This leaves signature-based antivirus less effective and pushes defenders toward behavioral analysis, application control, and least-privilege, zero-trust models.

💣 The Cross-Platform Reach

From macOS threats like Poseidon Stealer to Windows-based loaders, these campaigns aren’t platform-specific. The line between operating systems has blurred for attackers who now craft modular malware that adapts based on where it’s deployed.

✅ Fact Checker Results:

  1. True – SEO poisoning is actively used to spread malware, including loaders and stealers, through manipulated search results and fake ads.
  2. True – Multiple cybersecurity firms (Arctic Wolf, Kaspersky, Bitdefender) confirm a surge in malware targeting AI and productivity tools.
  3. True – Threat actors use ad platforms like Google and Facebook to bypass traditional phishing defenses and deliver malware stealthily.

🔮 Prediction 🧠

As AI-related searches, remote work tools, and cryptocurrency adoption continue to rise, threat actors will further refine SEO poisoning and malvertising tactics. Expect future attacks to integrate AI-generated content, deepfakes, and malicious browser extensions into their campaigns. Unless major search engines and ad platforms implement real-time verification systems and sandboxed downloads, this form of attack will continue to escalate—targeting both individuals and enterprises on a global scale.

References:

Reported By: thehackernews.com