Malvertising and SEO Poisoning Used to Deliver Trojanized PuTTY and WinSCP to IT Professionals

July 11th, 2025

Severity Level: High

Technical Details

  • Activity: SEO poisoning and Bing malvertising campaigns targeting IT users.

  • Threat Severity: High.

  • Delivery Mechanism:

    • Fake domains serve as lookalike installers for PuTTY and WinSCP.

    • Downloaded executables include an embedded malware loader (Oyster/Broomstick).

  • Persistence Technique:

    • Malware drops twain_96.dll and creates a scheduled task that runs every 3 minutes.

    • Executed via rundll32.exe using the DllRegisterServer export.

    • This abuse of DLL registration ensures stealth and persistence on the infected system.

  • Payload Capabilities:

    • Secure HTTPS-based command and control.

    • Process injection, obfuscation, and modular payload loading.

Our Cyber Threat Intelligence Unit has identified an active threat campaign in which cybercriminals leverage malvertising (ads with embedded malware) and SEO poisoning to deliver Trojanized installers of PuTTY and WinSCP. These attacks specifically target IT professionals and system administrators, who frequently rely on these tools for secure access and file transfers. By hijacking search results and placing malicious sponsored ads on platforms like Bing, attackers lure users to fake websites where they unknowingly download malware-laced software. The final payload, a backdoor loader known as Oyster (also referred to as Broomstick), establishes persistent access and opens the door for remote control, data theft, and the deployment of additional malware.

Impact

  • Compromise of trusted administrative tools.

  • Remote access and control of infected endpoints.

  • Credential theft or lateral movement across enterprise networks.

  • Degraded operational security in IT environments.

  • Elevated risk of further compromise if the infected system has privileged access.

Detection Method

  • Monitor for downloads of PuTTY or WinSCP from unofficial sources or search engine ads.

  • Inspect task scheduler entries that invoke rundll32.exe with twain_96.dll.

  • Use DNS/proxy logs to detect traffic to fake domains (listed in IOCs).

  • Watch for repeated execution of unknown executables every 3 minutes via scheduled tasks.

  • Configure EDR solutions to detect suspicious DLL behavior and code injection patterns.

  • Correlate endpoint activity with user activity logs to identify abnormal installer downloads by IT personnel.
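As an added example (not code from the original advisory), the following Python check applies the scheduled-task indicators above to task definitions exported with `schtasks /query /xml`: it flags rundll32 actions that load a DLL, name twain_96.dll, invoke DllRegisterServer, or repeat on a 3-minute interval. Both task XML samples are constructed for illustration, and the DLL path in the suspicious sample is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by `schtasks /query /xml` exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample (not a real capture) of the persistence task described in the
# advisory: rundll32.exe loading twain_96.dll via DllRegisterServer every 3 minutes.
SUSPICIOUS_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval></Repetition>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\\Users\\Public\\twain_96.dll,DllRegisterServer</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: a vendor updater on a daily trigger, no rundll32 involved.
BENIGN_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>"""


def find_rundll32_dll_tasks(task_xml: str) -> list:
    """Return one finding per rundll32 action that matches the advisory's persistence traits."""
    root = ET.fromstring(task_xml)
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS).strip()
    findings = []
    for exec_node in root.findall(".//t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        if "rundll32" not in cmd.lower():
            continue  # only rundll32-based actions are in scope for this check
        reasons = []
        if re.search(r"\.dll\b", args, re.IGNORECASE):
            reasons.append("rundll32 used to load a DLL from a scheduled task")
        if "twain_96.dll" in args.lower():
            reasons.append("known loader file name twain_96.dll")
        if "dllregisterserver" in args.lower():
            reasons.append("DllRegisterServer export invoked")
        if interval.upper() == "PT3M":
            reasons.append("3-minute repetition interval")
        if reasons:
            findings.append({"command": cmd, "arguments": args, "interval": interval, "reasons": reasons})
    return findings
```

The number of matched reasons gives a simple severity ordering: a rundll32 task that trips all four is a direct match for the persistence mechanism described in this advisory.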

Indicators of Compromise

| Type | Indicator | Description |
|---|---|---|
| Domain | updaterputty[.]com | Fake PuTTY site used in SEO poisoning/malvertising campaign |
| Domain | puttyy[.]org | Spoofed site mimicking PuTTY download portal |
| Domain | putty[.]run | Malicious download page |
| Domain | putty[.]bet | SEO-targeted delivery domain |
| Domain | zephyrhype[.]com | Associated malicious redirect |
| File (DLL) | twain_96.dll | Malicious loader file dropped to disk |
| Process/Task | rundll32.exe | Executes malicious DLL via "DllRegisterServer" |

Recommendations

  • Avoid Search-Based Downloads: Enforce policy to only download tools from official vendor websites or internal repositories and block sponsored software ads from Bing or Google where feasible.

  • Block Malicious Domains: Add identified IOCs to DNS filtering, web proxy, and firewall rules.

  • Harden Task Scheduler Monitoring: Flag and investigate suspicious scheduled tasks invoking rundll32 with DLLs.

  • Enhance EDR Coverage: Ensure detection rules are in place for DLL injection, rundll32 abuse, and reflective loading.

  • User Awareness: Train IT personnel and system admins to verify software sources and report suspicious redirects.

  • Proactive Threat Hunting: Investigate systems for signs of persistence, unusual DLLs, or unexpected scheduled tasks.

Conclusion

This campaign highlights the growing use of malvertising and SEO manipulation to compromise trusted administrative tools and high-privilege users. By distributing backdoored versions of PuTTY and WinSCP through sponsored ads and fake download pages, attackers are exploiting high-trust software pathways to breach corporate environments. This tactic is consistent with recent warnings from the FBI about malicious file converter websites, illustrating a rising trend where threat actors exploit legitimate services to distribute malware.

The use of scheduled tasks, DLL hijacking, and reflective malware loaders enables long-term persistence and evasion of traditional defenses, making this campaign particularly dangerous in environments that rely heavily on these administrative tools. We urge organizations to prioritize endpoint monitoring, implement strict download policies, and educate users about this increasingly effective and stealthy threat. By combining technical safeguards with robust cyber hygiene practices, security teams can reduce the risk of infiltration and prevent downstream compromise across critical systems.