Cybersecurity experts warn of a campaign using fake, SEO-optimized websites impersonating legitimate tools like PuTTY and WinSCP to spread malware.
These convincing fake pages appear in Google searches, tricking IT and cybersecurity professionals into downloading trojanized versions of the software.
While the downloaded tools function normally, they secretly install the Oyster malware loader (also known as Broomstick or CleanUpLoader) onto Windows systems.
Oyster establishes persistence via scheduled tasks running every 3 minutes and uses techniques like process injection and obfuscation to evade detection.
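The persistence described above (a scheduled task that fires every 3 minutes) is cheap to hunt for on a Windows host. The following PowerShell is an added example written for this page, not code from the article or from any vendor report: it enumerates every scheduled task, keeps those with a repetition interval at or below an assumed threshold of 5 minutes (wide enough to catch a 3-minute task), and reports the executable each one runs together with its Authenticode signature status so the analyst can see at a glance which short-interval tasks launch unsigned or oddly located binaries. The threshold and output columns are assumptions; no task name or file path from the campaign is assumed.

```powershell
# Added example: hunt for short-interval scheduled tasks (a persistence pattern
# used by loaders such as Oyster). Run in an elevated PowerShell session.
# Threshold is an assumption; lower it to PT3M to match only 3-minute tasks.
$maxInterval = [System.Xml.XmlConvert]::ToTimeSpan('PT5M')

$findings = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($trigger in $task.Triggers) {
        $rep = $trigger.Repetition
        # Repetition.Interval is an ISO 8601 duration string such as "PT3M"
        if (-not ($rep -and $rep.Interval)) { continue }
        $interval = [System.Xml.XmlConvert]::ToTimeSpan($rep.Interval)
        if ($interval -gt $maxInterval) { continue }

        foreach ($action in $task.Actions) {
            # Only exec actions have an Execute path; COM handler actions do not
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables(($action.Execute -replace '"', ''))
            $sigStatus = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else {
                'FileMissingOrRelativePath'
            }
            [PSCustomObject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                State     = $task.State
                Interval  = $interval
                Execute   = $exe
                Arguments = $action.Arguments
                Signature = $sigStatus
                Author    = $task.Author
            }
        }
    }
}

# Unsigned or missing binaries on a tight repeat timer deserve the first look
$findings | Sort-Object Interval, Signature | Format-Table -AutoSize
```

Legitimate software (updaters, telemetry agents) also uses short repetition intervals, so treat the list as a triage queue rather than a verdict: a task whose binary is unsigned, lives under a user-writable directory such as %APPDATA% or %TEMP%, or was authored by an unexpected account is what this campaign's persistence would look like in the output.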
This stealthy loader acts as a backdoor, enabling command-and-control via HTTPS and facilitating the delivery of additional malicious payloads in multi-stage attacks.
Fake domains observed in the campaign include updaterputty[.]com, zephyrhype[.]com, putty[.]run, putty[.]bet, and puttyy[.]org; the same SEO-poisoning technique could just as easily be used to impersonate other widely used admin tools.
Users are strongly advised to download software only from official, trusted sources and manually type URLs instead of clicking top Google results.
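Typing the vendor's URL yourself removes the search-result lure, but the practitioner's check is to verify what was downloaded before running it. The following PowerShell is an added example for this page, not code published by the article or by the PuTTY or WinSCP projects: it compares the file's SHA-256 against the value the vendor publishes on its official download page and confirms the Authenticode signature is valid and chains to the expected signer. The expected hash and signer pattern are placeholders you must fill from the vendor's own page; the function name and parameters are assumptions made for this example.

```powershell
# Added example: verify a downloaded installer before running it.
# $ExpectedSha256 and $ExpectedSignerPattern are placeholders: take the hash from
# the vendor's official download page and the signer name from a known-good copy.
function Test-DownloadedTool {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [Parameter(Mandatory)] [string] $ExpectedSignerPattern
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 1. Hash check: the published SHA-256 is what ties the file to the vendor's release
    $actualHash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = $actualHash -ieq $ExpectedSha256.Trim()

    # 2. Authenticode check: Status must be Valid AND the certificate subject must be
    #    the expected signer. A trojanized build may be unsigned, or signed by someone else.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $sigOk = ($sig.Status -eq 'Valid') -and ($signer -like $ExpectedSignerPattern)

    [PSCustomObject]@{
        Path          = $Path
        Sha256Matches = $hashOk
        ActualSha256  = $actualHash
        SignatureOk   = $sigOk
        SignatureStat = $sig.Status
        Signer        = $signer
        SafeToRun     = $hashOk -and $sigOk
    }
}

# Example invocation (placeholder values; replace with the vendor-published hash
# and the subject of a known-good signing certificate before relying on the result)
$result = Test-DownloadedTool -Path "$env:USERPROFILE\Downloads\putty-installer.msi" `
    -ExpectedSha256 '<sha256 from the vendor download page>' `
    -ExpectedSignerPattern 'CN=<expected signer>*'
$result | Format-List
if (-not $result.SafeToRun) { Write-Warning 'Do not run this file: hash or signature check failed.' }
```

Both checks matter. A valid Authenticode signature alone only proves someone holds a code-signing certificate, which is why the signer subject is compared, and a hash alone is only as trustworthy as the page you copied it from, which is why the hash must come from the vendor's site reached by typing the URL, never from the same search result that served the download.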