249/68 Wednesday, July 9, 2025

Cybersecurity experts from Arctic Wolf and Zscaler have issued warnings about an ongoing SEO poisoning campaign, in which cybercriminals manipulate Google search results to lure users, especially small and medium-sized businesses (SMBs), into downloading malware disguised as legitimate software. The primary malware used in this campaign is Oyster Loader (also known as Broomstick or CleanUpLoader), which is embedded in DLL files and configured to run every three minutes to establish a backdoor on the system. The attackers have created spoofed websites that closely resemble the legitimate ones for popular tools such as PuTTY, WinSCP, and even ChatGPT, tricking victims into downloading malware-laced applications.
The attackers are not only faking download sites but are also employing more sophisticated techniques, such as packaging malware inside password-protected ZIP files that contain large executables made to look like legitimate software. These payloads include Vidar Stealer, Lumma Stealer, RedLine, and Legion Loader. There are also reports of fake CAPTCHA pages mimicking Cloudflare that use a technique called ClickFix to harvest user data. Additionally, the malware is being spread through Facebook ads that specifically target users interested in AI tools, VPNs, or popular enterprise applications such as Microsoft Teams, Zoom, Salesforce, Google Drive, and Cisco AnyConnect. Over 8,500 victims were reported in just the first four months of 2025.
The rise of SEO poisoning demonstrates that cybercriminals are continuously evolving their tactics to be more deceptive and technically advanced. One such technique, search parameter injection, is used to make fake phone numbers that appear on the support pages of major brands such as Apple, PayPal, and Netflix look legitimate. Other scams include fake ads on Facebook Marketplace from a fraud network called GhostVendors, which takes payments but never delivers the products.
These incidents highlight the urgent need for caution when searching for and downloading software online. Users at all levels should ensure they access tools only from official websites and avoid clicking on ads or suspicious links under any circumstances.
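As an added illustration of the advice above (example code written for this summary, not taken from the article or from Arctic Wolf or Zscaler), the following Python check classifies a download URL as coming from an allowlisted official site, from a lookalike hostname, or from an unknown source. The allowlist of official hosts, the tiny public-suffix subset and the sample URLs are assumptions constructed for the example; a real deployment would maintain its own allowlist and use a full public-suffix list.

```python
"""Classify software download URLs against an allowlist of official hosts.

Added example, not from the article. The allowlist, the public-suffix
subset and the sample URLs below are constructed assumptions.
"""
from urllib.parse import urlparse

# Constructed allowlist: brand -> hostnames a practitioner chooses to trust.
OFFICIAL_HOSTS = {
    "putty": {"www.chiark.greenend.org.uk"},
    "winscp": {"winscp.net"},
    "chatgpt": {"chatgpt.com", "openai.com"},
}

# Tiny constructed subset of multi-label public suffixes (real lists are long).
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}

# Edit distance at or below this value marks a core label as a lookalike.
MAX_LOOKALIKE_DISTANCE = 1


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Return the registrable part of a hostname (e.g. 'greenend.org.uk')."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def core_label(host: str) -> str:
    """The label a user actually reads: 'winscp' for 'download.winscp.net'."""
    return registrable(host).split(".")[0]


# Precomputed core labels of the official hosts, mapped back to their brand.
OFFICIAL_CORES = {
    core_label(h): brand for brand, hosts in OFFICIAL_HOSTS.items() for h in hosts
}


def classify(url: str) -> tuple:
    """Return ('official', brand), ('lookalike', brand) or ('unknown', None)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("unknown", None)

    # 1. Exact host or a subdomain of an allowlisted host is official.
    for brand, hosts in OFFICIAL_HOSTS.items():
        for official in hosts:
            if host == official or host.endswith("." + official):
                return ("official", brand)

    # 2. A brand name embedded in a non-official host is a lookalike
    #    (e.g. 'putty-download.example').
    for brand in OFFICIAL_HOSTS:
        if brand in host:
            return ("lookalike", brand)

    # 3. A core label within a small edit distance of an official core label
    #    is a lookalike (e.g. 'wlnscp.net', 'chat-gpt.example', 'winscp.com').
    core = core_label(host)
    best = min(OFFICIAL_CORES, key=lambda c: edit_distance(core, c))
    if edit_distance(core, best) <= MAX_LOOKALIKE_DISTANCE:
        return ("lookalike", OFFICIAL_CORES[best])

    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample URLs, not real campaign indicators.
    for sample in [
        "https://winscp.net/eng/download.php",
        "https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html",
        "https://putty-download.example/putty.exe",
        "https://wlnscp.net/setup.zip",
        "https://chat-gpt.example/installer.zip",
        "https://files.example.org/tool.zip",
    ]:
        print(classify(sample), sample)
```

The three tiers deliberately treat anything that is not on the allowlist as suspect: a lookalike verdict is a strong signal to block or alert on, and an unknown verdict should still require a human to confirm the source before the download proceeds.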
Source: https://thehackernews.com/2025/07/seo-poisoning-campaign-targets-8500.html