Since early June 2025, Arctic Wolf has observed a search engine optimisation (SEO) poisoning and malvertising campaign promoting malicious websites hosting Trojanized versions of legitimate IT tools such as PuTTY and WinSCP.
These fake sites aim to trick unsuspecting users—often IT professionals—into downloading and executing Trojanized installers. Upon execution, a backdoor known as Oyster/Broomstick is installed. Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism. While only Trojanized versions of PuTTY and WinSCP have been observed in this campaign, it is possible that additional tools may also be involved.
Example of Malicious Sponsored PuTTY Ad on Bing.
Recommendation
Limit Exposure to SEO Poisoning Through Trusted Software Acquisition Practices
Instruct users—especially IT staff—not to rely on search engines to locate and download administrative tools. Instead, require the use of vetted internal repositories or direct navigation to official vendor websites to reduce the risk of SEO poisoning and malicious advertising.
Block Malicious Domains Associated with Ongoing Campaign
Arctic Wolf recommends blocking the following domains observed in connection with the activity outlined in this security bulletin to prevent user access to malicious download sources and reduce exposure to Trojanized tools.
- updaterputty[.]com
- zephyrhype[.]com
- putty[.]run
- putty[.]bet
- puttyy[.]org
Please refer to vendor-specific documentation detailing configuration of your organisation’s firewall devices.
Learn more about the Arctic Wolf Cyber Resilience Assessment.
Take a deep dive into NIST CSF 2.0 with our webinar, NIST CSF 2.0: A Blueprint for Operationalising Risk Management Within Your Security Program.
