A widespread SEO poisoning campaign is actively targeting small and medium-sized businesses (SMBs), affecting over 8,500 users by distributing malware disguised as popular AI and IT tools. Threat actors are manipulating search engine results to lead unsuspecting users to malicious websites, where they are prompted to download trojanized software, ultimately compromising their systems with various stealers and loaders.

Key Takeaways

• Cybercriminals are using sophisticated SEO poisoning and malvertising techniques to distribute malware like Oyster, Vidar, Lumma, and RedLine Stealer.

• The campaign primarily targets SMBs, with malware disguised as legitimate AI and collaboration tools such as ChatGPT, Zoom, Microsoft Office, and popular IT utilities like PuTTY and WinSCP.

• Attackers employ various deceptive tactics, including fake CAPTCHA checks, large file sizes to bypass detection, and even manipulating tech support search results to display scammer phone numbers.

• Persistence mechanisms, such as scheduled tasks and DLL registration, are used to ensure the malware remains active on compromised systems.

• The campaign highlights the critical need for users to download software only from official vendor websites and to be vigilant against suspicious search results and advertisements.

Malicious Tactics Unveiled

Cybersecurity researchers have uncovered a pervasive SEO poisoning campaign designed to trick users into downloading malware. This sophisticated operation leverages search engine optimization (SEO) techniques to push malicious websites to the top of search results for popular software and AI tools. Once users land on these fake sites, they are prompted to download what appears to be legitimate software, but is in fact a trojanized version containing malware.

One prominent malware loader observed in this campaign is Oyster (also known as Broomstick or CleanUpLoader). Upon execution, Oyster establishes persistence by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via .

Bogus websites identified in this campaign include:

• updaterputty[.]com

• zephyrhype[.]com

• putty[.]run

• putty[.]bet

• puttyy[.]org

Targeting AI and Collaboration Tools

The campaign has significantly focused on disguising malware as popular AI and collaboration tools. Kaspersky data reveals that between January and April 2025, approximately 8,500 SMB users were targeted by cyberattacks involving malware disguised as:

• OpenAI ChatGPT

• DeepSeek

• Cisco AnyConnect

• Google Drive

• Microsoft Office (Outlook, PowerPoint, Excel, Word, Teams)

• Salesforce

• Zoom

Zoom accounted for about 41% of the unique malicious files, followed by Outlook and PowerPoint at 16% each. The number of unique malicious files mimicking ChatGPT increased by 115% in the first four months of 2025.

Advanced Deception Techniques

Threat actors are employing increasingly cunning methods to evade detection and trick users:

• Ad Blocker Evasion: Malicious websites include JavaScript code to check for ad blockers and gather browser information before redirecting victims to phishing pages.

• Large File Sizes: Final download pages deliver stealers like Vidar and Lumma as password-protected ZIP archives. Once extracted, these contain NSIS installers as large as 800MB, designed to appear legitimate and bypass detection systems with file size limitations.

• Fake CAPTCHA Checks: Some campaigns elevate phishing pages by directing users to fake Cloudflare CAPTCHA checks that use the ClickFix strategy to drop RedLine Stealer.

• Search Parameter Injection: Attackers manipulate search results for tech support pages (e.g., Apple, Microsoft, PayPal) to display scammer phone numbers within the search bar, making them appear as official contact details.

Broader Malvertising Landscape

The SEO poisoning campaign is part of a larger trend of malvertising. Threat actors are also using platforms like Facebook to spread malware and phish for cryptocurrency wallet recovery phrases. One notable campaign, possibly linked to a single threat actor, involved ads urging users to install a new version of the Pi Network desktop app, which contained credential-stealing and keylogging capabilities.

Furthermore, phony websites impersonating AI, VPN services, and other software brands have been found delivering Poseidon Stealer on macOS and PayDay Loader on Windows. PayDay Loader uses Google Calendar links as a dead drop resolver to extract command-and-control (C2) server information and load Lumma Stealer payloads.

These campaigns underscore the critical importance of cybersecurity vigilance. Users should always download software directly from official vendor websites and exercise extreme caution when encountering suspicious search results or advertisements. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

• SEO Poisoning Campaign Targets 8,500+ SMB Users with Malware Disguised as AI Tools, The Hacker News.