Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools – Arctic Wolf

Since early June 2025, Arctic Wolf has observed a search engine optimization (SEO) poisoning and malvertising campaign promoting malicious websites hosting trojanized versions of legitimate IT tools such as PuTTY and WinSCP.
These fake sites aim to trick unsuspecting users—often IT professionals—into downloading and executing trojanized installers. Upon execution, a backdoor known as Oyster/Broomstick is installed. Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism. While only trojanized versions of PuTTY and WinSCP have been observed in this campaign, it is possible that additional tools may also be involved.

Example of Malicious Sponsored PuTTY Ad on Bing.
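The persistence pattern described above (a short-interval scheduled task invoking rundll32.exe with the DllRegisterServer export of a DLL named twain_96.dll) can be turned into a simple hunting rule. The following is an added example, not code from the bulletin or from Arctic Wolf; the event records, the DLL's path under AppData, and the task names are constructed sample data.

```python
import re

# Constructed sample events (not real telemetry) modelled on the bulletin:
# one rundll32 process launch and one scheduled task matching the described
# persistence, plus two benign records that must not be flagged.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\admin\AppData\Roaming\twain_96.dll",DllRegisterServer'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "task", "name": "Updater", "interval_minutes": 3,
     "action": r"rundll32.exe C:\Users\admin\AppData\Roaming\twain_96.dll,DllRegisterServer"},
    {"type": "task", "name": "Backup", "interval_minutes": 1440,
     "action": r"C:\Program Files\Backup\backup.exe"},
]

# rundll32 [path\]name.dll,ExportName  (quotes around the DLL path optional)
RUNDLL32_RE = re.compile(
    r'rundll32(\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def rundll32_reason(cmdline):
    """Return why a rundll32 command line is suspicious, or None if it is not."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    dll, export = m.group("dll"), m.group("export")
    reasons = []
    if export.lower() == "dllregisterserver":
        reasons.append("DllRegisterServer export invoked via rundll32")
    if not dll.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"DLL outside system directories: {dll}")
    if dll.lower().endswith("twain_96.dll"):
        reasons.append("DLL name matches bulletin indicator twain_96.dll")
    return "; ".join(reasons) or None

def task_reason(task, max_interval_minutes=5):
    """Flag scheduled tasks that repeat very frequently and run a suspicious rundll32 action."""
    reason = rundll32_reason(task["action"])
    if reason and task["interval_minutes"] <= max_interval_minutes:
        return f"task '{task['name']}' repeats every {task['interval_minutes']} min; {reason}"
    return None

def scan(events):
    """Return one human-readable finding per suspicious process or task event."""
    hits = []
    for ev in events:
        reason = rundll32_reason(ev["cmdline"]) if ev["type"] == "process" else task_reason(ev)
        if reason:
            hits.append(reason)
    return hits
```

Running `scan(SAMPLE_EVENTS)` reports the rundll32 launch and the three-minute task while leaving the shell32 and backup records untouched; the same checks map directly onto Sysmon process-creation and scheduled-task telemetry.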
Instruct users—especially IT staff—not to rely on search engines to locate and download administrative tools. Instead, require the use of vetted internal repositories or direct navigation to official vendor websites to reduce the risk of SEO poisoning and malicious advertising. 
Arctic Wolf recommends blocking the following domains observed in connection with the activity outlined in this security bulletin to prevent user access to malicious download sources and reduce exposure to trojanized tools. 
Please refer to vendor-specific documentation detailing configuration of your organization’s firewall devices. 
July 1, 2025