Full Report
Cybersecurity researchers have disclosed a malicious campaign that leverages search engine optimization (SEO) poisoning techniques to deliver a known malware loader called Oyster (aka Broomstick or CleanUpLoader). The malvertising activity, per Arctic Wolf, promotes fake websites hosting trojanized versions of legitimate tools like PuTTY and WinSCP, aiming to trick software professionals
Analysis Summary
As a malware analyst and TTP specialist, here is the summary compiled from the provided context, focusing on the malware, tools, techniques, and associated MITRE ATT&CK mappings observed in the described campaigns.
# Tool/Technique: Oyster (Broomstick/CleanUpLoader)
## Overview
Oyster (also known as Broomstick or CleanUpLoader) is a backdoor malware delivered via malvertising and SEO poisoning campaigns. It aims to infect software professionals searching for legitimate tools like PuTTY and WinSCP by hosting trojanized versions of these applications on compromised or fraudulent websites.
## Technical Details
- Type: Malware Family (Backdoor Loader)
- Platform: Windows
- Capabilities: Establishes persistence via scheduled tasks, executes malicious DLLs.
- First Seen: Recent campaign disclosed around June 2024.
## MITRE ATT&CK Mapping
This mapping focuses on the persistence mechanism described for Oyster:
- **TA0003 - Persistence**
  - T1053 - Scheduled Task/Job
    - T1053.005 - Scheduled Task
## Functionality
### Core Capabilities
- Installation of a backdoor upon execution of the trojanized initial payload.
- Establishing persistence through the creation of a scheduled task that executes every three minutes.
### Advanced Features
- Uses the `rundll32.exe` binary to execute a malicious DLL (`twain_96.dll`) by calling the `DllRegisterServer` export function, leveraging DLL registration for execution.
## Indicators of Compromise
- File Hashes: [Not available in context]
- File Names: `twain_96.dll`
- Registry Keys: [Associated with scheduled task creation - details not provided]
- Network Indicators: [C2 infrastructure not detailed for Oyster in this context]
- Behavioral Indicators: Execution of `rundll32.exe` calling `DllRegisterServer` export from a suspicious DLL; creation of a recurring scheduled task (3-minute interval).
## Associated Threat Actors
- Threat actors employing black hat SEO poisoning to distribute this loader. (Specific group attribution not provided for Oyster in this segment).
## Detection Methods
- Signature-based detection: Signatures targeting the malicious DLL (`twain_96.dll`).
- Behavioral detection: Monitoring for the creation of highly frequent scheduled tasks (3-minute intervals) that launch `rundll32.exe` with custom exports.
- YARA rules: [Not available in context]
## Mitigation Strategies
- Sticking strictly to trusted sources and official vendor websites for software downloads.
- Monitoring scheduled task creation for suspicious processes or high-frequency execution times.
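The two behavioural detection points listed above (a recurring task on a very short interval, and `rundll32.exe` invoked with a registration export on a DLL outside the system directories) can be checked directly against the task XML that a task-registration event carries (for example Security event 4698). The script below is an added example written for this summary, not code from Arctic Wolf or from the page; the sample task definitions, the task names and paths, and the 15-minute "sane interval" threshold are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Assumed threshold: legitimate tasks rarely repeat faster than every 15 minutes.
MIN_SANE_INTERVAL = 15 * 60
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
REGISTRATION_EXPORTS = {"dllregisterserver", "dllunregisterserver", "dllinstall"}

# ISO 8601 durations as Task Scheduler writes them: PT3M, PT1H30M, P1DT2H ...
DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)
# rundll32 argument syntax: <dll path>,<export> [args]
RUNDLL_ARGS_RE = re.compile(
    r'^\s*"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>[A-Za-z_]\w*)', re.IGNORECASE
)

# Constructed sample task definitions. The first mirrors the behaviour described
# above (3-minute repetition, rundll32 loading a DLL from a user profile directory
# via DllRegisterServer); the second is a benign weekly maintenance task.
SAMPLE_TASKS = {
    r"\CleanUp": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval></Repetition>
      <StartBoundary>2024-06-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\Users\user\AppData\Roaming\twain_96.dll,DllRegisterServer</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-06-01T01:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def parse_interval(iso: str) -> int:
    """Convert a Task Scheduler ISO 8601 duration (e.g. PT3M) to seconds."""
    m = DURATION_RE.match(iso.strip())
    if not m:
        raise ValueError(f"unsupported duration: {iso!r}")
    d, h, mi, s = (int(m.group(k) or 0) for k in ("d", "h", "m", "s"))
    return d * 86400 + h * 3600 + mi * 60 + s


def analyze_task(xml_text: str) -> list:
    """Return a list of human-readable findings for one task definition."""
    root = ET.fromstring(xml_text)
    reasons = []
    # Finding 1: any repetition interval shorter than the assumed sane minimum.
    for node in root.iter(TASK_NS + "Interval"):
        secs = parse_interval(node.text or "")
        if secs < MIN_SANE_INTERVAL:
            reasons.append(f"repetition interval {secs}s is below {MIN_SANE_INTERVAL}s")
    # Finding 2: rundll32 actions that call a registration export or load a DLL
    # from outside the Windows system directories.
    for exec_node in root.iter(TASK_NS + "Exec"):
        cmd = (exec_node.findtext(TASK_NS + "Command") or "").strip().lower()
        args = exec_node.findtext(TASK_NS + "Arguments") or ""
        if not cmd.endswith("rundll32.exe"):
            continue
        m = RUNDLL_ARGS_RE.match(args)
        if not m:
            reasons.append("rundll32 action without a parseable dll,export argument")
            continue
        dll, export = m.group("dll"), m.group("export")
        if export.lower() in REGISTRATION_EXPORTS:
            reasons.append(f"rundll32 calls registration export {export} from a scheduled task")
        if not dll.lower().startswith(SYSTEM_DIRS):
            reasons.append(f"DLL loaded from outside system directories: {dll}")
    return reasons


def triage(tasks: dict) -> dict:
    """Return only the tasks that produced at least one finding, keyed by task name."""
    return {name: r for name, xml in tasks.items() if (r := analyze_task(xml))}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_TASKS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Feeding real 4698 events through `triage` is a matter of extracting the `TaskContent` field; the interval check alone is noisy (some backup agents repeat every few minutes), so the rundll32-export and non-system-path findings are the ones worth alerting on together.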
## Related Tools/Techniques
- SEO Poisoning (Delivery Vector).
- Techniques used by campaigns distributing Vidar, Lumma, and Legion Loader (similar delivery vector).
***
# Tool/Technique: Vidar Stealer
## Overview
Vidar is an information-stealing malware often distributed in recent black hat SEO poisoning campaigns targeting downloads of legitimate tools or AI-related keywords.
## Technical Details
- Type: Malware Family (Information Stealer)
- Platform: Windows
- Capabilities: Steals sensitive information (e.g., passwords, browser data).
- First Seen: [Not specified, but active in recent 2025 campaigns mentioned.]
## MITRE ATT&CK Mapping
Based on general stealer functionality:
- **TA0009 - Collection**
  - T1552 - Credentials Access
    - T1552.001 - Credentials from Web Browsers
## Functionality
### Core Capabilities
- Extraction and exfiltration of credentials and sensitive data from compromised systems.
### Advanced Features
- Delivered via complex multi-stage installers (e.g., a large 800 MB NSIS installer followed by an AutoIt script).
- Delivered within password-protected ZIP archives.
## Indicators of Compromise
- File Hashes: [Not available in context]
- File Names: Contained within a large NSIS installer file.
- Network Indicators: [C2 details not provided]
- Behavioral Indicators: Execution chains involving NSIS installers running AutoIt scripts.
## Associated Threat Actors
- Threat actors leveraging AI-related SEO poisoning campaigns.
## Detection Methods
- Detection of large, unexpected NSIS installers followed by AutoIt execution.
- Detection of credential exfiltration network traffic patterns.
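The first detection method above, a large installer from a user-writable location followed by AutoIt execution, is a parent/child chain check over process-creation telemetry. The script below is an added example for this summary, not code from the page or from any vendor. It assumes process events carrying Sysmon Event ID 1 style fields plus an image file size (an EDR enrichment, not a Sysmon field); the events, paths, PIDs and the 500 MB threshold are constructed. Matching on `OriginalFileName` rather than the on-disk name is what catches a renamed AutoIt interpreter.

```python
# Assumed threshold for "large, unexpected installer".
LARGE_INSTALLER_BYTES = 500 * 1024 * 1024
# Locations where a downloaded or dropped installer typically lands.
USER_DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")

# Constructed process-creation events (Sysmon Event ID 1 fields, plus file_size).
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 880, "image": r"C:\Windows\explorer.exe",
     "original_file_name": "EXPLORER.EXE", "file_size": 5_000_000},
    # 838 MB installer from Downloads ...
    {"pid": 5120, "ppid": 4100, "image": r"C:\Users\user\Downloads\AI_Desktop_Setup.exe",
     "original_file_name": "", "file_size": 838_000_000},
    # ... spawning a renamed AutoIt interpreter from a temp folder.
    {"pid": 5130, "ppid": 5120, "image": r"C:\Users\user\AppData\Local\Temp\x9q\svchost.exe",
     "original_file_name": "AutoIt3.exe", "file_size": 1_000_000},
    # Benign: a small installer spawning its own child.
    {"pid": 6000, "ppid": 4100, "image": r"C:\Users\user\Downloads\archiver-setup.exe",
     "original_file_name": "", "file_size": 1_600_000},
    {"pid": 6010, "ppid": 6000, "image": r"C:\Program Files\Archiver\archiver.exe",
     "original_file_name": "archiver.exe", "file_size": 900_000},
    # Benign: AutoIt launched by the user from its installed location.
    {"pid": 7000, "ppid": 4100, "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "original_file_name": "AutoIt3.exe", "file_size": 1_000_000},
]


def build_index(events: list) -> dict:
    return {e["pid"]: e for e in events}


def ancestors(index: dict, pid: int, max_depth: int = 6):
    """Yield parent events walking up the tree; stop at depth, cycle or missing parent."""
    seen = set()
    ev = index.get(pid)
    for _ in range(max_depth):
        if ev is None or ev["ppid"] in seen:
            return
        seen.add(ev["pid"])
        ev = index.get(ev["ppid"])
        if ev is not None:
            yield ev


def is_autoit(ev: dict) -> bool:
    # PE OriginalFileName survives renaming of the file on disk.
    return ev["original_file_name"].lower() == "autoit3.exe"


def is_large_user_installer(ev: dict) -> bool:
    path = ev["image"].lower()
    return ev["file_size"] >= LARGE_INSTALLER_BYTES and any(d in path for d in USER_DROP_DIRS)


def find_installer_autoit_chains(events: list) -> list:
    """Return one finding per AutoIt process that descends from a large user-area installer."""
    index = build_index(events)
    findings = []
    for ev in events:
        if not is_autoit(ev):
            continue
        for parent in ancestors(index, ev["pid"]):
            if is_large_user_installer(parent):
                findings.append({
                    "autoit_pid": ev["pid"], "autoit_image": ev["image"],
                    "installer_pid": parent["pid"], "installer_image": parent["image"],
                    "installer_mb": parent["file_size"] // (1024 * 1024),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_installer_autoit_chains(SAMPLE_EVENTS):
        print(f"AutoIt pid {f['autoit_pid']} ({f['autoit_image']}) descends from "
              f"{f['installer_mb']} MB installer pid {f['installer_pid']} ({f['installer_image']})")
```

Walking several ancestor levels matters because the installer often launches an intermediate extractor before the interpreter; the small-installer and locally-installed AutoIt cases in the sample are left unflagged on purpose.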
## Mitigation Strategies
- Using endpoint protection that analyzes installer contents and execution chains.
- Avoiding execution of scripts/installers downloaded from unofficial search results.
## Related Tools/Techniques
- Lumma Stealer, Legion Loader (Distributed via similar SEO poisoning methods).
***
# Tool/Technique: Lumma Stealer
## Overview
Lumma is an information-stealing malware associated with modern black hat SEO poisoning campaigns, often distributed alongside Vidar Stealer.
## Technical Details
- Type: Malware Family (Information Stealer)
- Platform: Windows
- Capabilities: Information theft.
- First Seen: [Not specified, but active in recent 2025 campaigns mentioned.]
## MITRE ATT&CK Mapping
Based on general stealer functionality:
- **TA0009 - Collection**
  - T1552 - Credentials Access
    - T1552.001 - Credentials from Web Browsers
## Functionality
### Core Capabilities
- Information stealing capabilities targeting user data.
### Advanced Features
- Delivered in password-protected archives alongside Vidar via NSIS installers executed via AutoIt scripts.
## Indicators of Compromise
- File Hashes: [Not available in context]
- Network Indicators: [C2 details not provided]
- Behavioral Indicators: Similar multi-stage delivery via NSIS/AutoIt chain.
## Associated Threat Actors
- Threat actors leveraging AI-related SEO poisoning campaigns.
## Mitigation Strategies
- Strict application control over NSIS and AutoIt executions from untrusted sources.
## Related Tools/Techniques
- Vidar Stealer, Legion Loader.
***
# Tool/Technique: Search Parameter Injection (Support Page Hijacking)
## Overview
A technique in which threat actors use sponsored search results to hijack queries for official tech support pages (e.g., Apple, Microsoft). The sponsored link points at the brand's legitimate site but carries injected search parameters, so the site's own search results page displays the attacker's scam phone number as if it were the official contact number.
## Technical Details
- Type: Technique (Social Engineering/Delivery)
- Platform: Web browsers interacting with search engines (e.g., Google Ads leading to legitimate brand sites).
- Capabilities: Deceiving users into calling fraudulent support hotlines.
- First Seen: Recent observation in 2025.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access** (Leveraging search results for social engineering)
- **TA0011 - Command and Control** (Used to receive subsequent calls)
## Functionality
### Core Capabilities
- Displaying attacker-controlled content (phone numbers) on a seemingly legitimate domain via URL parameters that manipulate the site's display fields.
### Advanced Features
- The malicious parameters are added to the URL but are often not visible in the rendered sponsored search result snippet, increasing deception.
## Indicators of Compromise
- File Hashes: N/A
- Network Indicators: N/A
- Behavioral Indicators: Users navigating through sponsored search results linking to official help centers, only to find an anomalous phone number presented as official support contact information.
## Associated Threat Actors
- Scammers targeting users seeking technical support for major brands.
## Mitigation Strategies
- Always verify contact information by navigating directly to the brand's known homepage or TLD (Top-Level Domain) rather than relying solely on phone numbers displayed in search results.
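The user-side advice above is the only mitigation the context gives; the site-side counterpart is to stop echoing arbitrary search parameters into prominent page text. The function below is an added example for this summary, not code from the page or from any affected brand: it assumes a server-rendered results heading, and the length cap, phone-number pattern and lure keywords are constructed choices. Queries that look like a phone number or a "call us" lure get a generic heading instead of being reflected.

```python
import html
import re

# Assumed cap: legitimate search terms are short; long strings are message-like.
MAX_ECHO_LEN = 60
# Optional country code, then a 3-3-4 digit group with common separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
# Words that turn a reflected query into a call-to-action.
LURE_RE = re.compile(r"\b(call|dial|phone|hotline|helpline|toll[- ]?free)\b", re.IGNORECASE)


def classify_query(query: str) -> str:
    """Return 'ok' if the query may be echoed, otherwise the reason it may not."""
    q = query.strip()
    if len(q) > MAX_ECHO_LEN:
        return "too_long"
    if PHONE_RE.search(q):
        return "phone"
    if LURE_RE.search(q):
        return "lure"
    return "ok"


def render_search_heading(query: str) -> str:
    """HTML-safe heading for the results page; only plain, short queries are echoed."""
    if classify_query(query) != "ok":
        return "No results matched your search."
    return f'Results for "{html.escape(query.strip())}"'


# Constructed sample queries: a normal term, a markup attempt, and two lure styles
# (the 555-01xx number is a reserved fictional range).
SAMPLE_QUERIES = [
    "winscp download",
    "<b>putty</b>",
    "Apple support 1-800-555-0100",
    "Call Microsoft helpline now",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{classify_query(q):9} -> {render_search_heading(q)}")
```

The classifier is deliberately conservative: it never blocks a search, only the echo of the query into page chrome, so a false positive costs nothing but a less specific heading.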
## Related Tools/Techniques
- Traditional Phishing, Sponsored Result Abuse.
***
# Tool/Technique: GhostVendors (Fake Marketplace Network)
## Overview
GhostVendors is a sprawling network of thousands of fraudulent commercial websites designed to spoof popular brands. These sites advertise real products but are intended to steal credit card information or process payments for goods that are never delivered.
## Technical Details
- Type: Infrastructure Campaign / Criminal Network
- Platform: Web-based (E-commerce/Marketplace imitation)
- Capabilities: Financial fraud, PII/payment data theft.
- First Seen: Ongoing campaign observed in 2024/2025.
## MITRE ATT&CK Mapping
- **TA0010 - Exfiltration** (Collecting payment data)
- **TA0006 - Credential Access** (If payment pages capture credentials)
## Functionality
### Core Capabilities
- Creating thousands of temporary websites mimicking legitimate sellers.
- Using Facebook ads to rapidly promote these sites over a few days, then stopping the ads to erase traces from the Meta Ad Library.
### Advanced Features
- Exploiting Meta Ad Library retention policies (which only retain ads on social issues, elections, and politics for long periods) by rapidly cycling ad campaigns.
- Incorporating Google Pay widgets for payment processing.
## Indicators of Compromise
- File Hashes: N/A
- Network Indicators: High volume of rapidly deployed and retired domains spoofing popular brands.
- Behavioral Indicators: Ads being purchased and terminated in short sprints on social media platforms.
## Associated Threat Actors
- Chinese threat actors suspected in the English/Spanish targeting network.
## Mitigation Strategies
- Consumers should exercise extreme caution with social media marketplace ads promoting unexpected high-value items or deals.
- Utilizing secure payment methods that offer strong buyer protection.
## Related Tools/Techniques
- Traditional E-commerce Phishing, Brand Impersonation.
***
# Tool/Technique: PayDay Loader
## Overview
PayDay Loader is a Node.js utility that finds, packs, and exfiltrates wallet information from compromised systems, using the `adm-zip` library for archiving. It is mentioned in the context of the broader fraud ecosystem; its direct link to the SEO delivery campaigns is secondary, so this entry focuses on its capabilities.
## Technical Details
- Type: Tool/Malware Loader
- Platform: Node.js environment
- Capabilities: Enumerates and packs wallet information for C2 exfiltration.
- First Seen: [Not specified in context, but used recently.]
## MITRE ATT&CK Mapping
- **TA0009 - Collection**
  - T1552 - Credentials Access
    - T1552.001 - Credentials from Web Browsers (specific to cryptocurrency wallets)
## Functionality
### Core Capabilities
- Utilizes the `adm-zip` Node.js library to compress and archive target data (specifically wallet information).
- Sends collected and packed data to a hard-coded Command and Control (C2) host.
## Mitigation Strategies
- Monitoring unusual Node.js processes executing file compression operations (`adm-zip`).
- Implementing strict egress filtering to prevent exfiltration to hard-coded C2 addresses.
## Related Tools/Techniques
- Other loaders that focus heavily on cryptocurrency theft.