Stratos Ally

Hackers Exploit Search Results to Spread Malware Posing as Popular Tools


StratosAlly


A recent malware campaign is manipulating search engine results to deliver a loader known as Oyster. Disguised domains mimicking trusted software sources like PuTTY and WinSCP have been used to trick users into deploying malicious installers. Upon execution, the malware creates a persistent backdoor via a DLL launched with rundll32.exe. Domains such as putty[.]run and updaterputty[.]com have been linked to the activity. 
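As an added defender-side illustration (not code from the article or from the researchers it summarises), the following Python flags the two observables this paragraph names: lookalike download domains carrying a brand keyword, and rundll32.exe loading a DLL from a user-writable directory. The allowlist of legitimate hosts and the sample process events are constructed assumptions, not telemetry from the campaign.

```python
import re

# Brand keywords the campaign impersonated (from the article) and an example
# allowlist of legitimate download hosts; the allowlist is an assumption here
# and should be replaced with one your organisation maintains.
BRANDS = ("putty", "winscp")
ALLOWED_HOSTS = {"chiark.greenend.org.uk", "winscp.net"}

# Directories a normal user (and so a malicious installer) can write to;
# rundll32.exe loading a DLL out of one of these deserves a look.
USER_WRITABLE = re.compile(
    r"(\\appdata\\|\\temp\\|\\programdata\\|\\users\\public\\|\\downloads\\)", re.I)
DLL_ARG = re.compile(r'"?([a-z]:\\[^",]+?\.dll)"?', re.I)

def refang(domain):
    """Turn a defanged indicator such as putty[.]run back into a hostname."""
    return domain.lower().replace("[.]", ".").strip()

def is_lookalike(domain):
    """True if the host embeds a brand keyword but is not an allowed host."""
    host = refang(domain)
    if host in ALLOWED_HOSTS or any(host.endswith("." + a) for a in ALLOWED_HOSTS):
        return False
    return any(b in host for b in BRANDS)

def flag_rundll32(events):
    """Return DLL paths from process-creation events (dicts with 'image' and
    'cmdline', Sysmon event 1 style) where rundll32.exe loads a DLL from a
    user-writable directory."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\rundll32.exe"):
            continue
        m = DLL_ARG.search(ev["cmdline"])
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample events; the DLL name is a placeholder, not a real IoC.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Roaming\installer_helper.dll",DllRegisterServer'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

print(flag_rundll32(SAMPLE_EVENTS),
      [d for d in ("putty[.]run", "updaterputty[.]com") if is_lookalike(d)])
```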

Search engine manipulation involving AI-related keywords is being used across multiple active campaigns to deliver Vidar, Lumma, and Legion Loader. Redirect chains fingerprint the victim's browser before delivering encrypted archives that conceal large NSIS installers. Once launched, the installers execute AutoIt routines that drop the stealers onto the target system. Legion Loader is regularly distributed via MSI installer files.

In parallel, adversaries are altering branded support search listings by injecting misleading contact information designed to redirect users to fraudulent assistance centers. 

Small and medium-sized businesses were heavily targeted. Over 8,400 confirmed infections involved fake versions of common tools like Zoom, Microsoft Teams, Salesforce, and ChatGPT. Zoom variants were the most prevalent. 

Elsewhere, malware disguised as Pi Network apps stole login credentials and private keys. Manipulated VPN and AI-based installers were used to implant Poseidon Stealer on Apple systems, whereas Windows users faced threats from Lumma malware delivered through a loader known as PayDay. Some operations adopted less typical tactics, concealing control mechanisms within npm repositories and calendar-based links. 

These efforts frequently overlap with larger-scale scams involving fake online storefronts promoted through Facebook ads that disappear shortly after launch, complicating tracking efforts.
