Ethical Hacking News
SEO poisoning campaigns that disguise malware as popular AI tools have emerged as a growing threat to SMBs, delivering malware and enabling financial fraud. With over 8,500 users targeted and numerous networks spoofing popular brands, businesses need to take proactive measures to protect themselves from these campaigns.
Malicious SEO poisoning campaigns target over 8,500 small- and medium-sized businesses (SMBs) with malware disguised as popular AI tools. The campaign uses fake websites hosting trojanized versions of legitimate software to trick users into installing malware-infected tools. A backdoor known as Oyster/Broomstick is installed, with persistence established by creating a scheduled task that runs every three minutes. Researchers have identified several bogus websites associated with this campaign, designed to appear legitimate and to collect user information. The final download pages deliver malware-infected tools, such as Vidar Stealer and Lumma Stealer, in password-protected ZIP archives. Related campaigns also abuse Facebook's and Google's advertising platforms, serving fake ads for cryptocurrency wallet recovery and spreading malware. Researchers suspect a single threat actor is operating parallel fraud schemes on Meta platforms, while other networks target credit card information entered on fake payment pages. SMB users must be cautious when searching for software online and stick to trusted sources to avoid falling prey to malicious SEO poisoning campaigns.
SEO poisoning campaigns have become an increasingly sophisticated and insidious threat to small- and medium-sized businesses (SMBs). According to recent data compiled by Arctic Wolf, these malicious campaigns target over 8,500 SMB users with malware disguised as popular AI tools. This phenomenon has been observed in various forms, including the use of fake websites hosting trojanized versions of legitimate software such as PuTTY and WinSCP.
The campaign in question involves using search engine optimization (SEO) poisoning techniques to promote fake websites that mimic well-known brands, aiming to trick users into installing malware-infected tools. Upon execution, a backdoor known as Oyster/Broomstick is installed, with persistence established by creating a scheduled task that runs every three minutes. The malware loader, dubbed Oyster, also leverages DLL registration as part of its persistence mechanism.
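To hunt for the persistence pattern just described, here is an added example (my own code, not from the article or Arctic Wolf) that parses Task Scheduler XML exports (as produced by schtasks /query /xml) and flags tasks that repeat every few minutes and run or register a DLL from a user-writable path. The task names, paths and DLL name in the samples are constructed, and the five-minute threshold is an assumption.

```python
# Added example, not from the article: hunt Task Scheduler XML for fast-repeating tasks that load DLLs.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler schema
DLL_HOSTS = ("regsvr32", "rundll32")  # system binaries commonly used to register or run DLLs
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def interval_minutes(iso: str) -> float:
    """Convert an ISO-8601 duration such as PT3M or P1DT2H to minutes (inf if unparsable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m:
        return float("inf")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def assess_task(xml_text: str, max_minutes: float = 5.0) -> dict:
    """Return the task name, the reasons it looks suspicious, and a verdict."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", "", NS)
    intervals = [interval_minutes(e.text or "") for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    fastest = min(intervals, default=float("inf"))  # shortest repetition across all triggers
    reasons = []
    if fastest <= max_minutes:
        reasons.append(f"repeats every {fastest:g} min")
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).lower()
        line = cmd + " " + ex.findtext("t:Arguments", "", NS).lower()
        if any(h in cmd for h in DLL_HOSTS):
            reasons.append(f"DLL host binary: {cmd}")
        if ".dll" in line and any(p in line for p in USER_WRITABLE):
            reasons.append("DLL under a user-writable path")
    dll_hit = any(r.startswith("DLL") for r in reasons)  # verdict needs both fast repeat and a DLL
    return {"name": name, "reasons": reasons, "suspicious": fastest <= max_minutes and dll_hit}

# Constructed samples: a plausible benign hourly updater and the three-minute DLL pattern.
BENIGN = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><URI>\\VendorUpdate</URI></RegistrationInfo>
<Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition></CalendarTrigger></Triggers>
<Actions><Exec><Command>C:\\Program Files\\Vendor\\update.exe</Command></Exec></Actions></Task>"""
SUSPECT = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><URI>\\Placeholder Updater</URI></RegistrationInfo>
<Triggers><LogonTrigger><Repetition><Interval>PT3M</Interval></Repetition></LogonTrigger></Triggers>
<Actions><Exec><Command>regsvr32.exe</Command>
<Arguments>/s C:\\Users\\alice\\AppData\\Roaming\\loader.dll</Arguments></Exec></Actions></Task>"""

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(assess_task(sample))
```

On a live host, feed it the output of schtasks /query /xml for each task rather than the inline samples.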
Researchers have identified several bogus websites associated with this campaign, including updaterputty[.]com, zephyrhype[.]com, putty[.]run, putty[.]bet, and puttyy[.]org. These sites are designed to appear legitimate, using JavaScript code that checks for the presence of ad blockers and gathers information from the victim's browser before redirecting them to a phishing page hosting a ZIP archive.
The final download pages in this campaign deliver Vidar Stealer and Lumma Stealer as password-protected ZIP archives, each containing an 800MB NSIS installer. The oversized file is intended to evade security scanners that skip files above a size limit. The NSIS installer executes an AutoIt script that ultimately launches the stealer payloads.
In addition to targeting SMBs, these SEO poisoning campaigns have also been observed on Facebook and Google's advertising platforms, serving fake ads that phish for cryptocurrency wallet recovery phrases and spread malware in conjunction with Pi2Day, a yearly event linked to the Pi Network community. The malicious payload, spread via an MSI installer, comes equipped with capabilities to steal saved credentials, crypto wallet keys, log user input, and download additional payloads while evading detection.
Researchers from Bitdefender believe that this activity may be attributed to a single threat actor operating parallel fraud schemes on Meta platforms. Other networks spotted by Silent Push researchers are targeting English- and Spanish-language shoppers with fake marketplace ads designed to steal credit card information entered on payment pages while claiming to process orders.
The presence of Google Calendar links as a dead drop resolver in PayDay Loader, which then acts as a conduit for Lumma Stealer on Windows machines, highlights the sophistication of these malicious campaigns. Furthermore, an email address associated with this activity was also linked to a malicious npm package called "os-info-checker-es6," indicating potential experimentation by Dark Partners actors with different delivery mechanisms.
These campaigns are part of a broader phenomenon in which scammers and cybercriminals establish sprawling networks of thousands of websites to spoof popular brands and commit financial fraud by advertising real products that are never delivered. Networks such as GhostVendors, which buys Facebook ad space to promote over 4,000 sketchy sites, demonstrate the scope of this threat.
In light of these findings, SMB users must be extremely cautious when searching for software or technical tools online, visiting only official vendor websites and trusted sources to download the software they need. This awareness is crucial to avoid falling prey to SEO poisoning campaigns designed to spread malware and enable financial fraud.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-AI-Disguise-The-Growing-Threat-of-SEO-Poisoning-Campaigns-ehn.shtml
https://thehackernews.com/2025/07/seo-poisoning-campaign-targets-8500.html
Published: Mon Jul 7 13:09:45 2025 by llama3.2 3B Q4_K_M