Attackers are using Search Engine Optimization (SEO) poisoning to push fake download pages for widely used administration tools and, increasingly, for artificial intelligence (AI) tools, delivering backdoors and information stealers to anyone who trusts the top search result. Small and medium-sized businesses (SMBs) are a primary target: approximately 8,500 SMB users encountered malware disguised as popular AI and collaboration tools between January and April 2025.
Understanding SEO Poisoning
SEO poisoning manipulates search engine rankings so that attacker-controlled pages appear near the top of results for popular queries. By stuffing these pages with the keywords people actually search for, cybercriminals increase the likelihood that users click the harmful links, believing them to be trustworthy sources. The method exploits the trust users place in top-ranked results, which makes it an effective way to distribute malware.
The Mechanics of the Attack
Cybersecurity firm Arctic Wolf has identified attackers promoting counterfeit websites that host trojanized versions of widely used administration tools such as PuTTY and WinSCP. IT professionals searching for these utilities may inadvertently download and execute the compromised installers. Upon execution, a backdoor known as Oyster (also referred to as Broomstick or CleanUpLoader) is installed on the victim's system. To maintain persistence, the malware creates a scheduled task that runs every three minutes and executes a malicious DLL via rundll32.exe, a legitimate, signed Windows binary whose job is to load DLLs; using it lets the payload run without dropping a new executable that would draw attention.
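The persistence pattern above is easy to hunt for, because Task Scheduler stores every task as XML: you can export one with `schtasks /Query /TN <name> /XML`, and the same XML is recorded in the TaskContent field of Security event 4698 whenever a task is created. The Python script below is an added example, not code from the original article or from Arctic Wolf. It scores a task definition on three traits: a repetition interval of five minutes or less, a Windows proxy binary such as rundll32.exe as the action, and a payload path under a user-writable directory. Both embedded task definitions are constructed for the example, and the DLL name and path in the suspicious one are hypothetical rather than indicators from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Indicators for the persistence described in the text: a task that fires every
# few minutes and loads a DLL through a signed Windows proxy binary.
SHORT_INTERVAL_SECONDS = 5 * 60
PROXY_LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def iso_duration_seconds(value: str) -> int:
    """Parse the ISO 8601 duration subset Task Scheduler uses (PT3M, P1DT2H30M, ...)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def _local(tag: str) -> str:
    # Drop the Task Scheduler XML namespace prefix from an element tag.
    return tag.rsplit("}", 1)[-1]


def score_task_xml(xml_text: str) -> dict:
    """Score one task definition (schtasks /XML export or the TaskContent of
    Security event 4698). Returns a verdict plus the individual findings."""
    root = ET.fromstring(xml_text)
    findings = []

    # Trait 1: a repetition interval of a few minutes (Oyster uses three).
    intervals = []
    for rep in root.iter():
        if _local(rep.tag) == "Repetition":
            for child in rep:
                if _local(child.tag) == "Interval" and child.text:
                    intervals.append(iso_duration_seconds(child.text))
    short_interval = bool(intervals) and min(intervals) <= SHORT_INTERVAL_SECONDS
    if short_interval:
        findings.append(f"repeats every {min(intervals)} seconds")

    # Traits 2 and 3: the action runs a proxy binary, and/or its payload lives
    # somewhere an unprivileged user can write.
    proxy_launcher = user_writable_payload = False
    for action in root.iter():
        if _local(action.tag) != "Exec":
            continue
        command = arguments = ""
        for child in action:
            if _local(child.tag) == "Command":
                command = (child.text or "").strip().strip('"')
            elif _local(child.tag) == "Arguments":
                arguments = child.text or ""
        binary = re.split(r"[\\/]", command)[-1].lower()
        if binary in PROXY_LAUNCHERS:
            proxy_launcher = True
            findings.append(f"{binary} used as launcher with arguments: {arguments.strip()}")
        if any(marker in arguments.lower() for marker in USER_WRITABLE_MARKERS):
            user_writable_payload = True
            findings.append("payload loaded from a user-writable directory")

    if short_interval and (proxy_launcher or user_writable_payload):
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "benign"
    return {"verdict": verdict, "findings": findings}


# Constructed sample mirroring the described pattern. The DLL name and path are
# hypothetical, not indicators from the campaign.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-03-01T09:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\System32\rundll32.exe</Command>
      <Arguments>"C:\Users\alice\AppData\Roaming\Updater\updater.dll",DllRegisterServer</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample of an ordinary nightly job for comparison.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-03-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleBackup\backup.exe</Command>
      <Arguments>--nightly</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("constructed suspicious task", SUSPICIOUS_TASK), ("constructed benign task", BENIGN_TASK)):
        print(label, "->", score_task_xml(xml_text))
```

A "review" verdict (one trait on its own) is normal for legitimate software updaters, which often run from AppData on a schedule. "suspicious" requires the short interval combined with a proxy launcher or a user-writable payload, which is the combination described here; the next step is to check the DLL's signer, hash and creation time against the installer the user actually downloaded.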
Notable Malicious Domains
Several deceptive domains have been identified in this campaign, including:
– updaterputty[.]com
– zephyrhype[.]com
– putty[.]run
– putty[.]bet
– puttyy[.]org
These domains mimic legitimate software sites, increasing the likelihood of users downloading malicious files.
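Domains like those above can be spotted in proxy or DNS logs by comparing every contacted host against the brand names it appears to borrow. The script below is an added example, not from the original article. It parses constructed proxy log lines (the first five hosts are the campaign domains listed above, the remaining hosts and all other fields are made up, and the allowlist of official download hosts is an assumption to replace with your own) and flags any host outside the allowlist whose labels contain a brand token or sit one edit away from it.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed allowlist of official download hosts for the impersonated tools
# (example values; maintain your own from vendor documentation).
OFFICIAL_HOSTS = {"www.chiark.greenend.org.uk", "winscp.net"}
BRAND_TOKENS = ("putty", "winscp")

# Constructed proxy log lines (timestamp, client IP, method, URL), not real traffic.
# The first five hosts are the campaign domains listed above; the remaining hosts
# are made up for the example (.example is a reserved TLD).
PROXY_LOG = """\
2025-03-14T10:22:01Z 10.0.0.12 GET https://updaterputty.com/putty.exe
2025-03-14T10:23:40Z 10.0.0.12 GET https://zephyrhype.com/download/putty.exe
2025-03-14T10:25:09Z 10.0.0.31 GET https://putty.run/
2025-03-14T10:25:11Z 10.0.0.31 GET https://putty.bet/putty-64bit.msi
2025-03-14T10:27:55Z 10.0.0.44 GET https://puttyy.org/latest.html
2025-03-14T10:30:02Z 10.0.0.44 GET https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
2025-03-14T10:31:18Z 10.0.0.50 GET https://winscp.net/eng/download.php
2025-03-14T10:32:07Z 10.0.0.50 GET https://wnscp-download.example/WinSCP-Setup.exe
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_official(host: str) -> bool:
    """True if the host is an allowlisted domain or one of its subdomains."""
    return any(host == a or host.endswith("." + a) for a in OFFICIAL_HOSTS)


def lookalike_reason(host: str) -> Optional[str]:
    """Explain why a host resembles one of the brands, or None if it does not."""
    for label in host.lower().split(".")[:-1]:  # skip the TLD
        if label == "www":
            continue
        for token in [label, *label.split("-")]:  # 'winscp-download' -> 'winscp', 'download'
            for brand in BRAND_TOKENS:
                if brand in token:
                    return f"contains brand token {brand!r}"
                if len(token) >= 4 and levenshtein(token, brand) <= 1:
                    return f"one edit away from {brand!r}"
    return None


def find_lookalikes(log_text: str) -> List[Tuple[str, str]]:
    """Return (host, reason) for each distinct non-official host that resembles a brand."""
    hits, seen = [], set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlsplit(fields[3]).hostname or ""
        if not host or host in seen:
            continue
        seen.add(host)
        if not is_official(host):
            reason = lookalike_reason(host)
            if reason:
                hits.append((host, reason))
    return hits


if __name__ == "__main__":
    for host, reason in find_lookalikes(PROXY_LOG):
        print(f"{host:30} {reason}")
```

Note the gap this exposes: zephyrhype[.]com carries no brand token and is not flagged, even though it served the same payload. Name-based matching catches the typosquats; it needs to be paired with a rule such as "executable downloaded from a domain this organisation has never contacted before" to catch the rest.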
Expansion to AI-Related Keywords
The same technique has been extended to exploit the growing interest in AI tools. By targeting AI-related search terms, attackers have spread malware such as Vidar, Lumma, and Legion Loader. The malicious pages embed JavaScript that checks for ad blockers and fingerprints the visitor's browser, then redirect the user through a chain of intermediate pages before landing on a phishing site that hosts a ZIP archive containing the malware.
Delivery Mechanisms
The download pages deliver Vidar Stealer and Lumma Stealer as password-protected ZIP archives, with the password printed on the page itself. The password is not there to protect the victim: it stops web gateways and mail or download scanners from opening the archive in transit. Once extracted, the archive contains an NSIS installer padded to roughly 800 MB; the inflated size makes the file look like a legitimate installer and pushes it past the file-size limits of many sandboxes and antivirus engines, which skip or only partially scan oversized files. The NSIS installer then runs an AutoIt script that ultimately launches the stealer payload. Legion Loader, in contrast, is delivered through an MSI installer that deploys the malware via a batch script.
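A password-protected archive wrapping one deliberately huge installer has a recognisable shape, and the ZIP central directory exposes all of it (the encryption flag, stored and compressed sizes, file names) without extracting anything or knowing the password. The Python below is an added example, not code from the original article or from the researchers it cites. It builds a small constructed archive that imitates the delivery (2 MiB of zero padding instead of 800 MB, with the encryption flag patched in because the standard library cannot write encrypted archives) and triages it; the size threshold is a parameter, so the same check applies unchanged to a real 800 MB download.

```python
import io
import struct
import zipfile

INSTALLER_EXTENSIONS = {"exe", "msi", "dll", "bat", "cmd", "ps1", "scr", "lnk"}


def triage_archive(data: bytes, *, big_file_bytes: int = 500 * 1024 * 1024,
                   padding_ratio: float = 0.01) -> dict:
    """Inspect only the ZIP central directory (no extraction, no password needed)
    and report the traits of the delivery described above."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # General-purpose flag bit 0 marks an encrypted entry: gateways and
        # scanners cannot open it, which is exactly why the password is on the page.
        encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
        if encrypted:
            findings.append(f"password-protected entries: {encrypted}")
        for info in infos:
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in INSTALLER_EXTENSIONS:
                findings.append(f"{name}: executable or installer inside the archive")
            if info.file_size >= big_file_bytes:
                findings.append(f"{name}: oversized ({info.file_size // 2**20} MiB), above many scanner limits")
            if info.file_size and info.compress_size / info.file_size < padding_ratio:
                ratio = info.file_size / max(info.compress_size, 1)
                findings.append(f"{name}: compresses {ratio:.0f}:1, consistent with zero/junk padding")
    return {"suspicious": bool(findings), "findings": findings}


def _mark_encrypted(data: bytearray) -> None:
    """Constructed-sample helper: set flag bit 0 ('encrypted') in every central
    directory entry and its local header so the archive looks password-protected.
    Needed only because the standard library cannot write encrypted ZIPs."""
    eocd = data.rfind(b"PK\x05\x06")                      # end of central directory
    count = struct.unpack_from("<H", data, eocd + 10)[0]  # total entries
    pos = struct.unpack_from("<I", data, eocd + 16)[0]    # offset of central directory
    for _ in range(count):
        assert data[pos:pos + 4] == b"PK\x01\x02"
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_header = struct.unpack_from("<I", data, pos + 42)[0]
        for flag_offset in (pos + 8, local_header + 6):
            flags = struct.unpack_from("<H", data, flag_offset)[0]
            struct.pack_into("<H", data, flag_offset, flags | 0x1)
        pos += 46 + name_len + extra_len + comment_len


def build_sample_archive(entries: dict, encrypted: bool) -> bytes:
    """Build a constructed ZIP in memory from {name: bytes}; see _mark_encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        _mark_encrypted(data)
    return bytes(data)


# Constructed stand-in for the delivery: a 2 MiB zero-padded "installer" instead of
# 800 MB, plus the password note. The size threshold is lowered to match when triaging it.
SAMPLE_ENTRIES = {"Setup_AI_Tool.exe": b"MZ" + b"\x00" * (2 * 2**20 - 2),
                  "password.txt": b"Archive password: see the download page"}

if __name__ == "__main__":
    sample = build_sample_archive(SAMPLE_ENTRIES, encrypted=True)
    for finding in triage_archive(sample, big_file_bytes=2**20)["findings"]:
        print(finding)
```

Because only the central directory is read, the check costs the same for an 800 MB archive as for a 2 MiB one, which is the point: the padding defeats scanners that must read the whole payload, not a triage step that reads the metadata. The compression ratio is the most robust signal here; zero or repeated padding compresses hundreds to one, while a genuine installer, which is already compressed, barely shrinks at all.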
Broader Implications for SMBs
Data from cybersecurity company Kaspersky points to a significant rise in attacks on SMBs using malware disguised as popular AI and collaboration tools. Between January and April 2025, approximately 8,500 SMB users encountered such threats. Among the unique malicious files mimicking these tools, Zoom accounted for about 41%, followed by Outlook and PowerPoint at 16% each, Excel at 12%, Word at 9%, and Teams at 5%. The number of unique malicious files posing as ChatGPT rose by 115% to 177 in the first four months of 2025.
Mitigation Strategies
To protect against SEO poisoning attacks, organizations and individuals should adopt the following measures:
1. Download Software from Official Sources: Obtain software only from the vendor's own site or a trusted package repository, reached through a saved bookmark or a known URL rather than a search result, and compare the download against the hash or code-signing certificate the vendor publishes before running it.
2. Verify Website Authenticity: Before downloading, check that the domain is the vendor's actual domain and not a lookalike with an extra letter, an unusual top-level domain, or the brand name combined with words such as "update" or "download". A padlock or HTTPS proves only that the connection is encrypted; attacker-controlled sites obtain valid certificates too.
3. Implement Robust Security Solutions: Use endpoint protection and web filtering that block known malicious download sites, and treat password-protected archives and unusually large installers from newly seen domains as high-risk. On endpoints, alert on scheduled tasks that fire every few minutes and run DLLs via rundll32.exe from user-writable directories, the persistence pattern described above.
4. Educate Employees: Conduct regular training that shows staff how poisoned results appear in search engines and why the top result is not necessarily the legitimate one.
5. Monitor Search Engine Presence: Regularly review what search engines return for your organization's name and products, watch for lookalike domains or results that impersonate your brand or download pages, and report them for takedown.
Conclusion
The exploitation of SEO poisoning by cybercriminals underscores the evolving nature of cyber threats. By manipulating search engine results, attackers can effectively distribute malware to a broad audience, particularly targeting SMBs. Staying informed about these tactics and implementing proactive security measures are essential steps in safeguarding against such sophisticated attacks.