Cybercriminals have hijacked search results to trick over 8,500 small‑business users into downloading malware disguised as genuine software.
Cybersecurity researchers have uncovered a major scam targeting thousands of small and medium‑sized businesses. Hackers manipulated search engine results – with the assistance of poisoned SEO – to redirect users to fake download pages which mimicked genuine tools. But instead of legitimate software like PuTTY or WinSCP, victims ended up downloading malware.
Software is an integral part of modern business, and downloading new software is a regular occurrence. But, as this attack will demonstrate, you need to be cautious when clicking that download button.
Malware in Disguise: The Tactics Explained
The threat actors behind this scam started their attack by setting up a series of malicious sites. While these may have appeared to be genuine sites – with names such as updaterputty – they were far from the real deal. However, with visibility in search engine results on their side, links to these malicious sites easily reached a huge audience. And unsuspecting visitors who were keen to download the necessary software wouldn’t have batted an eyelid before downloading what was on offer.
Unfortunately, instead of downloading tools required for file transfers or remote access, they were downloading the Oyster trojan. Once installed, Oyster would set about installing a hidden backdoor to allow remote access. Its next step involved creating a scheduled task that runs every three minutes, loading a malicious DLL (twain_96.dll) through Windows’ legitimate rundll32 executable. The result? A persistent strain of malware which gave its creators deep system access to infected PCs.
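For defenders, the persistence described above (a rapidly repeating scheduled task that launches rundll32) can be hunted for in exported Task Scheduler XML. The following is an added example, not code from the researchers or the original article; the five-minute threshold, the function names and the sample task with its placeholder DLL path and export name are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_INTERVAL_SECONDS = 5 * 60  # assumption: "short" means 5 minutes or less

def interval_seconds(iso):
    """Convert a Task Scheduler duration such as PT3M or P1DT2H to seconds."""
    m = re.fullmatch(
        r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def suspicious_actions(task_xml):
    """Return (command, arguments, interval) for each rundll32 action in a
    task that repeats at or below MAX_INTERVAL_SECONDS."""
    root = ET.fromstring(task_xml)
    secs = [interval_seconds(e.text or "")
            for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    short = [i for i in secs if i is not None and i <= MAX_INTERVAL_SECONDS]
    if not short:
        return []
    hits = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        # Match on the file name so full paths and case changes still hit.
        if re.split(r"[\\/]", cmd)[-1].lower() in ("rundll32", "rundll32.exe"):
            hits.append((cmd, args, min(short)))
    return hits

# Constructed sample task modelled on the behaviour described above; the DLL
# path and export name are placeholders, not values from the campaign.
SAMPLE_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT3M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>C:\PLACEHOLDER\twain_96.dll,PlaceholderExport</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for hit in suspicious_actions(SAMPLE_TASK):
        print("review:", hit)
```

A hit is a lead to review rather than proof of infection, since some legitimate software also schedules rundll32; check where the referenced DLL lives and whether it is signed.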
And it wasn’t just Oyster which was at the heart of the attack. Variations of the campaign saw the attackers use numerous other malware variants such as Vidar Stealer and Lumma Stealer. It was also observed, in some instances, that victims were encouraged to download huge zip files containing a multitude of malware installers. By April 2025, it was estimated by Kaspersky that over 8,500 small and medium-sized business users had been impacted by the attack.
This malware is notable as it targets a specific demographic of users due to vulnerabilities associated with their organizations. Small and medium-sized businesses (SMBs) generally lack the advanced cybersecurity measures of larger organizations. Also, many PC users trust the top results in search engines, making this threat particularly dangerous when people are in a rush.
Don’t Get Fooled and Outsmart the Scam

It’s easy to fall victim to attacks such as the above, but it’s just as easily avoided. By following these simple steps, you can reduce your risk of introducing malware into your IT infrastructure:
- Only Download from Official Sites: Always go straight to the developer’s website or a trusted download site when you need new software. All you need to do is a quick Google and some basic verification – such as checking a URL in Google to see what people are saying about it – to confirm you’re heading somewhere legitimate.
- Use Antivirus Tools and Keep Them Updated: Modern antivirus tools do an excellent job at detecting suspicious websites and scanning incoming files, but you need to make sure you have one installed. Additionally, make sure it’s kept up to date to cope with all the latest threats.
For more ways to secure and optimize your business technology, contact your local IT professionals.




