A malvertising campaign spreading malicious code has been on the rise since July 2025, targeting IT staff and system administrators directly. Its objective is to deliver a dangerous backdoor named Oyster, also known as Broomstick or CleanupLoader.


According to researchers at Arctic Wolf and CyberProof, the Oyster malware has returned with a more sophisticated tactic: it masquerades as popular tools that IT administrators download regularly, such as PuTTY, KeePass and WinSCP.

The attackers use SEO poisoning and fraudulent advertising to push the poisoned links to the top of Google and Bing results, making it easy for users to click the wrong one.

In one typical case, a user downloaded a file named “PuTTY-setup.exe” from the site danielaurel[.]tv (defanged). Although it looks like a legitimate installer, it is actually implanted with malware.

In a sandbox analysis environment (ANY.RUN), researchers found that:

  • The file is signed with a code-signing certificate that has since been revoked, yet many systems still trust the file without issuing a warning.
  • When it runs, it drops a malicious DLL (“zqin.dll”) on the system and executes it via rundll32.exe, a living-off-the-land technique commonly used to evade antivirus detection.
  • The malware also creates a fake scheduled task named “FireFox Agent INC” that re-runs the DLL every 3 minutes, so it stays active even after the user logs out or restarts.

Once a host is infected, Oyster can:

  • Steal login credentials and passwords.
  • Download and execute additional malicious payloads.
  • Open a remote shell for the attacker.
  • Exfiltrate sensitive data to the attacker’s server.

Oyster is not merely spyware; it is also a stepping stone to larger attacks, e.g. deploying ransomware such as Rhysida after the initial break-in.

One worrying point is that the attackers abuse digital signing certificates that have already been revoked but are still accepted by some security software. This increasingly popular tactic makes it easier for malicious code to “get past” first-line protections, and it suggests that many organizations still do not adequately validate digital signatures, including their revocation status, especially on conventional endpoints.

This operation is not an isolated one. Reportedly, the Oyster infection infrastructure has been further exploited to steal data and spread ransomware, causing significant damage to both businesses and individuals.

When the target is an IT admin, a single wrong click can lead to the compromise of the entire internal network.

Experts offer a series of prevention recommendations:

  • Never download software from an ad or a search-engine link, even if it looks legitimate.
  • Only use the software vendor’s official website or a verified internal repository.
  • Organizations should configure certificate validation (revocation checking via CRL/OCSP) so that revoked code-signing certificates are no longer trusted.
  • Periodically audit unknown scheduled tasks and processes such as rundll32.exe loading DLLs from outside the Windows directory.
  • Deploy Endpoint Detection & Response (EDR) capable of detecting DLL side-loading and other abnormal behavior.
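The following PowerShell script is an added example, not code from the article or from Arctic Wolf, CyberProof or ANY.RUN. It implements the last three recommendations on a Windows host: it hunts for scheduled tasks that launch rundll32.exe with a DLL outside the Windows directory or on a short repetition interval (the persistence pattern reported for Oyster), and it checks a downloaded installer’s Authenticode signature with explicit, online revocation checking of the whole signing chain. The function names, the 5-minute threshold, the path heuristics and the sample Downloads path are assumptions for illustration.

```powershell
# Added hunting script (assumption: Windows, PowerShell 5.1+, ScheduledTasks module present).
# Function names, thresholds and path heuristics are illustrative choices, not vendor IOCs.

# 1. Hunt for scheduled tasks that run rundll32.exe with a DLL outside the Windows
#    directory and/or repeat on a short interval (Oyster used a 3-minute repeat).
function Find-SuspiciousRundll32Tasks {
    param(
        # Repetition intervals at or below this are flagged (assumed threshold).
        [TimeSpan]$MaxInterval = (New-TimeSpan -Minutes 5)
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; skip COM-handler actions.
            if (-not $action.Execute) { continue }
            if ($action.Execute -notmatch 'rundll32(\.exe)?"?\s*$') { continue }

            $argString = [string]$action.Arguments
            # Legitimate rundll32 tasks normally reference a DLL under %SystemRoot%;
            # a DLL in a user-writable location is the signal we care about.
            $dllOutsideWindows = $argString -and
                ($argString -notmatch '^\s*"?(%SystemRoot%|%windir%|C:\\Windows)')

            $shortRepeat = $false
            foreach ($trigger in $task.Triggers) {
                $interval = $trigger.Repetition.Interval   # ISO 8601 duration, e.g. PT3M
                if ($interval) {
                    $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
                    if ($span -le $MaxInterval) { $shortRepeat = $true }
                }
            }

            if ($dllOutsideWindows -or $shortRepeat) {
                [PSCustomObject]@{
                    TaskName    = $task.TaskName
                    TaskPath    = $task.TaskPath
                    Execute     = $action.Execute
                    Arguments   = $argString
                    ShortRepeat = $shortRepeat
                }
            }
        }
    }
}

# 2. Verify an installer's Authenticode signature and explicitly check the signing
#    chain for revocation using online CRL/OCSP. Get-AuthenticodeSignature alone
#    reports the Windows trust verdict; this adds a stricter, independent check.
function Test-SignatureWithRevocation {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path        = $Path
        Status      = $sig.Status            # Valid / NotSigned / HashMismatch / NotTrusted ...
        Signer      = $sig.SignerCertificate.Subject
        Revoked     = $false
        ChainStatus = @()
    }
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($sig.SignerCertificate)
        $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        # Treat "could not check" as a failure too: an attacker who blocks CRL/OCSP
        # traffic must not be rewarded with a pass.
        $result.Revoked = ($chain.ChainStatus.Status -contains 'Revoked') -or
                          ($chain.ChainStatus.Status -contains 'RevocationStatusUnknown')
    }
    [PSCustomObject]$result
}

# Usage (the Downloads path is an assumed example location):
Find-SuspiciousRundll32Tasks | Format-Table -AutoSize
Test-SignatureWithRevocation -Path "$env:USERPROFILE\Downloads\PuTTY-setup.exe"
```

Two caveats when reading the output. First, Windows’ own Authenticode policy honours the signing timestamp: a signature countersigned before the certificate’s revocation date can still verify as Valid, which is one reason revoked-certificate binaries slip through; the chain check above flags any revoked certificate regardless of timestamp, which is the stricter stance the recommendations call for. Second, the task hunt is a heuristic: expect a few legitimate hits from software updaters, so review the DLL path and the task’s creation time rather than acting on the name alone.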

Operation Oyster shows increasingly sophisticated attackers actively reaching skilled users through paths that appear safe: advertising, search results and familiar tools.

This is a huge wake-up call for both individuals and organizations: don’t let the habit of downloading “quick-to-use” software become a doorway for attackers to take over your systems.

WhiteHat