Researchers have disclosed a campaign that uses SEO poisoning to distribute malware called Oyster, targeting software professionals who search for tools such as PuTTY. Fake websites host trojanized copies of the software and trick users into installing them. The malware establishes persistence through a scheduled task that runs every three minutes. Other threats include Vidar and Lumma Stealer, which are disseminated via email and use JavaScript to gather data and redirect victims to phishing pages hosting ZIP archives. The extracted files contain large installers intended to evade detection, demonstrating the ongoing risk posed by malicious software delivery tactics.
Upon execution, a backdoor known as Oyster/Broomstick is installed. Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export.
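One way a defender can hunt for this persistence pattern is to scan exported Task Scheduler XML (for example from `schtasks /query /xml`) for actions that launch a DLL through rundll32.exe with the DllRegisterServer export on a short repetition interval. This is an added example, not code from the original report; the sample task XML, file path and timestamp are constructed, and the 15-minute threshold is an assumption.

```python
"""Flag Task Scheduler XML whose action runs a DLL via rundll32.exe and
DllRegisterServer on a short repetition interval (the Oyster persistence
pattern). Added example; the sample task below is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_INTERVAL_SECONDS = 15 * 60  # assumed threshold: benign tasks rarely repeat this often

def iso_duration_seconds(value):
    """PT3M -> 180. Returns None for anything that is not a plain ISO-8601 duration."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def suspicious_rundll32_tasks(task_xml):
    """Return (dll_path, export, shortest_interval_seconds) for each matching Exec action."""
    root = ET.fromstring(task_xml)
    intervals = [iso_duration_seconds(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    shortest = min((i for i in intervals if i is not None), default=None)
    findings = []
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"').lower()
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if not (cmd == "rundll32" or cmd.endswith("rundll32.exe")):
            continue
        # rundll32 syntax is "<dll>,<export>"; the task described above calls DllRegisterServer
        m = re.match(r'\s*"?([^",]+\.dll)"?\s*,\s*(\w+)', args, re.IGNORECASE)
        if m and m.group(2).lower() == "dllregisterserver" \
                and shortest is not None and shortest <= MAX_INTERVAL_SECONDS:
            findings.append((m.group(1), m.group(2), shortest))
    return findings

# Constructed sample export mirroring the described task: three-minute repetition,
# rundll32.exe loading twain_96.dll through DllRegisterServer (path is illustrative).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT3M</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>C:\Users\Public\twain_96.dll,DllRegisterServer</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for dll, export, secs in suspicious_rundll32_tasks(SAMPLE_TASK_XML):
        print(f"SUSPICIOUS: {dll} via {export}, repeats every {secs}s")
```

Legitimate COM registration tasks also call DllRegisterServer, so the interval check is what makes a hit worth triage; review the DLL's path and signature before acting.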
The final download pages in this campaign deliver Vidar Stealer and Lumma Stealer as password-protected ZIP archives, with the password shown on the final download page itself.