The Oyster malware, also known as Broomstick or CleanupLoader, has resurfaced in attacks disguised as popular IT tools such as PuTTY, KeePass, and WinSCP. Active since at least 2023, it tricks users into downloading trojanized installers and can pave the way for ransomware infections such as Rhysida. Oyster campaigns have evolved from impersonating Google Chrome and Microsoft Teams to targeting IT-specific tools, exploiting administrators' trust in familiar software.

CyberProof threat researchers uncovered a real-world instance in the second half of July 2025 in which an unsuspecting user was lured into installing a fake PuTTY executable. Once executed, the installer drops a malicious DLL, zqin.dll, and runs it via rundll32.exe. This establishes the Oyster backdoor, which collects system information, steals credentials, executes commands, and downloads additional malware, according to the report. Persistence is achieved through a scheduled task named "FireFox Agent INC", set to run every three minutes, so the malware stays active across reboots. Notably, the installer was signed with a revoked digital certificate, a tactic also seen in other recent campaigns such as those abusing ConnectWise ScreenConnect. In the CyberProof case, sandbox analysis on Any.Run confirmed the file's malicious behavior, including the DLL execution and the task scheduling.

The incident highlights the persistent danger of SEO poisoning, where attackers manipulate search rankings to promote malicious sites that mimic legitimate software download pages. To mitigate, organizations should train users to verify downloads (obtain installers only from the vendor's own site and check the published hash or signature), enforce multi-factor authentication, and deploy endpoint detection tooling that can flag rundll32.exe loading a DLL from a user-writable path and newly created scheduled tasks that fire every few minutes.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
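As an added hunting example, not part of the CyberProof report or of this article, the following Python checks the two behaviours described above over a few constructed, Sysmon-style process-creation (Event ID 1) and Security scheduled-task-creation (Event ID 4698) records: rundll32.exe loading a DLL from a user-writable location, and a newly created task that repeats every few minutes, runs rundll32, or borrows a vendor name. Only zqin.dll, rundll32.exe, and the "FireFox Agent INC" task with its three-minute interval come from the article; the normalised field names, the installer file name, the DllRegisterServer export, the user name, and the benign Mozilla task are assumptions made for illustration.

```python
"""Hunt for Oyster-style rundll32 execution and scheduled-task persistence.

Added example; the event records below are constructed, not captured data.
"""
import re

# Locations an unprivileged user can write to; a DLL loaded from here by
# rundll32.exe deserves a closer look (assumption: adjust for your estate).
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users|programdata|windows\\temp)\\", re.IGNORECASE)
# First quoted or bare Windows path ending in .dll inside a command line.
DLL_IN_CMDLINE = re.compile(r'"?([a-z]:\\[^",]+?\.dll)"?', re.IGNORECASE)
# Repetition interval in Task Scheduler XML, an ISO 8601 duration such as PT3M.
# Only day/hour/minute/second components are handled (months do not occur here).
INTERVAL = re.compile(
    r"<Interval>P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?</Interval>", re.IGNORECASE)
COMMAND = re.compile(r"<Command>([^<]+)</Command>", re.IGNORECASE)
ARGUMENTS = re.compile(r"<Arguments>([^<]+)</Arguments>", re.IGNORECASE)
MAX_BENIGN_INTERVAL = 300  # seconds; Oyster's task fires every three minutes

# Constructed sample events normalised to dicts (assumed field names).
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Users\alice\AppData\Roaming\zqin.dll",DllRegisterServer',
     "parent_image": r"C:\Users\alice\Downloads\putty-installer.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 4698, "task_name": r"\FireFox Agent INC",
     "task_content": r"<Task><Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval>"
                     r"</Repetition></TimeTrigger></Triggers><Actions><Exec>"
                     r"<Command>rundll32.exe</Command><Arguments>C:\Users\alice\AppData"
                     r"\Roaming\zqin.dll,DllRegisterServer</Arguments></Exec></Actions></Task>"},
    {"event_id": 4698, "task_name": r"\Mozilla\Firefox Default Browser Agent 1234ABCD",
     "task_content": r"<Task><Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1"
                     r"</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers><Actions>"
                     r"<Exec><Command>C:\Program Files\Mozilla Firefox\default-browser-agent.exe"
                     r"</Command></Exec></Actions></Task>"},
]


def repetition_seconds(task_xml):
    """Return the task's repetition interval in seconds, or None if it has none."""
    m = INTERVAL.search(task_xml)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def check_process(ev):
    """Flag rundll32.exe when the DLL it is told to load sits in a user-writable path."""
    if not ev["image"].lower().endswith("\\rundll32.exe"):
        return None
    m = DLL_IN_CMDLINE.search(ev["command_line"])
    if m and USER_WRITABLE.match(m.group(1)):
        return {"rule": "rundll32_loads_user_writable_dll",
                "dll": m.group(1), "parent": ev["parent_image"]}
    return None


def check_task(ev):
    """Flag a new scheduled task that repeats rapidly, runs rundll32, or mimics a vendor."""
    xml = ev["task_content"]
    reasons = []
    secs = repetition_seconds(xml)
    if secs is not None and secs <= MAX_BENIGN_INTERVAL:
        reasons.append(f"repeats every {secs}s")
    cm, am = COMMAND.search(xml), ARGUMENTS.search(xml)
    cmd = cm.group(1) if cm else ""
    target = f"{cmd} {am.group(1) if am else ''}".strip()
    if "rundll32" in cmd.lower():
        reasons.append("action is rundll32")
    elif USER_WRITABLE.match(cmd):
        reasons.append("action runs from a user-writable path")
    # A Firefox-branded task whose action never mentions Mozilla is a lookalike.
    if "firefox" in ev["task_name"].lower() and "mozilla" not in target.lower():
        reasons.append("vendor-lookalike task name")
    if reasons:
        return {"rule": "suspicious_scheduled_task",
                "task": ev["task_name"], "reasons": reasons}
    return None


def analyze(events):
    """Run both checks over a sequence of normalised events and collect findings."""
    findings = []
    for ev in events:
        finding = None
        if ev["event_id"] == 1:
            finding = check_process(ev)
        elif ev["event_id"] == 4698:
            finding = check_task(ev)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Run as-is, the script reports the rundll32 launch of zqin.dll from the user's profile and the "FireFox Agent INC" task, while the genuine shell32.dll call and Mozilla's own daily task stay quiet. To use it on live data, feed it Sysmon Event ID 1 records and Security Event ID 4698 records (the latter only appear when the "Other Object Access Events" audit subcategory is enabled); the regexes deliberately parse the task XML rather than the task name, because the name is the one thing an attacker chooses freely.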
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 28 Jul 2025 12:40:29 +0000