AI-Related Malware Campaign Spreads via SEO Poisoning and Phishing Pages

Cybersecurity researchers have disclosed a malicious campaign using search engine optimization (SEO) poisoning techniques to deliver known malware loaders. The campaign, which leverages fake websites hosting trojanized versions of legitimate tools, aims to trick software professionals into installing the malware.

The malware loader, called Oyster (aka Broomstick or CleanUpLoader), installs a backdoor that creates a scheduled task to run every three minutes, executing a malicious DLL via rundll32.exe. The threat actors are suspected to be targeting other IT tools to deliver the malware, emphasizing the importance of sticking to trusted sources and official vendor sites.

The campaign is part of a broader trend of abusing fake search engine listings to take advantage of users’ implicit trust in popular brands. The attackers use techniques like search parameter injection to display scammy phone numbers on help/support pages, deceiving unsuspecting users into calling them.

The malicious activity has been linked to various platforms, including Google, Facebook, and Meta, with threat actors serving fake ads to phish for cryptocurrency wallet recovery phrases and spreading malware in conjunction with Pi2Day. The campaign is codenamed Dark Partners by security researcher g0njxa, and it appears to be the work of a single threat actor running parallel fraud schemes.

The attackers have used various delivery mechanisms, including Google Calendar links, to extract command-and-control (C2) server addresses and load malware payloads. They have also used malicious npm packages and Facebook Marketplace ads to spread malware. The campaign highlights the ongoing threat of fake search engine listings and phishing pages, emphasizing the need for users to be cautious when searching for software or services online.

In summary, the Dark Partners campaign demonstrates the creativity and persistence of cybercriminals in exploiting vulnerabilities in user trust. As AI-related tools become increasingly popular, it is essential to remain vigilant against these types of threats and prioritize cybersecurity awareness.

Source: https://thehackernews.com/2025/07/seo-poisoning-campaign-targets-8500.html