A newly uncovered SEO poisoning campaign has ensnared more than 8,500 small and medium-sized businesses (SMBs) between January and April 2025, deploying malware disguised as popular AI and collaboration tools such as ChatGPT, Zoom, Microsoft Outlook, Excel, PowerPoint, Teams, and PuTTY, according to cybersecurity firms Arctic Wolf and Kaspersky.
The malicious actors employed search-engine-optimised advertisements and hijacked search results to promote fake download sites such as updaterputty[.]com, zephyrhype[.]com, putty[.]run, putty[.]bet, and puttyy[.]org. Visitors seeking trusted software were redirected to counterfeit pages hosting trojanized installers—infected with Oyster (also known as Broomstick or CleanUpLoader), Vidar, Lumma, and Legion loader malware.
Malware Installers Use Stealthy Chains to Evade Detection
Once downloaded, the malware establishes persistence by creating scheduled tasks that run every three minutes, loading malicious DLLs disguised as twain_96.dll via rundll32.exe. Campaigns also included complex delivery chains, such as password-protected ZIP archives for Vidar and Lumma, NSIS installers masquerading as large legitimate files, and MSI packages for Legion loader.
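The persistence pattern just described can be turned into a simple hunt. The following is an added Python example, not code from the original article or from Arctic Wolf, Kaspersky or Zscaler: it scans constructed process-creation records (Sysmon-style fields, made up here) for rundll32.exe loading a DLL named twain_96.dll or one from a user-writable folder, and for schtasks registrations that repeat every few minutes. The task names, user paths and the DLL export name `Entry` are constructed placeholders, not indicators from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (timestamp, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2025-03-02T09:00:01", r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /Create /SC MINUTE /MO 3 /TN "ChromeUpdate" /TR "rundll32.exe C:\Users\bob\AppData\Roaming\twain_96.dll,Entry"'),
    ("2025-03-02T09:03:02", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\bob\AppData\Roaming\twain_96.dll,Entry"),
    ("2025-03-02T09:05:00", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),  # ordinary system DLL
    ("2025-03-02T09:06:00", r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /Create /SC DAILY /TN "Backup" /TR "C:\Tools\backup.exe"'),  # daily, not minutes
]

# Directories an unprivileged user can write to; a DLL loaded from here via rundll32 deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SUSPECT_DLL_NAMES = {"twain_96.dll"}  # the lookalike name reported in the campaign
MAX_MINUTES = 5  # a task repeating this often is unusual for anything a user set up

RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?(?:,|\s|$)', re.I)
SCHTASKS_RE = re.compile(r"/SC\s+MINUTE\s+/MO\s+(\d+)", re.I)


def rundll32_target(cmdline):
    """Return the DLL path rundll32 is asked to load, or None if the command is not a rundll32 call."""
    m = RUNDLL_RE.search(cmdline)
    return m.group(1) if m else None


def dll_is_suspicious(path):
    """Flag the campaign's lookalike file name, or any DLL living in a user-writable directory."""
    lowered = path.lower()
    return PureWindowsPath(lowered).name in SUSPECT_DLL_NAMES or any(tok in lowered for tok in USER_WRITABLE)


def find_suspicious(events):
    """Return (timestamp, reason) for every event matching the rundll32 or short-interval task pattern."""
    hits = []
    for ts, _image, cmdline in events:
        target = rundll32_target(cmdline)
        if target and dll_is_suspicious(target):
            hits.append((ts, f"rundll32 loads suspicious DLL {target}"))
        m = SCHTASKS_RE.search(cmdline)
        if m and int(m.group(1)) <= MAX_MINUTES:
            hits.append((ts, f"scheduled task repeats every {m.group(1)} min"))
    return hits


if __name__ == "__main__":
    for ts, reason in find_suspicious(SAMPLE_EVENTS):
        print(ts, reason)
```

The schtasks line fires twice (the command it schedules is itself a rundll32 call), so the sample yields three hits; pair the match with the file's hash or signature to avoid chasing legitimately installed TWAIN drivers.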
Research firm Zscaler noted a rise in fake ChatGPT-themed malware, up 115% to 177 unique malicious files just in early 2025. Attackers even injected phishing pages into search results for trusted help pages, using search parameter injection to display fake support phone numbers.
At-Risk Tools and Growing Sophistication
SMBs Bear the Brunt
Infections hit SMBs hardest—Zoom-themed malware alone accounted for 41% of total unique malicious files; Outlook and PowerPoint each represented 16%, followed by Excel at 12%, Word at 9%, and Teams at 5%. This reflects how widespread reliance on remote work tools has become a vector for cybercrime.
Ad Platforms Weaponised
Both Google and Facebook ad networks were leveraged to serve malicious ads. Some campaigns even targeted users in cryptocurrency communities, pushing fake wallet-recovery apps that dropped spyware capable of stealing crypto keys.
What Needs to Change?
Security experts advise obtaining software only directly from official vendor sites and verifying file integrity using checksums. They also recommend enabling ad blockers and endpoint security solutions, and instituting scheduled scans for newly installed applications to detect malicious payloads.
In response, cybersecurity providers are urging stricter scrutiny of search advertising, tighter verification standards for app downloads, and greater corporate vigilance. With criminals exploiting trusted brands to reach unsuspecting businesses, awareness and layered defence have become essential to stop SEO poisoners in their tracks.
About the Author – Sahhil Taware is a B.Sc. LL.B. (Hons.) student at National Forensic Sciences University, Gandhinagar, with a keen interest in corporate law and tech-driven legal change.