Cybersecurity researchers have uncovered a malicious campaign that uses search engine optimization (SEO) poisoning to distribute a malware loader known as Oyster, also referred to as Broomstick or CleanUpLoader. According to Arctic Wolf, the attackers use fake websites that appear to host legitimate software like PuTTY and WinSCP. These websites are designed to mislead software professionals into downloading malware-laced versions of the tools they are searching for.
Once executed, the malware installs a backdoor identified as Oyster or Broomstick. To maintain persistence, it creates a scheduled task that runs every three minutes. This task launches a malicious DLL named twain_96.dll through rundll32.exe, calling the DLL's DllRegisterServer export; the attackers are thus abusing the DLL registration mechanism to keep access.
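A defender's triage of the persistence chain described above, added here as an example (it is not code from Arctic Wolf or the article): it scans constructed Sysmon-style events for rundll32 invoking DllRegisterServer on a DLL outside the Windows system directories, and for a scheduled task that repeats at a short interval with the same action. The DLL path and task name are assumptions; only the file name twain_96.dll and the three-minute interval come from the report.

```python
import re

TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample telemetry (not real logs): Sysmon-style process creations
# and scheduled-task registrations shaped like the Oyster persistence chain.
# The DLL directory and the task name are assumptions; the page names only twain_96.dll.
SAMPLE_EVENTS = [
    {"type": "process",
     "cmdline": r'rundll32.exe "C:\Users\u\AppData\Roaming\twain_96.dll",DllRegisterServer'},
    {"type": "process",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "task", "name": r"\Constructed_Task", "interval": "PT3M",
     "action": r'rundll32.exe "C:\Users\u\AppData\Roaming\twain_96.dll",DllRegisterServer'},
    {"type": "task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "interval": "P7D",
     "action": r"%windir%\system32\defrag.exe -c -h -k -g"},
]

def iso_duration_seconds(s):
    """Parse the simple ISO 8601 durations Task Scheduler uses (PT3M, P7D, PT1H30M)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", s)
    if not m:
        raise ValueError(f"unsupported duration: {s}")
    d, h, mi, sec = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + sec

def rundll32_register_outside_system(cmdline):
    """True when rundll32 invokes DllRegisterServer on a DLL outside System32/SysWOW64."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*DllRegisterServer',
                  cmdline, re.IGNORECASE)
    if not m:
        return False
    return not m.group(1).strip().lower().startswith(TRUSTED_DLL_DIRS)

def triage(events, max_interval_seconds=300):
    """Return (event, reason) pairs for events matching the persistence pattern."""
    hits = []
    for ev in events:
        if ev["type"] == "process" and rundll32_register_outside_system(ev["cmdline"]):
            hits.append((ev, "rundll32 DllRegisterServer on a non-system DLL"))
        elif ev["type"] == "task" and rundll32_register_outside_system(ev["action"]) \
                and iso_duration_seconds(ev["interval"]) <= max_interval_seconds:
            hits.append((ev, f"task repeats every {ev['interval']} via rundll32"))
    return hits

if __name__ == "__main__":
    for ev, reason in triage(SAMPLE_EVENTS):
        print(reason, "->", ev.get("cmdline") or ev.get("action"))
```

The interval threshold is deliberately loose (five minutes) so that a variant which changes the three-minute cadence slightly is still flagged; legitimate Windows tasks rarely run rundll32 against a DLL under a user profile.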
Some of the fake websites used in the campaign include:
- updaterputty[.]com
- zephyrhype[.]com
- putty[.]run
- putty[.]bet
- puttyy[.]org
Investigators believe the attackers may be targeting other IT tools as well, making it crucial for users to only download software from trusted sources or official vendor websites.
This revelation coincides with reports of black hat SEO tactics being used to manipulate search results for artificial intelligence-related keywords to distribute malware like Vidar, Lumma, and Legion Loader.
The malicious websites in that campaign contain JavaScript that checks for ad blockers and gathers data from the victim's browser. It then redirects the user to a phishing page that hosts a ZIP archive. According to Zscaler ThreatLabz, the final download pages deliver Vidar Stealer and Lumma Stealer as password-protected ZIP files, with the password displayed on the download page. Once extracted, the files include an 800MB NSIS installer, which is deliberately oversized to appear legitimate and to evade scanners that skip very large files.
This installer executes an AutoIt script that launches the stealer malware. In contrast, the Legion Loader is delivered via an MSI installer that runs a batch script. Another related campaign boosts phishing pages in search results for popular web applications. These pages appear to be Cloudflare CAPTCHA checks but use the ClickFix trick to install RedLine Stealer through Hijack Loader.
Kaspersky reports that small and medium-sized businesses are being increasingly targeted by malware disguised as tools like ChatGPT, DeepSeek, Cisco AnyConnect, Google Drive, Microsoft Office, Microsoft Teams, Salesforce, and Zoom. Between January and April 2025, roughly 8,500 SMB users were attacked using malware posing as these tools.
Zoom made up about 41 percent of the total number of unique malicious files, followed by Outlook and PowerPoint at 16 percent each. Excel accounted for 12 percent, Word 9 percent, and Teams 5 percent. The number of unique malicious files imitating ChatGPT increased by 115 percent in the first four months of 2025, reaching 177.
Though manipulating search results to trick users has long been a tactic of threat actors, some new campaigns go further. They hijack searches for tech support pages related to companies like Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal. These attackers present real-looking help pages via sponsored Google results but replace the genuine contact number with their own scam number.
According to Malwarebytes, the scammers do this using search parameter injection, which shows a phone number controlled by them in the page’s search bar. This makes it seem like an official support result and tricks users into calling the wrong number. The added parameters are not visible in the sponsored result, so users have no reason to be suspicious.
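An added example (not code from Malwarebytes or the article) of how a brand-protection or SOC team could screen sponsored-result landing URLs for the search parameter injection described above: it parses each URL's query string and flags parameter values that carry a phone-like number, which a legitimate search term rarely does. The brand domain and the URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Phone-like token: optional +country code, then ten digits with common separators.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.\-()]*)?(?:\d[\s.\-()]*){9}\d")

# Constructed landing URLs on a hypothetical brand domain (not from the article).
SAMPLE_URLS = [
    "https://help.example-brand.test/search?q=Contact+Support+Call+%2B1+800-000-0000+Now",
    "https://help.example-brand.test/search?q=reset+password",
    "https://help.example-brand.test/article/123?ref=promo&kw=help%20line%201%20(800)%20000-0000",
]

def injected_phone_params(url):
    """Return (param, decoded value, normalised number) for every query value
    carrying a phone-like number; an empty list means nothing suspicious."""
    query = urlsplit(url).query
    hits = []
    # parse_qsl already percent-decodes and turns '+' into spaces; do not decode twice,
    # or an encoded '+' country-code prefix (%2B) would be lost.
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = PHONE_RE.search(value)
        if m:
            number = re.sub(r"[\s.\-()]", "", m.group(0))
            hits.append((key, value, number))
    return hits

def triage_urls(urls):
    """Map each URL to its suspicious parameters, dropping clean URLs."""
    report = {u: injected_phone_params(u) for u in urls}
    return {u: h for u, h in report.items() if h}

if __name__ == "__main__":
    for url, hits in triage_urls(SAMPLE_URLS).items():
        for key, value, number in hits:
            print(f"{url}\n  param {key!r} reflects phone {number}: {value!r}")
```

Because the injected parameters are not shown in the ad itself, the check has to run on the destination URL (for example from ad transparency data or web proxy logs), not on the ad text.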
The issue is not limited to Google ads. On Facebook, attackers have been observed spreading malware and phishing for crypto wallet recovery phrases through fake ads tied to events like Pi2Day, a community celebration by Pi Network. These ads promote a fake update of the Pi Network desktop app for Windows, which is actually malware that steals saved credentials and crypto keys, logs keystrokes, downloads additional malware, and avoids detection.
Bitdefender believes the activity is likely conducted by a single threat actor managing multiple fraud schemes through Meta platforms to increase impact and financial returns. Additionally, fraudulent websites pretending to offer AI tools, VPNs, and other software have been found delivering malware like Poseidon Stealer on macOS and PayDay Loader on Windows, which then installs Lumma Stealer. Security researcher g0njxa calls this operation Dark Partners.
PayDay Loader uses Google Calendar links as dead drops to retrieve its command-and-control server and run obfuscated JavaScript code that installs the Lumma Stealer malware. The email used to create the calendar events, echeverridelfin@gmail[.]com, was also connected to a malicious npm package named os-info-checker-es6. This suggests the threat actors are testing different delivery methods.
The PayDay Loader includes a Node.js module that uses the ADM-ZIP library to gather cryptocurrency wallet data and send it to a fixed command-and-control server. These campaigns are part of a broader trend where attackers create thousands of spoofed websites that impersonate popular brands. They use these to commit fraud, such as advertising real products that are never delivered. One network called GhostVendors, identified by Silent Push, uses Facebook ads to promote over 4,000 suspicious sites. These ads run for only a few days before being taken down, leaving no record in Meta’s Ad Library, which retains ads only for political and social topics.
Silent Push researchers confirmed that Meta's limited ad retention policy enables threat actors to quickly cycle through similar ads on different pages. Another network targeting English and Spanish-speaking users with fake marketplace ads is believed to be operated by Chinese actors. These sites aim to steal credit card information during fake purchases, and some even include Google Pay widgets to appear trustworthy.
According to Silent Push, the campaign uses phishing threats that exploit popular brands, organizations, and political figures to mislead consumers.