Caution: Cybercriminals leverage Google Search to deceive users into downloading malicious software - learn how to avoid it here
In a recent cybersecurity alert, organisations and individuals have been advised to be cautious when downloading PuTTY and WinSCP software from the internet, following reports of a phishing campaign targeting IT professionals.
The phishing campaign, actively reported in early July 2025, involves the creation of SEO-optimized fake landing pages that mimic the legitimate websites of PuTTY and WinSCP. These sites are designed to appear high in Google search results and are difficult to distinguish visually from the legitimate ones.
These phishing sites often deliver the actual PuTTY and WinSCP software that functions as expected, but surreptitiously install malware loaders like Oyster (also known as Broomstick or CleanUpLoader) alongside the software. Oyster is malware that operates in the background, executes code through legitimate Windows processes, and communicates with command servers via encrypted channels to evade detection.
The malware loader Oyster is known to facilitate further compromises such as credential theft and backdoor access. Because the fake sites and downloads function normally, users often do not notice the compromise immediately, increasing the risk of credential theft or additional malware infections.
To protect against these phishing websites, cybersecurity experts recommend several measures. Firstly, users should download software only from official sources, such as the PuTTY official website (chiark.greenend.org.uk/~sgtatham/putty/) or WinSCP's official domain (winscp.net). Users are also advised to verify the website URLs manually before downloading, confirming that the URL matches the official site exactly.
Additionally, users should employ antivirus and endpoint detection tools capable of detecting loaders like Oyster/Broomstick, keep these tools updated regularly, and educate themselves and their teams about this phishing technique. Users should be wary of URLs that look similar but contain extra words, misspellings, or unusual domains.
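The exact-match URL check recommended above, as an added Python example (not code from the article or from the PuTTY or WinSCP projects). The allowlist holds the two official locations the article names; accepting an optional `www.` prefix and the sample URLs on the reserved `.example` domain are assumptions.

```python
from urllib.parse import urlsplit

# Official download locations named in the article: host -> required path prefix.
OFFICIAL = {
    "chiark.greenend.org.uk": "/~sgtatham/putty/",
    "winscp.net": "/",
}

def check_download_url(url):
    """Return (ok, reason) for a candidate download URL."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present: the real host is whatever follows '@'"
    host = (parts.hostname or "").rstrip(".")
    if not host.isascii() or "xn--" in host:
        return False, "non-ASCII or punycode host (possible homoglyph)"
    if host.startswith("www."):  # assumption: optional www. prefix is accepted
        host = host[4:]
    prefix = OFFICIAL.get(host)
    if prefix is None:
        return False, "host is not an official domain"
    if not (parts.path or "/").startswith(prefix):
        return False, "official host but unexpected path"
    return True, "matches official source"

# Constructed sample URLs (lookalikes use the reserved .example domain).
SAMPLES = [
    "https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html",
    "https://winscp.net/eng/download.php",
    "https://winscp.net.downloads.example/eng/",       # official name as a subdomain
    "https://putty-download.example/",                 # extra word in the domain
    "https://winscp.net@files.example/setup.exe",      # userinfo trick
    "https://chiark.greenend.org.uk/~someone/putty/",  # right host, wrong path
    "https://winsc\u0440.net/",                        # Cyrillic 'р' homoglyph
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, reason = check_download_url(url)
        print(f"{'OK  ' if ok else 'FAIL'} {url!r}: {reason}")
```

The host comparison is done on the parsed hostname rather than on the raw string, so a URL that merely contains an official name somewhere in it does not pass.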
Furthermore, users should verify the digital signatures of downloaded installers to ensure they are genuine and untampered. They should also monitor their networks and endpoints for unusual activity or the execution of unknown processes after installing these tools, which could signal malware infection.
Users are also advised to use browser security features with phishing and malware detection capabilities, which sometimes warn about suspicious or malicious sites. Lastly, users should report any suspicious sites or downloads to cybersecurity teams or platforms like Google Safe Browsing to help get them taken down quickly.
By strictly adhering to official sources for software downloads, verifying URLs, educating users, and using modern security controls, organisations and individuals can significantly reduce the risk of falling victim to these phishing attacks impersonating PuTTY and WinSCP tools.
Smartphones are essential in today's technology-driven world, but their users should be aware of the potential risks when downloading PuTTY and WinSCP software on mobile browsers. Cybercriminals have been using SEO-optimized fake landing pages that mimic the official websites of PuTTY and WinSCP to spread malware like Oyster, a malware loader that operates covertly and facilitates further compromises such as credential theft and backdoor access. To protect against these threats, smartphone users should follow the same precautions as PC users: download software only from official sources, verify URLs manually before downloading, employ antivirus tools, and keep them updated regularly. Education about this phishing technique and vigilance in detecting suspicious URLs can significantly reduce the risk of falling victim to these attacks.