A malvertising campaign has been discovered using trojanized installers for popular software to drop a backdoor known as Oyster [2]. Users who search for the software on search engines are redirected to malicious websites that host the trojanized installers [2].


The malvertising campaign uses trojanized installers for popular software such as Google Chrome and Microsoft Teams to deliver the Oyster backdoor [2]. Oyster, also known as Broomstick and CleanUpLoader [1] [2], gathers information about the infected host, communicates with a command-and-control address, and supports remote code execution [2]. It has been attributed to the Russia-linked group ITG23, and in the latest attack chains the backdoor is dropped directly by the trojanized installer [2]. The installer also installs the genuine Microsoft Teams software, so the victim sees the expected application and the infection does not raise suspicion, and the backdoor establishes persistence on the system [2].

Separately, the cybercrime group Rogue Raticate is running email phishing campaigns that use PDF decoys to distribute NetSupport RAT [2].

A new phishing-as-a-service platform called ONNX Store has also been identified. It lets customers run phishing campaigns built around QR codes embedded in PDF attachments, so the victim scans the code on a phone and lands on the phishing page outside the protection of the corporate email gateway [2]. The platform offers bulletproof hosting, RDP services, and a 2FA bypass mechanism that intercepts authentication requests from victims [2]. The practical caveat is that such interception defeats any second factor that is just a code the user types (SMS, app-generated OTP), because the phishing page can relay the code to the real site within its validity window; it does not defeat origin-bound authenticators such as FIDO2 security keys or passkeys, whose response is tied to the site the browser is actually on.
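One thing a detection engineer would want from the Oyster description above is a hunt for the delivery step: installer downloads that look like Chrome or Teams but come from somewhere other than the vendor. The script below is an added example, not code from the article, Rapid7 or The Hacker News. It runs over a constructed proxy-log format (timestamp, client, method, URL, status, referer); the vendor host allowlist is an assumption to be adjusted to what your own proxy sees, and all suspicious hosts use the reserved .example domain. It also records whether the request arrived from a search engine, since the campaign lures victims through search results.

```python
"""Hunt proxy logs for installer downloads impersonating Chrome or Teams.

Added example (not from the original article). Flags .exe/.msi/.msix
downloads whose file name or host names Chrome or Teams but that were served
from a host outside the assumed vendor allowlist.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed legitimate download hosts per product; adjust to what your proxy
# actually observes for sanctioned installs.
VENDOR_HOSTS = {
    "chrome": {"dl.google.com", "edgedl.me.gvt1.com"},
    "teams": {"statics.teams.cdn.office.net", "teams.microsoft.com",
              "go.microsoft.com", "download.microsoft.com"},
}
PRODUCT_RE = {"chrome": re.compile(r"chrome", re.I),
              "teams": re.compile(r"teams", re.I)}
INSTALLER_RE = re.compile(r"\.(exe|msi|msix)$", re.I)
SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.")

# Constructed log format: "<timestamp> <client> <method> <url> <status> <referer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>GET|POST)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<referer>\S+)$")

# Constructed sample: two sanctioned downloads, one unrelated installer and
# three impersonation attempts on reserved .example hosts.
SAMPLE_LOG = """\
2024-06-21T10:01:02Z 10.0.0.5 GET https://dl.google.com/chrome/install/ChromeSetup.exe 200 https://www.google.com/
2024-06-21T10:03:17Z 10.0.0.7 GET https://microsoft-teams-download.example/Teams_windows_x64.exe 200 https://www.bing.com/search?q=teams+download
2024-06-21T10:04:40Z 10.0.0.9 GET https://cdn-files.example/dl/ChromeSetup.exe 200 https://www.google.com/url?q=cdn-files.example
2024-06-21T10:06:03Z 10.0.0.5 GET https://statics.teams.cdn.office.net/production-windows-x64/1.7.00.1234/MSTeamsSetup.exe 200 https://www.microsoft.com/
2024-06-21T10:07:55Z 10.0.0.11 GET https://files.example/notepad-setup.exe 200 -
2024-06-21T10:08:30Z 10.0.0.13 GET https://google-chrome-install.example/setup.exe 200 https://duckduckgo.com/?q=chrome
"""


@dataclass
class Hit:
    client: str
    url: str
    product: str
    reason: str
    from_search: bool


def product_of(text):
    """Which product name, if any, appears in a file name or host."""
    for product, pat in PRODUCT_RE.items():
        if pat.search(text):
            return product
    return None


def check_download(client, url, referer):
    """Return a Hit if url is a Chrome/Teams-looking installer off-vendor."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1]
    if not INSTALLER_RE.search(filename):
        return None
    product = product_of(filename) or product_of(host)
    if product is None or host in VENDOR_HOSTS[product]:
        return None
    if PRODUCT_RE[product].search(host):
        reason = "lookalike host carries the product name"
    else:
        reason = "installer served from a non-vendor host"
    ref_host = (urlparse(referer).hostname or "").lower()
    from_search = any(s in ref_host for s in SEARCH_ENGINES)
    return Hit(client, url, product, reason, from_search)


def hunt(log_text):
    """Parse the log and return all suspicious installer downloads, in order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        hit = check_download(m["client"], m["url"], m["referer"])
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        flag = " (arrived from a search engine)" if h.from_search else ""
        print(f"{h.client} {h.product}: {h.reason}{flag} -> {h.url}")
```

On the constructed sample this yields three hits (the Teams lookalike, the Chrome installer on a generic CDN, and the generic `setup.exe` on a Chrome-named host), all reached from a search engine; the two vendor-hosted downloads and the unrelated installer are ignored. The hunt is deliberately coarse: it surfaces candidates for an analyst, and a hit is confirmed by checking the file's Authenticode signature and hash rather than by the log alone.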
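To make the ONNX Store "2FA bypass by interception" concrete, the simulation below shows both sides of a relayed login: the victim enters their second factor on a phishing origin and the attacker forwards it to the real site. It is an added example and simplified model, not ONNX Store's code and not any real authentication service; the origins `https://login.example` and `https://login-example.example`, the fixed secrets and the fixed clock are constructed for the demo. TOTP follows RFC 6238, and an HMAC keyed with a shared device key stands in for the authenticator's public-key signature so the example runs offline; the property being demonstrated is that the origin-bound response covers the origin the browser is actually on, which a typed code does not.

```python
"""Relay ("adversary-in-the-middle") phishing against two kinds of 2FA.

Added example, not ONNX Store's or any vendor's code. Shows that a relayed
TOTP code is accepted by the real site, while a relayed origin-bound
assertion is rejected whether the attacker forwards it as-is or rewrites
the origin.
"""
import hashlib
import hmac
import secrets
import struct

# Constructed, fixed demo values so the run is reproducible; real deployments
# generate secrets per enrolment and use the real clock.
TOTP_SECRET = b"constructed-demo-totp-secret"
DEVICE_KEY = b"constructed-demo-authenticator-key"
REAL_ORIGIN = "https://login.example"           # assumed legitimate site
PHISH_ORIGIN = "https://login-example.example"  # assumed relay phishing page
NOW = 1_700_000_000                             # fixed clock (Unix seconds)


def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step)."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Service:
    """The real site; it holds the user's TOTP secret and authenticator key."""

    def __init__(self):
        self.sessions = set()

    def login_totp(self, code, now):
        """A typed code carries no information about where it was typed."""
        if hmac.compare_digest(code, totp(TOTP_SECRET, now)):
            return self._session()
        return None

    def challenge(self):
        return secrets.token_bytes(16)

    def login_origin_bound(self, challenge, origin, tag):
        """The tag covers (challenge, origin); both must match this site."""
        expected = hmac.new(DEVICE_KEY, challenge + origin.encode(),
                            hashlib.sha256).digest()
        if origin == REAL_ORIGIN and hmac.compare_digest(tag, expected):
            return self._session()
        return None

    def _session(self):
        tok = secrets.token_hex(16)
        self.sessions.add(tok)
        return tok


class Victim:
    """The user's browser plus authenticator."""

    def answer_totp(self, now):
        return totp(TOTP_SECRET, now)

    def sign(self, challenge, origin):
        # HMAC stands in for the authenticator's signature; the point is that
        # the origin the browser is on is part of what gets signed.
        tag = hmac.new(DEVICE_KEY, challenge + origin.encode(),
                       hashlib.sha256).digest()
        return origin, tag


def aitm_relay_totp(service, victim, now):
    """Phishing page collects the code and replays it to the real site."""
    code = victim.answer_totp(now)          # typed into PHISH_ORIGIN
    return service.login_totp(code, now)    # relayed inside the 30 s window


def aitm_relay_origin_bound(service, victim):
    """Same relay against an origin-bound authenticator: fails both ways."""
    challenge = service.challenge()                      # attacker fetches a real challenge
    origin, tag = victim.sign(challenge, PHISH_ORIGIN)   # victim's browser is on the phishing page
    # Forwarding as-is fails the origin check; rewriting the origin to the
    # real one fails the signature check.
    return (service.login_origin_bound(challenge, origin, tag)
            or service.login_origin_bound(challenge, REAL_ORIGIN, tag))


def honest_origin_bound(service, victim):
    challenge = service.challenge()
    origin, tag = victim.sign(challenge, REAL_ORIGIN)
    return service.login_origin_bound(challenge, origin, tag)


if __name__ == "__main__":
    svc, victim = Service(), Victim()
    print("relayed TOTP accepted:", aitm_relay_totp(svc, victim, NOW) is not None)
    print("relayed origin-bound accepted:", aitm_relay_origin_bound(svc, victim) is not None)
    print("honest origin-bound accepted:", honest_origin_bound(svc, victim) is not None)
```

The relayed TOTP succeeds as long as the attacker forwards it before the 30-second step rolls over, which is why these kits proxy the login in real time rather than harvesting codes for later; the same relay against the origin-bound flow yields no session. This is the reason to move accounts that are likely phishing targets onto FIDO2 keys or passkeys rather than relying on OTP codes.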


The malvertising campaign and the phishing activity pose significant threats to organizations and individuals alike. The tactics described above point to concrete defensive steps: treat search-engine results and ads as an untrusted channel and obtain installers only from the vendor's own download pages, verifying their signatures before running them; treat PDF attachments that carry QR codes as phishing lures; and prefer phishing-resistant, origin-bound MFA for accounts that a relayed code could otherwise expose. Users should also be made aware of these tactics, and collaboration between security teams and law enforcement remains important in combating these evolving threats.


[1] https://www.krofeksecurity.com/index.php/2024/06/21/oyster-backdoor-how-trojanized-popular-software-downloads-are-spreading-it/
[2] https://thehackernews.com/2024/06/oyster-backdoor-spreading-via.html