Categories: Cyber Security News

Hackers Using PuTTY for Both Lateral Movement and Data Exfiltration

Hackers are increasingly abusing the popular PuTTY SSH client for stealthy lateral movement and data exfiltration in compromised networks, leaving subtle forensic traces that investigators can exploit.

In a recent investigation, responders pivoted to persistent Windows registry artifacts after attackers wiped most filesystem evidence.

Threat actors favor PuTTY, a legitimate tool for secure remote access, due to its “living off the land” nature, blending malicious activity with normal admin tasks.

Attackers execute PuTTY binaries like plink.exe or pscp.exe to hop between systems via SSH tunnels and siphon sensitive files without deploying custom malware.

Recent campaigns, such as SEO-poisoned PuTTY downloads that deliver the Oyster backdoor, highlight how initial infections enable network pivots and outbound data theft via HTTP POSTs.

Maurice Fielenbach found that, despite aggressive log and artifact cleanup, PuTTY stores SSH host keys in the registry at HKCU\Software\SimonTatham\PuTTY\SshHostKeys.

This location logs exact target IPs, ports, and fingerprints from connections, serving as a “digital breadcrumb trail.” Investigators correlate these entries with authentication logs and network flows to reconstruct attacker paths, even when event logs are sparse.

Groups like those behind DarkSide ransomware and North Korean APTs have used similar SSH tactics for privilege escalation and persistence.

In mid-2025, waves of trojanized PuTTY malware targeted Windows admins, enabling rapid lateral spread. Detection is hard because PuTTY mimics normal IT workflows, but anomalous RDP scans or irregular SSH traffic after a compromise often tip off tools like Darktrace.

Security teams should baseline PuTTY usage via endpoint detection platforms, hunting registry keys, and monitoring SSH from non-standard ports. Velociraptor artifacts simplify queries for SshHostKeys, while network telemetry flags unusual exfil patterns.
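The registry artifact described above and the hunting advice here can be combined in a small triage script. This is an added example, not code from the article, Velociraptor or PuTTY: it parses a constructed `.reg` export of the SshHostKeys key (value names follow PuTTY's `<keytype>@<port>:<host>` layout), then flags cached targets on non-standard SSH ports or outside an assumed host allowlist.

```python
import re
from typing import NamedTuple

# Constructed sample: a .reg export of the PuTTY host-key cache in the form
# reg.exe produces. Value names are "<keytype>@<port>:<host>"; the data is the
# cached public key, shortened here to placeholder hex.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:10.0.0.5"="0x10001,0xb7c0ffee"
"ssh-ed25519@22:fileserver.corp.example"="0x1a2b,0x3c4d"
"ecdsa-sha2-nistp256@2222:203.0.113.7"="0x55aa,0x66bb"
"ssh-ed25519@443:198.51.100.23"="0x77cc,0x88dd"
'''

# Port is matched before the host so IPv6 literals (which contain colons)
# still land in the host group.
VALUE_NAME_RE = re.compile(r"^(?P<keytype>[^@]+)@(?P<port>\d+):(?P<host>.+)$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=')

class HostKeyEntry(NamedTuple):
    keytype: str
    port: int
    host: str

def parse_value_name(name: str) -> HostKeyEntry:
    """Split one SshHostKeys value name into key type, port and host."""
    m = VALUE_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a PuTTY host-key value name: {name!r}")
    return HostKeyEntry(m["keytype"], int(m["port"]), m["host"])

def value_names_from_reg_export(text: str) -> list:
    """Pull the value names out of a .reg export of the SshHostKeys key."""
    return [m.group(1) for line in text.splitlines()
            if (m := REG_VALUE_RE.match(line))]

def triage(names, allowed_hosts, standard_ports=(22,)):
    """Return (entry, reasons) for each cached target worth a second look:
    an SSH port outside the expected set, or a host not on the allowlist."""
    findings = []
    for name in names:
        entry = parse_value_name(name)
        reasons = []
        if entry.port not in standard_ports:
            reasons.append("non-standard port")
        if entry.host not in allowed_hosts:
            reasons.append("host not on allowlist")
        if reasons:
            findings.append((entry, reasons))
    return findings

if __name__ == "__main__":
    allow = {"10.0.0.5", "fileserver.corp.example"}  # assumed allowlist
    for e, why in triage(value_names_from_reg_export(SAMPLE_REG_EXPORT), allow):
        print(f"{e.host}:{e.port} ({e.keytype}) -> {', '.join(why)}")
```

The same functions work on a Velociraptor or `reg export` dump of the key taken from each host, so the flagged targets can be correlated with SSH authentication logs on the destination side.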

Patching PuTTY vulnerabilities like CVE-2024-31497 prevents key recovery exploits that aid persistence. Enterprises must rotate SSH keys and restrict PuTTY to whitelisted hosts to thwart these evasive ops.


The post Hackers Using PuTTY for Both Lateral Movement and Data Exfiltration appeared first on Cyber Security News.
