Hackers are increasingly abusing the popular PuTTY SSH client for stealthy lateral movement and data exfiltration in compromised networks, leaving subtle forensic traces that investigators can exploit.
In a recent investigation, responders pivoted to persistent Windows registry artifacts after attackers wiped most filesystem evidence.
Threat actors favor PuTTY, a legitimate tool for secure remote access, due to its “living off the land” nature, blending malicious activity with normal admin tasks.
Attackers execute PuTTY binaries like plink.exe or pscp.exe to hop between systems via SSH tunnels and siphon sensitive files without deploying custom malware.
Recent campaigns, such as SEO-poisoned PuTTY downloads that deliver the Oyster backdoor, highlight how initial infections enable network pivots and outbound data theft via HTTP POSTs.
Maurice Fielenbach found that, despite aggressive log and artifact cleanup, PuTTY stores SSH host keys in the registry at HKCU\Software\SimonTatham\PuTTY\SshHostKeys.
This location logs exact target IPs, ports, and fingerprints from connections, serving as a “digital breadcrumb trail.” Investigators correlate these entries with authentication logs and network flows to reconstruct attacker paths, even when event logs are sparse.
Groups like those behind DarkSide ransomware and North Korean APTs have used similar SSH tactics for privilege escalation and persistence.
In mid-2025, malware waves, trojanized PuTTY targeted Windows admins, enabling rapid lateral spreads. Detection challenges arise as PuTTY mimics IT workflows, but anomalous RDP scans or irregular SSH traffic post-compromise often tip off tools like Darktrace.
Security teams should baseline PuTTY usage via endpoint detection platforms, hunting registry keys, and monitoring SSH from non-standard ports. Velociraptor artifacts simplify queries for SshHostKeys, while network telemetry flags unusual exfil patterns.
Patching PuTTY vulnerabilities like CVE-2024-31497 prevents key recovery exploits that aid persistence. Enterprises must rotate SSH keys and restrict PuTTY to whitelisted hosts to thwart these evasive ops.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
