A malvertising campaign using sponsored results on Microsoft’s search platform delivered a weaponized PuTTY that established persistence, enabled hands-on-keyboard control, and executed Kerberoasting to target Active Directory service accounts, according to an investigation published by LevelBlue’s MDR SOC and corroborated by independent research tracking Oyster/Broomstick backdoor activity tied to trojanized admin tools distributed via search ads and SEO poisoning.

LevelBlue’s SOC received a SentinelOne high-risk alert in USM Anywhere, flagging a suspicious PuTTY.exe download signed by “NEW VISION MARKETING LLC,” an unexpected signer for legitimate PuTTY and the first red flag on the endpoint.
The analysis highlighted outbound traffic from PuTTY.exe to malicious infrastructure, suspicious DLL creation in %appdata% and %temp%, scheduled-task persistence via rundll32 DllRegisterServer, and hands-on-keyboard (HOK) activity culminating in Kerberoasting.
Next, the asset was isolated, the account was disabled, and execution chains were reconstructed. This revealed that the fake installer had scheduled a task, “Security Updater,” to run every three minutes, loading a malicious DLL (twain_96.dll). This DLL then dropped “green.dll,” which was used for operator access and reconnaissance.
Weaponized PuTTY to Exploit Kerberos
The fake PuTTY, carrying an anomalous code-signing certificate, executed and established persistence through a scheduled task that invoked rundll32 with DllRegisterServer at three-minute intervals.
The first-stage DLL (twain_96[.]dll) dropped a second-stage (green[.]dll) that initiated a single outbound 443 connection and spawned cmd[.]exe for discovery commands consistent with ransomware operator TTPs (nltest, net group domain admins, nltest /dclist).
SentinelOne telemetry and VirusTotal classifications mapped the DLLs to the Oyster/Broomstick backdoor family known for hardcoded C2, scheduled-task persistence, and remote command execution.
The final recorded action was an inline PowerShell script performing Kerberoasting, requesting TGS tickets for SPN-bearing accounts and leveraging weak RC4-HMAC if AES enforcement was absent, then extracting ticket bytes in-memory to emit Hashcat-ready $krb5tgs$ material (mode 13100).

The script borrowed from Invoke-Kerberoast patterns, executed fully in-memory without disk writes, and was validated via USM Anywhere events showing RC4-HMAC-encrypted Kerberos service tickets (Event ID 4769). This enabled offline cracking of service account credentials for privilege escalation and lateral movement against AD services.
LevelBlue traced the initial access to malicious sponsored results impersonating putty[.]org and redirecting to typosquatted domains such as puttyy[.]org and puttysystems[.]com that delivered the trojanized installer, with payload hosting observed via heartlandenergy[.]ai and a rotating loader script at putty[.]network pulling from compromised WordPress sites.
The MDR team noted variant payload hashes, multiple code-signing certificates (including NEW VISION MARKETING LLC) to evade hash/signer-based detections, and alternate scheduled-task names such as “FireFox Agent INC” in sandboxed samples.
This activity aligns with broader 2024–2025 malvertising/SEO poisoning trends delivering trojanized PuTTY/WinSCP and Oyster/Broomstick, as reported by Rapid7 and Arctic Wolf.
The table below consolidates the IOCs reported from the LevelBlue investigation into the weaponized PuTTY malvertising tied to the Oyster/Broomstick backdoor, together with aligned open-source reporting on the same campaign. Use these indicators for blocklists, retro-hunting, and detection content.
Type | Indicator | Context/Notes |
---|---|---|
Domain | puttyy[.]org | Typosquat used to deliver trojanized PuTTY installers. |
Domain | puttysystems[.]com | Malvertising landing used to impersonate PuTTY download. |
Domain | updaterputty[.]com | Newly registered domain associated with campaign flow. |
Domain | putty[.]bet | Campaign-associated domain registration. |
Domain | puttyy[.]com | Typosquat tied to delivery infrastructure. |
Domain | putty[.]run | Campaign-associated domain registration. |
Domain | putty[.]lat | Campaign-associated domain registration. |
Domain | putty[.]us[.]com | Campaign-associated domain registration. |
Domain | heartlandenergy[.]ai | Observed hosting payload behind “Download PuTTY.” |
Domain | putty[.]network | Loader page rotating mirrors via JS for payload checks. |
Domain | ruben.findinit[.]com | Compromised WordPress site used to serve payloads. |
Domain | ekeitoro.siteinwp[.]com | Compromised WordPress site used to serve payloads. |
Domain | danielaurel[.]tv | Compromised WordPress site used to serve payloads. |
File signer | THE COMB REIVERS LIMITED | Abused code-signing certificate on trojanized installers. |
File signer | NEW VISION MARKETING LLC | Anomalous signer on fake PuTTY[.]exe observed. |
File signer | PROFTORG LLC | Abused certificate on malicious samples. |
File signer | LLC Fortuna | Abused certificate on malicious samples. |
File signer | LLC BRAVERY | Abused certificate on malicious samples. |
File signer | LLC Infomed22 | Abused certificate on malicious samples. |
IP | 45.86.230[.]77 | C2/registration/login endpoints observed. |
IP | 185.208.159[.]119 | Malicious API host observed in activity. |
IP | 144.217.207[.]26 | Outbound 443 connection (green.dll). |
IP | 85.239.52[.]99 | Malicious API host observed in activity. |
IP | 194.213.18[.]89 | C2 registration/login endpoints observed. |
URL (defanged) | hxxp[:]//185.208.158[.]119/api/jgfnsfnuefcnegfnehjbfncejfh | Malicious API path. |
URL (defanged) | hxxp[:]//185.208.158[.]119/api/kcehc | Malicious API path. |
URL (defanged) | hxxp[:]//45.86.230[.]77:443/reg | C2 registration endpoint. |
URL (defanged) | hxxp[:]//45.86.230[.]77:443/login | C2 login endpoint. |
URL (defanged) | hxxp[:]//85.239.52[.]99/api/jgfnsfnuefcnegfnehjbfncejfh | Malicious API path. |
URL (defanged) | hxxp[:]//85.239.52[.]99/api/kcehc | Malicious API path. |
URL (defanged) | hxxp[:]//194.213.18[.]89:443/reg | C2 registration endpoint. |
URL (defanged) | hxxp[:]//194.213.18[.]89:443/login | C2 login endpoint. |
Scheduled task | Security Updater | Persistence via rundll32 DllRegisterServer at 3‑minute intervals. |
Scheduled task | FireFox Agent INC | Alternate task name seen in sandboxed samples. |
Recommendations include blocking the identified domains, enforcing AES for Kerberos on SPN accounts, rotating credentials for affected SPNs, and restricting software acquisition to vetted repositories and official vendor sites.
Security teams should deploy custom detections for rundll32 DllRegisterServer misuse, three-minute recurring scheduled tasks, in-memory Kerberoasting patterns, and storyline correlations linking fake admin tools to DLL drops and cmd[.]exe reconnaissance.
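A defender-side detection for the Kerberoasting pattern described above, as an added example (not code from LevelBlue or this article): it runs over a constructed export of Event ID 4769 records and flags an account that requests RC4-HMAC service tickets for several distinct SPNs within a short window. The compact one-record-per-line export format, the field names taken from the 4769 event data, and the thresholds are assumptions.

```python
"""Flag Kerberoasting-style bursts in Windows Security Event 4769 records:
one account requesting RC4-HMAC service tickets for many SPNs in seconds."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType; 0x12/0x11 are AES256/AES128
# Constructed sample export (not real telemetry), one 4769 record per line;
# TargetUserName is the requester, ServiceName the account the SPN belongs to.
SAMPLE_LOG = """\
2025-09-18T10:00:01 4769 TargetUserName=alice@CORP.LOCAL ServiceName=MSSQLSvc/db01.corp.local TicketEncryptionType=0x12 IpAddress=10.0.0.5
2025-09-18T10:00:03 4769 TargetUserName=carol@CORP.LOCAL ServiceName=HTTP/legacyapp.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.9
2025-09-18T10:02:10 4769 TargetUserName=bob@CORP.LOCAL ServiceName=MSSQLSvc/db01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.7
2025-09-18T10:02:11 4769 TargetUserName=bob@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.0.0.7
2025-09-18T10:02:11 4769 TargetUserName=bob@CORP.LOCAL ServiceName=HTTP/intranet.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.7
2025-09-18T10:02:12 4769 TargetUserName=bob@CORP.LOCAL ServiceName=CIFS/files.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.7
2025-09-18T10:02:14 4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.7
"""

def parse_4769(text):
    """Parse the compact export into dicts, keeping only Event ID 4769 rows."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "4769":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        fields["time"] = datetime.fromisoformat(parts[0])
        events.append(fields)
    return events

def kerberoast_bursts(events, window_seconds=60, min_distinct_spns=3):
    """One alert per account whose RC4 TGS requests cover >= min_distinct_spns
    SPNs within window_seconds; computer accounts ($) are skipped as uncrackable."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue  # AES tickets give nothing cheap to crack offline
        if e.get("ServiceName", "").endswith("$"):
            continue  # machine-account passwords are long and random
        by_user[e["TargetUserName"]].append((e["time"], e["ServiceName"]))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        for t0, _ in reqs:  # slide the window forward from each request
            spns = {s for t, s in reqs if t0 <= t <= t0 + timedelta(seconds=window_seconds)}
            if len(spns) >= min_distinct_spns:
                alerts.append({"user": user, "first_seen": t0.isoformat(), "spns": sorted(spns)})
                break
    return alerts
```

Feed it an export of real 4769 records in the same line format, and tune the window and SPN count to the normal ticket-request rate of your service accounts before alerting on it.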
Continuous user training for privileged staff and rapid MDR-led threat hunting across fleets can reduce dwell time and blunt credential theft-to-ransomware escalation paths.