Hackers Using PuTTY for Both Lateral Movement and Data Exfiltration - CyberSecurityNews

CyberSecurityNews · Mar 26, 2026

Hackers are increasingly abusing the popular PuTTY SSH client for stealthy lateral movement and data exfiltration in compromised networks, leaving subtle forensic traces that investigators can exploit. In a recent investigation, responders pivoted to persistent Windows registry artifacts after attackers had wiped most filesystem evidence.

Threat actors favor PuTTY, a legitimate tool for secure remote access, because of its "living off the land" nature: malicious activity blends in with normal admin tasks. Attackers execute PuTTY binaries such as plink.exe or pscp.exe to hop between systems over SSH tunnels and siphon off sensitive files without deploying custom malware. Recent campaigns, such as SEO-poisoned PuTTY downloads that deliver the Oyster backdoor, show how an initial infection enables network pivots and outbound data theft via HTTP POSTs.

Maurice Fielenbach found that, despite aggressive log and artifact cleanup, PuTTY stores SSH host keys in the registry at HKCU\Software\SimonTatham\PuTTY\SshHostKeys. This location records the exact target IPs, ports, and key fingerprints of past connections, serving as a "digital breadcrumb trail." Investigators correlate these entries with authentication logs and network flows to reconstruct the attacker's path, even when event logs are sparse.

Groups like those behind DarkSide ransomware and North Korean APTs have used similar SSH tactics for privilege escalation and persistence. In mid-2025, waves of trojanized PuTTY malware targeted Windows admins, enabling rapid lateral spread. Detection is difficult because PuTTY mimics normal IT workflows, but anomalous RDP scans or irregular SSH traffic after compromise often tip off tools like Darktrace.

Security teams should baseline PuTTY usage through endpoint detection platforms, hunt for the registry keys, and monitor SSH on non-standard ports. Velociraptor artifacts simplify queries for SshHostKeys, while network telemetry flags unusual exfiltration patterns. Patching PuTTY vulnerabilities like CVE-2024-31497 prevents key-recovery exploits that aid persistence. Enterprises must rotate SSH keys and restrict PuTTY to whitelisted hosts to thwart these evasive operations.
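As an added example (not code from the article, Velociraptor, or PuTTY), the following parses an exported copy of the SshHostKeys key into target host, port and key type, then flags entries worth correlating with authentication logs: non-standard ports, bare IP targets, and hosts outside an approved jump-host list. The .reg export, the approved host list and the key data are all constructed sample values.

```python
import re
from dataclasses import dataclass

# PuTTY names each host key value '<keytype>@<port>:<host>'.
VALUE_NAME_RE = re.compile(r'^(?P<keytype>[^@]+)@(?P<port>\d{1,5}):(?P<host>.+)$')

# Constructed sample `reg export` of HKCU\Software\SimonTatham\PuTTY\SshHostKeys;
# the data on the right-hand side is dummy hex, not real host keys.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:jump01.corp.example"="0x10001,0xc0ffee"
"ssh-ed25519@22:10.20.30.40"="0x1234,0x5678"
"ecdsa-sha2-nistp256@2222:203.0.113.7"="0xabcd,0xef01"
'''

@dataclass(frozen=True)
class HostKeyEntry:
    keytype: str
    port: int
    host: str

def parse_value_name(name: str) -> HostKeyEntry:
    """Split 'keytype@port:host'; the host part may itself contain ':' (IPv6)."""
    m = VALUE_NAME_RE.match(name)
    if not m:
        raise ValueError(f'not a PuTTY SshHostKeys value name: {name!r}')
    return HostKeyEntry(m['keytype'], int(m['port']), m['host'])

def parse_reg_export(text: str) -> list[HostKeyEntry]:
    """Collect every value name from a .reg export of the SshHostKeys key."""
    return [parse_value_name(line[1:line.index('"', 1)])
            for line in text.splitlines() if line.startswith('"')]

def triage(entries, approved_hosts, standard_ports=(22,)):
    """Return (entry, reasons) for targets worth correlating with auth logs and flows."""
    findings = []
    for e in entries:
        reasons = []
        if e.port not in standard_ports:
            reasons.append(f'non-standard SSH port {e.port}')
        if e.host not in approved_hosts:
            reasons.append('target not in approved SSH host list')
        if e.host.replace('.', '').isdigit():  # rough IPv4-literal check
            reasons.append('bare IPv4 target with no DNS name')
        if reasons:
            findings.append((e, reasons))
    return findings
```

Run `triage(parse_reg_export(SAMPLE_REG_EXPORT), {'jump01.corp.example'})` to see the two non-approved targets surface; on a live host the same parser works on the output of `reg export HKCU\Software\SimonTatham\PuTTY\SshHostKeys`.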