Severity
High
Analysis Summary
Attackers are increasingly leveraging the legitimate PuTTY SSH client to conduct stealthy lateral movement and data exfiltration within compromised networks. By using trusted administrative tools like PuTTY, threat actors exploit the “living off the land” approach, blending their malicious actions with normal IT operations. They often execute binaries such as plink.exe or pscp.exe to traverse systems via SSH tunnels and siphon sensitive data, avoiding the deployment of custom malware and leaving minimal filesystem evidence. Recent incidents show that responders often need to pivot to persistent Windows registry artifacts to trace attacker activity after conventional logs and files are wiped.
According to the Researcher, one key forensic artifact is PuTTY’s storage of SSH host keys in the Windows registry at HKCU\Software\SimonTatham\PuTTY\SshHostKeys, which logs the exact target IPs, ports, and fingerprints. Investigators can use this as a “digital breadcrumb trail” to reconstruct attacker paths, correlating entries with authentication logs and network traffic even when event logs are sparse. This registry-based insight has proven critical in investigations of campaigns delivering malware like the Oyster backdoor via SEO-poisoned PuTTY downloads, where initial infections enable lateral movement and exfiltration over HTTP POSTs.
Notable threat groups, including DarkSide ransomware operators and North Korean APTs, have utilized SSH-based tactics for privilege escalation, persistence, and rapid lateral spreads. In mid-2025, trojanized PuTTY versions specifically targeted Windows administrators, exploiting trust in IT workflows to evade detection. While tools like PuTTY mimic legitimate administration, unusual RDP scans or anomalous SSH traffic patterns often trigger alerts in security platforms such as Darktrace, highlighting deviations from baseline behavior.
To mitigate these risks, organizations should baseline PuTTY usage using endpoint detection tools, continuously monitor SSH activity from non-standard ports, and hunt for registry artifacts like SshHostKeys using platforms such as Velociraptor. Patching vulnerabilities such as CVE-2024-31497, rotating SSH keys, and restricting PuTTY connections to whitelisted hosts are essential steps to prevent attackers from exploiting key recovery mechanisms and maintain network security. By combining proactive monitoring with forensic analysis, enterprises can detect stealthy lateral movement and reduce the risk of data exfiltration.
Impact
- Gain Access
Remediation
- Track and document normal PuTTY usage across endpoints to identify anomalies.
- Inspect SSH connections on non-standard ports and unusual traffic patterns.
- Regularly query HKCU\Software\SimonTatham\PuTTY\SshHostKeys for unexpected entries using tools like Velociraptor.
- Apply updates to PuTTY, including fixes for CVE-2024-31497, to prevent key recovery exploits.
- Limit PuTTY connections to whitelisted servers only.
- Change SSH keys periodically to prevent unauthorized access from compromised keys.
- Monitor for unusual RDP scans or multiple SSH hops indicative of lateral movement.
- Educate administrators on the risks of trojanized PuTTY binaries and phishing campaigns delivering malicious versions.
- Deploy EDR solutions to flag anomalous execution of plink.exe, pscp.exe, or other PuTTY components.
- Combine registry artifacts with authentication logs and network telemetry to reconstruct potential attacker paths.