Threat Intelligence: The PuTTY Client Malvertising Campaign

Malvertising is a cyber threat tactic that involves embedding malicious code within digital advertisements, effectively using the online advertising infrastructure to distribute malware. This method exploits the ubiquity and effectiveness of online ads to reach unsuspecting users, bypassing many traditional security measures by hiding within legitimate advertising networks. A recent example of this threat in action is the malvertising campaign involving the widely-used PuTTY software.

The PuTTY Malvertising Campaign

The recent PuTTY malvertising campaign, documented by Malwarebytes, is a prime example of this threat in action. In the campaign, attackers placed ads on Google that appeared legitimate and linked to a fake PuTTY website, designed to trick users into downloading a version of PuTTY that was actually malware. The software served was not just any malware, but a loader designed to execute further malicious payloads selectively. This strategy let the attackers deploy additional malware based on the specifics of the compromised system, all while flying under the radar of conventional antivirus solutions.

Tactics and Techniques

Upon clicking the deceptive ad, domain name “,” users were redirected to a crafted phishing site, an almost perfect clone of the legitimate PuTTY homepage. This site’s primary purpose was to dupe users into downloading a malicious executable, disguised convincingly as the PuTTY software. The execution of this counterfeit software initiated a multi-layered attack chain, starting with an IP verification process to filter out potential analysis tools or cybersecurity defenses aiming to identify and neutralize the threat.
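A defender-side check in the spirit of this section, added here as an example and not taken from the original post or the Malwarebytes report: it scans proxy log lines for PuTTY installer downloads served from hosts other than the official PuTTY site, and for lookalike domains that carry the PuTTY name. The official host names are a known fact; the log format, client addresses and lookalike domains are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Official PuTTY web site and the host its download links point to (known fact).
# Extend this set with any internal software mirror your organization uses.
TRUSTED_PUTTY_HOSTS = {"www.chiark.greenend.org.uk", "the.earth.li"}

# Filenames a PuTTY download normally produces; a clone site mimics these closely.
PUTTY_FILE_RE = re.compile(r"/(putty[\w.-]*\.(?:exe|msi|zip))$", re.IGNORECASE)

# Constructed proxy log (not real traffic): timestamp, client, method, url, status.
SAMPLE_PROXY_LOG = """\
2024-03-01T09:12:04Z 10.0.0.21 GET https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html 200
2024-03-01T09:12:09Z 10.0.0.21 GET https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.80-installer.msi 200
2024-03-01T09:15:31Z 10.0.0.34 GET https://putty-download.example/download/putty-64bit-0.80-installer.exe 200
2024-03-01T09:16:02Z 10.0.0.34 GET https://putty-download.example/favicon.ico 200
2024-03-01T09:20:45Z 10.0.0.57 GET https://cdn.example.net/tools/PuTTY.exe 200
"""


def classify(url: str) -> Optional[str]:
    """Return a finding label for one URL, or None when nothing looks suspicious."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in TRUSTED_PUTTY_HOSTS:
        return None  # installer fetched from where it is supposed to come from
    if PUTTY_FILE_RE.search(parsed.path):
        return "putty-installer-from-untrusted-host"
    if "putty" in host:
        return "putty-lookalike-domain"  # brand name in an unrelated host: clone site
    return None


def scan_proxy_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Walk the log and return (client, label, url) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip it rather than abort the whole scan
        _ts, client, _method, url, _status = parts
        label = classify(url)
        if label:
            findings.append((client, label, url))
    return findings


if __name__ == "__main__":
    for client, label, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client}  {label}  {url}")
```

The two official hosts produce no findings; the clone domain is flagged once for the installer and once for the lookalike host name, and the installer served from an unrelated CDN is flagged as well.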

Malware Deployment Strategy

Successful verification led to the deployment of the “Rhadamanthys stealer,” a payload designed for data exfiltration. This malware component was engineered to bypass traditional detection mechanisms by employing stealth techniques, including the use of legitimate protocol communications (SSH) to blend in with normal network traffic, thus evading network-based anomaly detection systems.

The Threat Actors’ Expertise

The threat actors behind this campaign demonstrated a profound understanding of both cybersecurity defenses and user interaction patterns. They exploited the inherent trust users place in top search engine results and leveraged sophisticated social engineering tactics to facilitate the delivery of their malware. By impersonating widely trusted and widely used software such as PuTTY, the attackers targeted a specific demographic—system administrators and IT professionals—whose compromised systems could provide deeper network access and more valuable data.

The implications of malvertising-based attacks are far-reaching, impacting not only individual users but also organizations at large. Malvertising campaigns often deliver infostealer malware, such as IcedID and Aurora Stealer, setting the stage for more severe attacks like ransomware. The credentials these stealers harvest can then circulate in the criminal underworld, facilitating further breaches.

Impact and Reach of Malvertising Attacks in 2024

The Avast Q4/2023 Threat Report offers further insight into the year's trends, highlighting a continued rise in phishing and malvertising attacks. Notably, the final quarter of 2023 saw an increase in phishing activity, especially in the post-holiday period, with over 4,000 fake e-shops mimicking popular brands detected. Moreover, the financial repercussions of these attacks remain alarming, with estimated losses potentially reaching as high as $19 billion annually. This figure highlights how hard it is to predict and mitigate the costs associated with malvertising. The driving force behind the vast majority of these cybercrimes remains financial gain, with an estimated 76% of all cybercrimes motivated by the prospect of monetary extortion, according to ProPrivacy.

Malvertising Prevention

To defend against malvertising, a multi-layered security approach is essential. This includes utilizing web protection applications to block connections to malicious servers, implementing ad blockers, and keeping systems and browsers updated to mitigate vulnerabilities. Despite these measures, the dynamic nature of malvertising means that new malicious websites emerge daily, necessitating constant vigilance and the adoption of advanced security tools to detect and prevent attacks.

How Can Netizen Help?

Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.

Questions or concerns? Feel free to reach out to us any time –

Copyright © Netizen Corporation. All Rights Reserved.