
Attackers love to abuse the most innocuous tools to infiltrate their targets’ networks, and we all know this.
In this case, they’re targeting PuTTY, the popular SSH client. It’s like using a disguise to blend in with the “good guys.” Criminal hackers prefer it because it acts like a double agent: it lets them mix malicious actions with legitimate ones, making them difficult to detect.
A trick to unmask them has been discovered: following the traces left unintentionally in the Windows registry. Attackers run PuTTY binaries such as plink.exe or pscp.exe to move from one system to another via SSH tunnels and steal sensitive files without deploying custom malware.
Recently, malware campaigns abusing PuTTY downloads have spread the Oyster backdoor, clearly showing that they can lead to network modifications and data exfiltration through HTTP POST requests.
Security expert Maurice Fielenbach recently reported that, despite aggressive log and artifact cleanup, PuTTY stores SSH host keys in the registry under HKCU\Software\SimonTatham\PuTTY\SshHostKeys.
These entries record destination IP addresses, ports, and connection signatures, a kind of “digital history.” By correlating this data with authentication logs and network flows, investigators can reconstruct the attackers’ paths, even when event logs are insufficient.
Recall that throughout 2025, Windows administrators were targeted by waves of malware involving Trojanized versions of PuTTY, allowing for rapid lateral propagation. Detecting these threats is challenging because PuTTY is part of standard IT workflows; however, malicious tools can often be identified by detecting anomalous RDP scans or irregular SSH traffic following a compromise.
To prevent evasion, organizations should limit PuTTY use to authorized hosts and rotate SSH keys regularly. Checking for these registry keys and for SSH activity on non-standard ports should be a priority for security teams.
Additionally, the possibility of exploiting PuTTY vulnerabilities such as CVE-2024-31497, which allows key recovery and thus helps attackers persist, can be eliminated by applying the relevant patches.
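The registry artifact described above can be triaged with a short script. The following is an added example, not code from the article or from the PuTTY project: it parses the value names PuTTY writes under HKCU\Software\SimonTatham\PuTTY\SshHostKeys (each of the form "<keytype>@<port>:<host>") and flags destinations that are not on an SSH allow-list or that use a non-standard port, which is the check the preceding paragraph recommends. The sample value names and the allow-list are constructed for illustration; on Windows, `collect_live()` reads the real key through the standard-library `winreg` module, and on other platforms the script falls back to the sample data.

```python
r"""Triage of PuTTY's SshHostKeys registry artifact (added example).

Value names under HKCU\Software\SimonTatham\PuTTY\SshHostKeys look like
"<keytype>@<port>:<host>". Parsing them yields the destinations a user (or an
attacker running plink/pscp under that user's profile) connected to.
"""
import sys
from dataclasses import dataclass

PUTTY_HOSTKEYS_SUBKEY = r"Software\SimonTatham\PuTTY\SshHostKeys"
STANDARD_SSH_PORT = 22


@dataclass(frozen=True)
class HostKeyEntry:
    key_type: str
    port: int
    host: str


def parse_value_name(name: str) -> HostKeyEntry:
    """Parse "<keytype>@<port>:<host>". The host part may itself contain
    colons (IPv6 literals), so only the first ':' after the port separates."""
    key_type, _, rest = name.partition("@")
    port_text, sep, host = rest.partition(":")
    if not key_type or not sep or not port_text.isdigit() or not host:
        raise ValueError(f"unrecognised SshHostKeys value name: {name!r}")
    return HostKeyEntry(key_type, int(port_text), host)


def triage(value_names, allowed_hosts):
    """Return (entry, reasons) pairs for entries an analyst should look at:
    destinations outside the allow-list and connections on non-standard ports."""
    findings = []
    for name in value_names:
        entry = parse_value_name(name)
        reasons = []
        if entry.host not in allowed_hosts:
            reasons.append("host not in SSH allow-list")
        if entry.port != STANDARD_SSH_PORT:
            reasons.append(f"non-standard port {entry.port}")
        if reasons:
            findings.append((entry, reasons))
    return findings


def collect_live():
    """Read the current user's SshHostKeys value names (Windows only).
    Returns [] elsewhere, or when the key is absent (PuTTY never used)."""
    if not sys.platform.startswith("win"):
        return []
    import winreg  # standard library, Windows only
    names = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, PUTTY_HOSTKEYS_SUBKEY) as key:
            value_count = winreg.QueryInfoKey(key)[1]
            for i in range(value_count):
                names.append(winreg.EnumValue(key, i)[0])
    except OSError:
        pass
    return names


# Constructed sample, mimicking what plink/pscp leave behind. The hosts and
# allow-list are hypothetical.
SAMPLE_VALUE_NAMES = [
    "ssh-ed25519@22:jumphost.corp.example",
    "rsa2@22:10.0.5.20",
    "ssh-ed25519@2222:10.0.7.44",
    "ecdsa-sha2-nistp256@22:fd00::1",
]
ALLOWED_HOSTS = {"jumphost.corp.example", "10.0.5.20"}

if __name__ == "__main__":
    names = collect_live() or SAMPLE_VALUE_NAMES
    for entry, reasons in triage(names, ALLOWED_HOSTS):
        print(f"{entry.host}:{entry.port} ({entry.key_type}) - {'; '.join(reasons)}")
```

Run as-is it reports the two constructed entries that fall outside the allow-list (one of them also on port 2222). In an investigation the same parser can be pointed at NTUSER.DAT hives exported from other accounts, since the key lives per user; the destination list it produces is what gets correlated with authentication logs and network flows.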
