Security Affairs

Malicious version of PuTTY is spreading in the wild

Bad actors have released a malicious version of the popular open source SSH client PuTTY that steals the credentials victims use to log in to remote systems.

Be careful: an unofficial build of PuTTY is circulating in the wild, and it steals information. It was compiled from the legitimate source code, but it is not hosted on the project's official website; instead, attackers redirect users from a compromised website to a site of their own that serves the malicious build.

The malicious version of PuTTY lets the attackers collect information about the computers and servers the victim connects to, including the credentials used to access those systems.

PuTTY is open source software: anyone can obtain the source code and contribute to it, normally to fix or improve the program, but the same openness can be abused. Attackers can recompile the source after inserting malicious code such as a virus or spyware.

In this case the crooks built a trojanized PuTTY precisely because it is used worldwide by millions of system administrators (and by anyone who needs to reach a remote server over SSH, Telnet or a serial line).

Because PuTTY is normally used to connect from a Windows machine to a Unix/Linux server, the attackers can harvest root credentials from their victims.

Another big problem, in my opinion, is that in corporate environments PuTTY is regarded as a useful and safe tool, so it is whitelisted in firewalls and other security products. Now imagine using the malicious version inside your company to access the company's servers: that is a serious breach, and one that can cost the company dearly.

As far as is known, the “bad” PuTTY has been in the wild since late 2013, but at that time its distribution was minimal; now, a year and a half later, we are seeing more and more cases of people running this dangerous version.

If you have doubts about the authenticity of your PuTTY client, check the “About” dialog of the software. In the unofficial version it looks like this:

[Image: “About” dialog of the fake PuTTY build]

The official version looks like this (the version number may vary):

[Image: “About” dialog of the official PuTTY build]

Experts at Symantec have published an interesting post on the case; as they explain, the malware appears to be distributed in the following way:

  • The victim performs a search for PuTTY on a search engine.
  • The search engine provides multiple results for PuTTY. Instead of selecting the official home page for PuTTY, the victim unknowingly selects a compromised website.
  • The compromised website redirects the user several times, ultimately connecting them to an IP address in the United Arab Emirates. This site provides the user with the fake version of PuTTY to download.

You can also check the file size: the “bad” PuTTY binary is larger than the official one.

When the “bad” version connects to a machine, it copies the SSH connection URL and other details and sends a beacon carrying that string to the attacker's web server. The request looks like this:

[Image: beacon request sent by the trojanized PuTTY to the attacker's web server]

The stolen string in the URL is Base64-encoded, and the request carries a specific User-Agent, which lets the attacker's server filter out connection attempts that do not come from the malware.
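The beacon described above gives defenders something to hunt for in web proxy logs: an outbound request whose path or query string carries a Base64 blob that decodes to an SSH connection string. The following detection script is an added example written for this article, not code from Symantec or from the PuTTY project, and it runs over a constructed proxy log; the log format, the hostnames, the paths and the exact shape of the stolen string (user@host[:port]) are assumptions, not indicators from the real campaign.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Assumed shape of the stolen string: an SSH target such as user@host or user@host:port.
SSH_TARGET = re.compile(r"^[A-Za-z0-9._-]{1,32}@[A-Za-z0-9.-]{1,253}(?::\d{1,5})?$")
# Loose Base64 / Base64url token: at least 8 alphabet characters, optional '=' padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")


def decode_b64_token(token: str):
    """Decode a Base64 or Base64url token to printable ASCII, or return None."""
    if not B64_TOKEN.match(token):
        return None
    t = token.replace("-", "+").replace("_", "/")
    t += "=" * (-len(t) % 4)          # restore padding the sender may have stripped
    try:
        raw = base64.b64decode(t, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def candidate_tokens(url: str):
    """Yield the path segments and raw query values of a URL. Query values are taken
    raw (no '+'-to-space decoding) so standard Base64 in a value survives intact."""
    u = urlsplit(url)
    yield from (seg for seg in u.path.split("/") if seg)
    for pair in u.query.split("&"):
        if pair:
            yield pair.split("=", 1)[-1]


def find_ssh_beacons(log_text: str):
    """Return (client_ip, server_host, decoded_target) for every request whose URL
    carries a Base64-encoded SSH target.
    Assumed log format: '<client_ip> <method> <url> <status> <user_agent>'."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue
        client, _method, url, _status, _ua = parts
        for tok in candidate_tokens(url):
            text = decode_b64_token(tok)
            if text and SSH_TARGET.match(text):
                hits.append((client, urlsplit(url).hostname, text))
    return hits


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample proxy log: hosts, paths and targets are invented for the demo.
SAMPLE_LOG = "\n".join([
    f"10.0.0.5 GET http://beacon.example/log.php?d={_b64('root@192.168.1.10:22')} 200 Mozilla/5.0",
    "10.0.0.7 GET http://intranet.example/status 200 Mozilla/5.0",
    "10.0.0.5 GET http://cdn.example/static/lib.min.js 200 Mozilla/5.0",
    f"10.0.0.9 GET http://beacon.example/p/{_b64('admin@db01.corp.example:2222')} 200 Mozilla/5.0",
    "10.0.0.9 GET http://search.example/?q=aGVsbG8gd29ybGQ= 200 Mozilla/5.0",
])

if __name__ == "__main__":
    for client, host, target in find_ssh_beacons(SAMPLE_LOG):
        print(f"{client} leaked SSH target {target!r} to {host}")
```

Only the two requests whose Base64 payload decodes to a user@host string are reported; the Base64 search query that decodes to plain text is decoded but ignored, which keeps the rule quiet on ordinary traffic. In a real deployment you would also key on the User-Agent the malware uses, once you have captured one, and pivot on the reporting client IP to find the workstation running the trojanized client.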

Once the credentials reach the attacker it is, frankly, “game over”: the attacker can log in to the server directly (if it is reachable over the Internet).

To mitigate this, some antivirus products already detect the malicious version of PuTTY, so keep your AV signatures up to date; beyond that, always make sure you download software from the official project website.
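The “About” dialog and file-size checks above are manual; a practitioner who has already obtained one trusted copy from the official site can pin its size and SHA-256 and compare every other copy found on workstations against them. The script below is an added example written for this article, not code from the PuTTY project. It additionally parses the PE header to see whether the binary declares an Authenticode certificate table at all: this only proves the file is signed by someone, not by whom, and it assumes the legitimate build you pin against is Authenticode-signed, as current official PuTTY executables are; confirm that against the project's own documentation for the version you use. The PE images built by build_fake_pe are constructed test data, not real PuTTY binaries.

```python
import hashlib
import hmac
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data-directory slot that holds the Authenticode table


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_has_authenticode_table(data: bytes) -> bool:
    """True if the PE image declares a non-empty certificate table (an Authenticode
    signature is present). Presence only: validating the signer chain needs
    signtool / Get-AuthenticodeSignature on Windows or osslsigncode elsewhere."""
    try:
        if data[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        opt = e_lfanew + 4 + 20                      # skip PE signature and COFF file header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                           # PE32: data directories start at +96
            dirs = opt + 96
        elif magic == 0x20B:                         # PE32+: data directories start at +112
            dirs = opt + 112
        else:
            return False
        offset, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    except struct.error:                             # truncated or malformed header
        return False
    return offset != 0 and size != 0


def check_download(data: bytes, expected_sha256: str, expected_size: int) -> dict:
    """Compare a binary with the size and SHA-256 pinned from a trusted copy and
    report whether it carries any Authenticode signature."""
    return {
        "size_matches": len(data) == expected_size,
        "hash_matches": hmac.compare_digest(sha256_hex(data), expected_sha256.lower()),
        "has_authenticode": pe_has_authenticode_table(data),
    }


def build_fake_pe(signed: bool) -> bytes:
    """Constructed test data: a minimal, non-runnable PE32 header (DOS header, COFF
    header, optional header, 16 empty data directories). Not a real PuTTY build."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + b"\0" * 20
    opt = struct.pack("<H", 0x10B) + b"\0" * (96 - 2)
    dirs = bytearray(16 * 8)
    if signed:
        # pretend a 0x600-byte certificate table lives at file offset 0x1000
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x600)
    return dos + coff + opt + bytes(dirs)


if __name__ == "__main__":
    trusted = build_fake_pe(signed=True)
    pinned_hash, pinned_size = sha256_hex(trusted), len(trusted)
    suspect = build_fake_pe(signed=False) + b"\0" * 4096     # larger, unsigned, different hash
    print("trusted:", check_download(trusted, pinned_hash, pinned_size))
    print("suspect:", check_download(suspect, pinned_hash, pinned_size))
```

A real sweep would read putty.exe from each workstation (for example over an admin share) and feed the bytes to check_download; a copy that is larger than the pinned size, hashes differently and has no certificate table matches every symptom the article lists for the trojanized build and should be quarantined, with the beacon hunt above run against that host's proxy traffic.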

About the Author Elsio Pinto

Elsio Pinto (@high54security) is currently the Lead McAfee Security Engineer at Swiss Re; he also has expertise in malware research, forensics and ethical hacking. He previously worked at major institutions, among them the European Parliament. He is a security enthusiast who does his best to share his knowledge, and he runs his own blog at http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – PuTTY, malware)