{
	"id": "ee08508b-1930-41bd-a91e-59714c4f85e1",
	"created_at": "2026-04-06T00:09:38.139175Z",
	"updated_at": "2026-04-10T13:11:44.86404Z",
	"deleted_at": null,
	"sha1_hash": "2100d875ca73088d11d73375521a2927ef841c57",
	"title": "Like PuTTY in Admin’s Hands",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 913413,
	"plain_text": "Like PuTTY in Admin’s Hands\r\nBy Jeff Kieschnick\r\nPublished: 2025-08-23 · Archived: 2026-04-05 17:42:41 UTC\r\nCo-author: special thanks to Nikki Stanziale for their invaluable contributions to the research, insights, and development of this blog. While not listed as a primary author, their expertise and collaboration were instrumental in shaping the final content.\r\nExecutive Summary\r\nCybersecurity experts often say that humans are the weakest and most easily exploited attack vector. This is usually in reference to the average end-user, and neglects to mention that administrators and highly privileged users can also fall victim to threats.\r\nAs threat actors continue to evolve their methods for initial access and compromise, it is a reminder that we are all fallible regardless of organizational role or security expertise. This blog underlines the importance of following best security practices throughout all levels of the organization without exemption.\r\nRecently, the LevelBlue Managed Detection and Response (MDR) Security Operations Center (SOC) team handled several incidents in which privileged users were compromised through malvertising that masqueraded as the legitimate SSH tool PuTTY.\r\nInvestigation\r\nA SentinelOne alert for high-risk indicator detection was received by the LevelBlue SOC within USM Anywhere, LevelBlue’s Open XDR platform. Initial observations of alarm artifacts displayed a download of the file ‘PuTTY.exe’ on an endpoint. The SentinelOne threat information indicated the file was signed by ‘NEW VISION MARKETING LLC’, which raised the first red flag, as this does not align with expectations for legitimate PuTTY. Behavioral indicators detected by SentinelOne included potential Kerberoasting, suspicious PowerShell execution, and persistence established via scheduled task.\r\nhttps://levelblue.com/blogs/security-essentials/like-putty-in-admins-hands\r\nPage 1 of 13\r\nFigure 1: Screenshot of initial SentinelOne alarm received in USM displaying high-risk indicators\r\nWe began reviewing associated storyline activity within SentinelOne, which raised additional red flags:\r\n- Traffic from PuTTY.exe to two malicious IP addresses, as confirmed in VirusTotal.\r\n- Creation of two suspicious Dynamic Link Libraries (DLLs) in the user's %appdata% and %temp% directories.\r\n- Establishment of persistence via a scheduled task that executed one of the DLLs via \"rundll32.exe DllRegisterServer\".\r\n- Evidence of hands-on-keyboard (HOK) activity and Kerberoasting.\r\nExpanded Investigation\r\nWe contacted the customer and established that this activity was anomalous and likely malicious. We immediately took action to remediate by disconnecting the affected asset from the network via SentinelOne and advising the customer to disable the user account. We used SentinelOne’s Storyline feature to gain a more complete picture of what had occurred. Once downloaded, the fake PuTTY executable created a scheduled task named ‘Security Updater’ which was scheduled to run at three-minute intervals and executed the malicious DLL ‘twain_96.dll’ via rundll32.exe.\r\nFigure 2: Scheduled task creation 'Security Updater' and parameters\r\nThe second DLL, named ‘green.dll’, was dropped into the user’s %temp% folder by ‘twain_96.dll’. This DLL was recorded in a single connection event to port 443 of 144.217.206[.]26 and appeared to provide the threat actor with hands-on-keyboard access. This is consistent with VirusTotal results for the file hashes of ‘green.dll’ and ‘twain_96.dll’, which report these files as Broomstick/Oyster malware. Broomstick/Oyster is known to provide threat actors remote command execution via cmd.exe, establish persistence via scheduled tasks that use rundll32.exe, and utilize hardcoded C2 servers – all of which were observed in this incident. The process tree seen in figure 3 shows cmd.exe spawning from the execution of rundll32.exe with “green.dll” and executing multiple discovery and recon commands via cmd.exe. The following known ransomware operator discovery TTPs were observed:\r\n• nltest /trusted_domains\r\n• net group “domain admins” /domain\r\n• nltest /dclist:\r\nThe final action recorded in activity from the threat actor was the execution of an inline PowerShell script used for Kerberoasting.\r\nFigure 3: SentinelOne process tree from incident\r\nFigure 4: Green.dll connection event in S1\r\nFigure 5: Hands on Keyboard activity by threat actor\r\nKerberoasting Script Analysis:\r\nKerberoasting is a well-known technique for attacking Active Directory service accounts by abusing the Kerberos authentication protocol. In a Kerberoasting attack, a threat actor who has access to a valid domain user account requests Kerberos service tickets for accounts that have a SPN (Service Principal Name) defined. This is possible because Active Directory allows any domain user to request a Kerberos service ticket for accounts that have a defined SPN. The Kerberos service ticket received is encrypted with a key derived from the service account’s password.\r\nAn attacker can then extract the ticket for offline cracking and utilize a tool such as Hashcat to obtain the service account’s plaintext password. Active Directory environments that still allow weak RC4-HMAC encryption and are not enforcing AES encryption for Kerberos on SPNs are most vulnerable to Kerberoasting attacks. Kerberoasting is an attractive attack technique because service accounts are frequently granted privileged access in AD environments and often have weak passwords set. A successful Kerberoasting attack can allow a threat actor to escalate privilege to a valid account that can then be used for lateral movement in an environment.\r\nThere are many well-known tools that can facilitate a Kerberoasting attack, including Rubeus, Impacket’s GetUserSPNs.py, and PowerSploit’s Invoke-Kerberoast. The Kerberoasting script used in this incident, depicted in figure 6 below, contains components from PowerSploit’s Invoke-Kerberoast, but is streamlined and operates entirely in memory without making any writes to disk. Its usage highlights how threat actors can adapt known red-team tools and leverage LOLBINs (living-off-the-land binaries) for malicious activity.\r\nThe PowerShell commands in the observed Kerberoasting script follow this flow:\r\n1. Loading of the .NET assembly System.IdentityModel, which is required in order to access the .NET class System.IdentityModel.Tokens.KerberosRequestorSecurityToken used later in the script.\r\n2. Execution of an LDAP query using the .NET class DirectoryServices.DirectorySearcher to enumerate all Active Directory user objects that have a SPN defined.\r\n3. For each user with a SPN, a Kerberos service ticket (TGS) request is made using the .NET class System.IdentityModel.Tokens.KerberosRequestorSecurityToken. Calling this class for the ticket request results in a ticket that uses weak RC4-HMAC encryption unless AES encryption is enabled for Kerberos authentication for the SPN account.\r\n4. In-memory extraction of the raw bytes of the returned Kerberos tickets, followed by hex parsing via regex and formatting of the result into a $krb5tgs$ hash that is immediately compatible with the Hashcat cracking tool (Hash Mode 13100). This output is written directly to the console.\r\nFigure 6: The Kerberoasting script executed by the threat actor\r\nFigure 7: USMA events that show the RC4-HMAC encrypted Kerberos service tickets that resulted from the Kerberoasting script\r\nEvidence of this activity was also found within the LevelBlue USM Anywhere platform in Kerberos Service Ticket events (Event ID 4769) that logged RC4-HMAC encrypted tickets. The LevelBlue MDR SOC provided our customer with a list of the SPNs recorded in the ticket requests and recommended resetting credentials for each account.\r\nResponse\r\nWhile working with the customer to resolve this incident, additional members of the LevelBlue MDR SOC performed a threat hunt across our customer fleet for indicators of compromise (IOCs) observed with this trojanized PuTTY threat.\r\nOur team reached out to affected customers and helped them to remediate the threat prior to execution.\r\nThe LevelBlue SOC also used these indicators and observed TTPs to create new custom detection rules within SentinelOne to enhance incident detection and response times.\r\nAdditional Investigation into PuTTY Malvertising\r\nThe MDR SOC investigated further into the malvertising campaign distributing trojanized versions of the PuTTY terminal emulator. A similar campaign was active in May and June of 2024, and the recent activity appears to follow a similar playbook.\r\nThe LevelBlue team found malicious sponsored ads utilized by threat actors via Microsoft’s Bing Search to deliver the trojanized PuTTY. When performing searches for “putty download” or “putty plink download”, sponsored ads including those in figures 8 and 9 below were displayed in Bing Search:\r\nFigure 8: Malicious PuTTY Ad example\r\nFigure 9: Malicious PuTTY Ad example\r\nThese ads were masquerading as putty[.]org, a site that is not affiliated with the official PuTTY Project but does contain download links to the official PuTTY site www.chiark.greenend.org.uk. Clicking the ad link resulted in a page set up to imitate putty[.]org but actually using a typosquatted domain such as puttyy[.]org or puttysystems[.]com. The download links on these pages were used to deliver the trojanized PuTTY. In the case of puttysystems[.]com, the LevelBlue MDR SOC observed that the domain heartlandenergy[.]ai was being used to serve the malicious payload via the 'Download PuTTY' link. A subsequent site, “putty[.]network”, utilized a .js script “download-script.js” that was configured to check 3 different domains (ruben.findinit[.]com, ekeitoro.siteinwp[.]com, and danielaurel[.]tv) for payload availability. The MDR SOC found that the websites for these 3 domains were all built with WordPress. WordPress vulnerabilities are commonly exploited by threat actors for drive-by download and other malicious purposes, and thus it seems likely the threat actor compromised these sites for payload delivery purposes.\r\nFigure 10: Trojanized PuTTY download via puttyy[.]org\r\nFigure 11: Trojanized PuTTY download via puttysystems[.]com\r\nBased on its observations and research, the LevelBlue MDR SOC identified the following domains involved in the malvertising activity. All are newly registered domains except for those used by the threat actors to facilitate payload delivery.\r\n• puttyy[.]org\r\n• puttysystems[.]com\r\n• updaterputty[.]com\r\n• putty[.]bet\r\n• puttyy[.]com\r\n• putty[.]run\r\n• putty[.]lat\r\n• putty[.]us[.]com\r\n• heartlandenergy[.]ai\r\n• putty[.]network\r\n• ruben.findinit[.]com\r\n• ekeitoro.siteinwp[.]com\r\n• danielaurel[.]tv\r\nOur team also observed that the threat actors behind this campaign consistently deployed variant forms of the malicious putty.exe payload. Multiple distinct file hashes and code-signing certificates were seen across incidents and in external research. This technique likely enhanced the campaign’s effectiveness by circumventing hash-based blocklists and signature-based detection rules that relied on previously observed indicators. Additionally, a different scheduled task name was observed in sandbox detonation of some samples – a task named \"FireFox Agent INC\" was observed in samples found in research after the initial incident.\r\nThe LevelBlue MDR SOC reported the malicious ad to Microsoft Advertising and received a response stating that the ad had been removed from their advertising network. While the ad did appear to have been removed, within several days our team uncovered new trojanized PuTTY payloads exhibiting the same behavior. This recurrence suggests that the threat actors are likely abusing multiple advertising platforms. It also underscores the broader issue that major advertising networks seem to lack robust verification mechanisms capable of preventing persistent abuse.\r\nConclusion\r\nWe recommend ensuring that all users throughout your organization undergo routine training about safe practices and device utilization. IT and Security staff should remain up-to-date on emerging threats and ensure information is appropriately disseminated to highly-privileged users.\r\nAdditionally, it is important to ensure that both in-house staff and privileged vendor accounts are using authorized and vetted administrative tools. We recommend developing a trusted repository of such tools for use within your organization and ensuring they are regularly updated and validated.\r\nLastly, please review the list of IOCs compiled below and add these domains to your organizational blocklist.\r\nIOCs\r\nDomains:\r\n• puttyy[.]org\r\n• puttysystems[.]com\r\n• updaterputty[.]com\r\n• putty[.]bet\r\n• puttyy[.]com\r\n• putty[.]run\r\n• putty[.]lat\r\n• putty[.]us[.]com\r\n• heartlandenergy[.]ai\r\n• putty[.]network\r\n• ruben.findinit[.]com\r\n• ekeitoro.siteinwp[.]com\r\n• danielaurel[.]tv\r\nFile Hashes (SHA256):\r\n• 0b85ad058aa224d0b66ac7fdc4f3b71145aede462068cc9708ec2cee7c5717d4\r\n• e9f05410293f97f20d528f1a4deddc5e95049ff1b0ec9de4bf3fd7f5b8687569\r\n• d73bcb2b67aebb19ff26a840d3380797463133c2c8f61754020794d31a9197d1\r\n• dd995934bdab89ca6941633dea1ef6e6d9c3982af5b454ecb0a6c440032b30fb\r\n• 03012e22602837132c4611cac749de39fb1057a8dead227594d4d4f6fb961552\r\n• a653b4f7f76ee8e6bd9ffa816c0a14dca2d591a84ee570d4b6245079064b5794\r\n• e02d21a83c41c15270a854c005c4b5dfb94c2ddc03bb4266aa67fc0486e5dd35\r\n• 80c8a6ecd5619d137aa57ddf252ab5dc9044266fca87f3e90c5b7f3664c5142f\r\n• 1112b72f47b7d09835c276c412c83d89b072b2f0fb25a0c9e2fed7cf08b55a41\r\n• 3d22a974677164d6bd7166e521e96d07cd00c884b0aeacb5555505c6a62a1c26\r\n• e8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb\r\n• eef6d4b6bdf48a605cade0b517d5a51fc4f4570e505f3d8b9b66158902dcd4af\r\nFile Signers:\r\n• THE COMB REIVERS LIMITED\r\n• NEW VISION MARKETING LLC\r\n• PROFTORG LLC\r\n• LLC Fortuna\r\n• LLC BRAVERY\r\n• LLC Infomed22\r\nIPs:\r\n• 45.86.230[.]77\r\n• 185.208.159[.]119\r\n• 144.217.207[.]26\r\n• 85.239.52[.]99\r\n• 194.213.18[.]89\r\nURLs:\r\n• hxxp[:]/185.208.158[.]119/api/jgfnsfnuefcnegfnehjbfncejfh\r\n• hxxp[:]/185.208.158[.]119/api/kcehc\r\n• hxxp[:]/45.86.230[.]77:443/reg\r\n• hxxp[:]/45.86.230[.]77:443/login\r\n• hxxp[:]/85.239.52[.]99/api/jgfnsfnuefcnegfnehjbfncejfh\r\n• hxxp[:]/85.239.52[.]99/api/kcehc\r\n• hxxp[:]/194.213.18[.]89:443/reg\r\n• hxxp[:]/194.213.18[.]89:443/login\r\nScheduled Task Creations:\r\n• Security Updater\r\n• FireFox Agent INC\r\nSource: https://levelblue.com/blogs/security-essentials/like-putty-in-admins-hands",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://levelblue.com/blogs/security-essentials/like-putty-in-admins-hands"
	],
	"report_names": [
		"like-putty-in-admins-hands"
	],
	"threat_actors": [],
	"ts_created_at": 1775434178,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2100d875ca73088d11d73375521a2927ef841c57.pdf",
		"text": "https://archive.orkl.eu/2100d875ca73088d11d73375521a2927ef841c57.txt",
		"img": "https://archive.orkl.eu/2100d875ca73088d11d73375521a2927ef841c57.jpg"
	}
}