Weaponized PuTTY: Leveraging Malicious Bing Ads to Exploit Kerberos and Target Active Directory Services
A malvertising campaign exploited sponsored results on Microsoft’s search platform to deliver a weaponized version of PuTTY, which established persistence, enabled hands-on-keyboard control, and executed Kerberoasting against Active Directory service accounts. An investigation published by LevelBlue’s MDR SOC, corroborated by independent research tracking Oyster/Broomstick backdoor activity, found that trojanized admin tools were being distributed through search ads and SEO poisoning. The search results prominently featured a sponsored link for downloading PuTTY, which was the lure used in the campaign. LevelBlue’s SOC received a high-risk alert from SentinelOne in USM Anywhere flagging a suspicious PuTTY.exe download signed by “NEW VISION MARKETING LLC,” an unexpected signer for legitimate PuTTY and the first red flag on the endpoint.
The analysis uncovered outbound traffic from PuTTY.exe to malicious infrastructure, alongside suspicious DLL creation in %appdata% and %temp%. Scheduled-task persistence was established via rundll32 DllRegisterServer, culminating in hands-on-keyboard activity and Kerberoasting. The asset was then isolated, the account was disabled, and the execution chains were reconstructed. This showed that the fake installer had created a scheduled task named “Security Updater” that ran every three minutes and loaded a malicious DLL (twain_96.dll). That DLL in turn dropped “green.dll,” which gave the operator interactive access and supported reconnaissance. In short, the weaponized PuTTY gained persistence through a scheduled task that invoked rundll32 with DllRegisterServer at three-minute intervals, and the resulting operator access led to Kerberoasting, which abuses Kerberos service-ticket requests to target Active Directory service accounts.
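As an added defender-side example (not code from the LevelBlue report), the following Python check scores scheduled-task creation records against the persistence chain described above (rundll32 DllRegisterServer loading a DLL from %appdata% or %temp% on a short repeat interval) and flags PuTTY binaries with an unexpected code signer. The task records are constructed to mirror the page, and the allowlisted signer name is an assumption.

```python
import re

# Constructed sample records standing in for scheduled-task creation telemetry
# (e.g. parsed Event ID 4698 fields). The first mirrors the page's "Security
# Updater" task; the others are benign decoys with similar shapes.
SAMPLE_TASKS = [
    {"name": "Security Updater", "interval_min": 3,
     "cmd": r'rundll32.exe "C:\Users\bob\AppData\Roaming\twain_96.dll",DllRegisterServer'},
    {"name": "OneDrive Standalone Update", "interval_min": 1440,
     "cmd": r'"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"'},
    {"name": "Adobe Acrobat Update", "interval_min": 60,
     "cmd": r'rundll32.exe "C:\Program Files (x86)\Adobe\ARM\arm.dll",DllRegisterServer'},
]

# Assumed allowlist: official PuTTY builds are signed by the project author.
EXPECTED_PUTTY_SIGNERS = {"Simon Tatham"}

# %appdata% expands to AppData\Roaming and %temp% to AppData\Local\Temp
# (assumed: paths in the telemetry are already expanded).
USER_WRITABLE = re.compile(r"\\(AppData\\Roaming|AppData\\Local\\Temp)\\", re.I)
RUNDLL_REG = re.compile(
    r'rundll32(\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*DllRegisterServer', re.I)


def task_findings(task):
    """Return the reasons this task resembles the page's persistence mechanism."""
    reasons = []
    m = RUNDLL_REG.search(task["cmd"])
    if m:
        reasons.append("rundll32 DllRegisterServer")
        if USER_WRITABLE.search(m.group(2)):
            reasons.append("DLL in %appdata%/%temp%")
    if task["interval_min"] <= 5:
        reasons.append(f"repeats every {task['interval_min']} min")
    return reasons


def suspicious_tasks(tasks):
    """Map task name -> reasons for every task with at least two indicators."""
    hits = {}
    for t in tasks:
        reasons = task_findings(t)
        if len(reasons) >= 2:
            hits[t["name"]] = reasons
    return hits


def signer_finding(filename, signer):
    """Flag a PuTTY binary whose Authenticode signer is not on the allowlist."""
    if filename.lower().startswith("putty") and signer not in EXPECTED_PUTTY_SIGNERS:
        return f"{filename} signed by unexpected signer '{signer}'"
    return None
```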
Categories: Malvertising Campaign, Cybersecurity Threats, Active Directory Exploitation
Tags: Malvertising, PuTTY, Kerberoasting, Active Directory, Backdoor, DLL, Scheduled Task, Ransomware, PowerShell, Credential Cracking