Attention Linux admins: Fake PuTTY client installing Rhadamanthys stealer detected!

Home/Internet Security, Linux Malware, malicious cyber actors, Malware, Mobile Security, Security Advisory, Security Update/Attention Linux admins: Fake PuTTY client installing Rhadamanthys stealer detected!

Attention Linux admins: Fake PuTTY client installing Rhadamanthys stealer detected!

A malvertising campaign distributing a fake PuTTY client has been discovered, aiming to deploy the dangerous Rhadamanthys stealer malware.

Fake PuTTY client installing Rhadamanthys stealer

This campaign cleverly exploits the trust in the widely used SSH and Telnet client, PuTTY, by presenting a counterfeit website through malicious ads at the top of Google search results.

It highlights the mechanics of the attack, including malware loaders and the subsequent deployment of the Rhadamanthys stealer, emphasizing the need for heightened vigilance among Linux administrators.

Malware loaders, also known as droppers or downloaders, play a crucial role in the cybercriminal ecosystem.

Their primary function is to infiltrate a machine and deploy additional payloads while evading detection.

A sophisticated loader delivers malware and ensures the victim is legitimate, maximizing the attack’s impact.

The loader discussed in this campaign is particularly noteworthy for its use of the Go programming language and an innovative technique to deploy the Rhadamanthys stealer.

According to Malwarebytes, the latest version of the Go loader is being used to distribute the Rhadamanthys stealer malware.

This new variant is actively distributed and poses a significant threat to organizations and individuals.

The Malvertising Campaign

The campaign starts with a deceptive ad posing as PuTTY’s official homepage.

malicious ads

Placed strategically above the official site in Google search results, this ad directs unsuspecting users to a domain controlled by the attackers, arnaudpairoto[.]com. Its unrelated nature to PuTTY serves as a red flag, emphasizing the need to carefully examine domain names in ads.

Crawler, sandbox, or scanner, will see this half-finished blog

Victims from the US are redirected to a counterfeit site that mirrors, with the critical difference being the download link.

This link initiates a two-step redirection process, ultimately leading to downloading a malicious PuTTY executable from the astrosphere[.]world domain.

This server performs checks for proxies and logs the victim’s IP address, setting the stage for the delivery of the Rhadamanthys stealer.

Cybertron Technologies recently tweeted about a malvertising campaign that leverages the Go Loader to deploy the Rhadamanthys Stealer.

Rhadamanthys Stealer

Upon execution, the fake PuTTY client, dubbed “Dropper 1.3” by its author, verifies the victim’s IP address to ensure the malware was downloaded through the deceptive ad.

Successful verification triggers the retrieval of the Rhadamanthys stealer from another server, utilizing the SSHv2 protocol for a covert download. Once executed, the Rhadamanthys stealer poses a significant threat by stealing sensitive information from the compromised system.

This highlights the critical nature of the loader-malvertising combo, in which the threat actor meticulously manages the entire deployment process, from ad to loader to final payload.

The discovery of this malvertising campaign serves as a stark reminder of the constant vigilance required in the digital age, especially for system administrators who must remain wary of seemingly legitimate tools and websites as cybercriminals continue to find innovative ways to breach defenses.


Decoy ad domain


Fake site




IP check




‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!