DNS Early Detection – Malicious Trojan Installers for WINSCP and PUTTY – Breaking the Kill Chain
ID: 97119ddf-6b8b-5dcb-914e-f041a98f6445
STIX ID: report--97119ddf-6b8b-5dcb-914e-f041a98f6445
Feed Name: Infoblox Threat Intel Blog
Infoblox analyzes a Rapid7-reported malvertising campaign that lures IT personnel to typo-squatted sites hosting trojanized WinSCP and PuTTY installers. The installers side-load a malicious DLL that executes a Sliver beacon, establishes persistence (services, scheduled tasks), disables defenses via a vulnerable driver, supports lateral movement and exfiltration, and has been used in attempted ransomware deployments. Infoblox highlights that the malicious domains can be detected and blocked early at the DNS layer.
