New Go loader pushes Rhadamanthys stealer | Malwarebytes

A malvertising campaign impersonated the PuTTY website to push a Go-written dropper (named “Dropper 1.3”) that performs IP checks and retrieves a secondary payload via SSHv2, which executes the Rhadamanthys stealer. The infrastructure includes decoy and fake domains and an Ubuntu/OpenSSH server hosting the Rhadamanthys payload.

Keypoints

  • Threat actor used a malicious Google ad impersonating the PuTTY homepage to direct targets to attacker-controlled domains.
  • Victims are redirected through a two-step chain (puttyconnect[.]info → astrosphere[.]world) delivering a Go-based dropper named “Dropper 1.3” (PuTTy.exe).
  • The dropper performs a public IP check against zodiacrealm[.]info (api.php?action=check_ip&ip=…) to verify real victims before continuing.
  • When the IP check matches, the dropper retrieves a follow-up payload (Rhadamanthys) from 192.121.16[.]228 over SSHv2 (OpenSSH on Ubuntu) to make the transfer more covert.
  • Rhadamanthys is executed by the parent PuTTy.exe process and is designed to steal web session cookies and other sensitive data.
  • Malwarebytes detects the fake installer as Trojan.Script.GO; the campaign infrastructure logs IPs and likely performs proxy checks to avoid sandboxes.

MITRE Techniques

  • [T1189] Drive-by Compromise – Ad-based redirect to a malicious site to deliver a dropper (‘the threat actor bought an ad that claims to be the PuTTY homepage and appeared at the top of the Google search results page’)
  • [T1566.002] Spearphishing Link – Use of a deceptive ad mimicking a legitimate site to trick users into downloading a malicious installer (‘the ad looks suspicious … the ad URL points to the attacker controlled domain’)
  • [T1204] User Execution – Victim manually executes the downloaded fake PuTTY installer which acts as a dropper (‘That PuTTy.exe is malware, a dropper written in the Go language’)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Dropper uses scripting capabilities to retrieve/execute secondary payloads (‘the dropper proceeds to retrieve a follow-up payload’)
  • [T1027] Obfuscated Files or Information – The dropper is written in Go and uses techniques to avoid detection (‘The program is written in the Go language and uses an interesting technique to deploy its follow-up payload’)
  • [T1036] Masquerading – Malware presents itself as the legitimate PuTTY installer to avoid suspicion (‘the fake site … looks and feels exactly like putty.org’)
  • [T1539] Steal Web Session Cookie – The Rhadamanthys stealer is designed to harvest web session cookies (‘the Rhadamanthys stealer … steal web session cookies and other sensitive information’)
  • [T1018] Remote System Discovery – Malware may probe remote systems to identify additional targets within a network (‘the malware may perform remote system discovery to identify other potential targets within the network’)
  • [T1071] Application Layer Protocol – Use of SSHv2 (OpenSSH) to transfer the secondary payload covertly (‘it uses the SSHv2 protocol implemented via OpenSSH on a Ubuntu server’)
  • [T1041] Exfiltration Over C2 Channel – Stolen data is sent back to attacker-controlled servers over a C2 channel (‘the stolen data … is exfiltrated over a command and control (C2) channel to the attacker’s server’)
  • [T1485] Data Destruction – Malware may include routines capable of destroying data on victim machines (‘in some cases, the malware may also be capable of destroying data on the victim’s machine’)

Indicators of Compromise

  • [Domain] decoy/ad and fake sites – arnaudpairoto[.]com (decoy ad domain), puttyconnect[.]info (fake PuTTY site)
  • [Domain] infrastructure and IP-check – astrosphere[.]world (malicious file host), zodiacrealm[.]info (IP check endpoint)
  • [IP:Port] SSH payload host – 192.121.16[.]228:22 (Rhadamanthys host via SSH)
  • [File name] malicious installer/dropper – PuTTy.exe (delivered via Content-Disposition attachment)
  • [File hashes] samples mentioned – 0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d (astrosphere[.]world sample), bea1d58d168b267c27b1028b47bd6ad19e249630abb7c03cfffede8568749203 (Rhadamanthys sample)

A malvertising campaign purchased search ads mimicking the PuTTY homepage and redirected targeted users through a two-step URL chain (puttyconnect[.]info → astrosphere[.]world) that served a Go-compiled dropper labeled “Dropper 1.3” (delivered as PuTTy.exe). The astrosphere[.]world host returns the executable as an attachment and records/logs the visitor IP and proxy status; the dropper then performs an IP verification call to zodiacrealm[.]info (api.php?action=check_ip&ip=[IP]) to confirm the victim arrived via the malicious ad before proceeding.

When the IP check matches, the dropper retrieves the secondary payload over SSHv2 from 192.121.16[.]228:22 using OpenSSH on an Ubuntu server—likely chosen to make the transfer appear as legitimate SSH traffic. The dropper executes the retrieved payload (Rhadamanthys) as a child of PuTTy.exe; Rhadamanthys contains data-stealing functionality (notably web session cookie theft) and may perform further discovery and exfiltration back to attacker servers.

Technical artifacts to watch for include the decoy and fake domains (arnaudpairoto[.]com, puttyconnect[.]info), the astrosphere[.]world host and its associated sample hash (0caa77…), the IP-check domain zodiacrealm[.]info, and the SSH payload host 192.121.16[.]228:22 with its Rhadamanthys sample hash (bea1d5…). Detection engines flag the fake installer as Trojan.Script.GO; defenders should block the listed domains/IPs, monitor for unusual SSH downloads and parent/child process relationships where PuTTy.exe spawns unknown binaries, and inspect outbound SSH connections for anomalous activity.
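The artifact hunt described above, as an added example that is not part of the Malwarebytes post: a small scanner that walks constructed, Sysmon-like endpoint events and flags the campaign's domains and SSH host, the zodiacrealm[.]info check_ip call, and a PuTTy.exe parent spawning an unexpected child. The event schema, the sample events and the allowlist of expected PuTTY children are assumptions for illustration.

```python
# Added example (not from the Malwarebytes post): scanning constructed endpoint
# telemetry for the artifacts the write-up describes.
IOC_DOMAINS = {"arnaudpairoto.com", "puttyconnect.info",
               "astrosphere.world", "zodiacrealm.info"}
IOC_IPS = {"192.121.16.228"}
# Children a genuine PuTTY session is expected to spawn (assumed allowlist).
EXPECTED_PUTTY_CHILDREN = {"conhost.exe"}

# Constructed sample telemetry in a simplified, Sysmon-like schema (not real logs).
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws01", "query": "puttyconnect.info"},
    {"type": "http", "host": "ws01",
     "url": "http://zodiacrealm.info/api.php?action=check_ip&ip=203.0.113.7"},
    {"type": "net", "host": "ws01", "image": r"C:\Users\u\Downloads\PuTTy.exe",
     "dst_ip": "192.121.16.228", "dst_port": 22},
    {"type": "proc", "host": "ws01", "parent": r"C:\Users\u\Downloads\PuTTy.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\svc.exe"},
    {"type": "proc", "host": "ws02", "parent": r"C:\Program Files\PuTTY\putty.exe",
     "image": r"C:\Windows\System32\conhost.exe"},
    {"type": "net", "host": "ws02", "image": r"C:\Program Files\PuTTY\putty.exe",
     "dst_ip": "198.51.100.10", "dst_port": 22},
]

def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def scan_events(events):
    """Return (host, rule, detail) tuples for events matching the campaign artifacts."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "dns" and ev["query"].lower() in IOC_DOMAINS:
            findings.append((ev["host"], "ioc_domain", ev["query"]))
        elif kind == "http":
            url = ev["url"].lower()
            domain = url.split("//", 1)[-1].split("/", 1)[0]
            # The dropper's victim-validation call: api.php?action=check_ip&ip=...
            if domain in IOC_DOMAINS or "action=check_ip" in url:
                findings.append((ev["host"], "ip_check_beacon", ev["url"]))
        elif kind == "net" and ev["dst_ip"] in IOC_IPS:
            findings.append((ev["host"], "ioc_ssh_host",
                             f"{ev['dst_ip']}:{ev['dst_port']}"))
        elif kind == "proc" and _basename(ev["parent"]) == "putty.exe":
            # Genuine PuTTY rarely spawns binaries; the dropper runs Rhadamanthys as a child.
            if _basename(ev["image"]) not in EXPECTED_PUTTY_CHILDREN:
                findings.append((ev["host"], "putty_spawns_unknown", ev["image"]))
    return findings
```

Running `scan_events(SAMPLE_EVENTS)` yields four findings, all on ws01; the legitimate PuTTY session on ws02 (conhost child, SSH to a non-IoC host) produces none.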

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader-pushes-rhadamanthys