Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat actor attempted data exfiltration and ransomware deployment after gaining elevated access. The analysis provides indicators, MITRE ATT&CK mappings, and detection guidance.

Click for details.