AIRDRY backdoor distributed by a malicious app called PuTTY

September 23, 2022

A recently observed spear-phishing campaign that deploys the AIRDRY backdoor has been attributed to an alleged North Korean threat actor. Cybersecurity research revealed that the primary vector for this backdoor is trojanised versions of the PuTTY SSH and Telnet client.

In addition to this vector, the backdoor is disseminated through numerous fake job offers fabricated by the alleged threat actors.

Based on reports, the newly discovered threat campaign is linked with an up-and-coming malicious group dubbed UNC4034, which is an alleged North Korean-sponsored entity. This threat group is notorious for spreading fake job baits to distribute the AIRDRY malware.


The AIRDRY backdoor has been terrorising numerous individuals from different countries worldwide.


Recently, the AIRDRY backdoor has been frequently used by North Korean-sponsored threat groups in multiple attacks against the United States, Latvia, and a rival nation, South Korea.

The North Korean hackers were also clever with their attacks, dropping the backdoor through the CUTELOOP downloader. This downloader was attached to the malicious documents that the threat actors disseminated among its targets.

UNC4034 starts its attacks with initial contact over email, followed by a file sent on WhatsApp. The malicious file is an ISO archive presented as an Amazon assessment, supposedly part of a potential job application.

In addition, the archive contains a text file that includes login credentials and an IP address. It also comes with a modified version of PuTTY that loads a dropper, which in turn launches a new and improved variant of the AIRDRY malware.

Experts claimed that the North Korean threat group deceived its targets into running a PuTTY session using the credentials given in the TXT file to link to the remote host that will launch the infection process.

Researchers now suspect that Microsoft’s decision to block VBA macros and Excel 4.0 macros by default was a major factor in the threat actors’ shift to abusing ISO files. If so, the use of similar ISO files for initial access may surge significantly in the near future.

Organisations should ensure they are equipped with behaviour-based detection solutions, in addition to standard protective controls, to increase their protection against attacks of this kind.
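The infection chain described above (PuTTY run from a delivered ISO, the modified binary loading a dropper) lends itself to behaviour-based triage rather than hash matching. The following is an added example, not code from the article or from any vendor product: it applies a few assumed heuristics to constructed Sysmon-style process-creation and file-creation events and groups the hits per PuTTY binary. The event shape, the trusted install paths, the `signed` field (assumed to be supplied by an EDR) and the severity threshold are all assumptions for illustration.

```python
"""Behaviour-based triage rules for trojanised PuTTY activity (added example).

Constructed example: event shape, trusted paths, rule names and the
severity threshold are assumptions for illustration, not taken from the
article or from any real EDR product.
"""
from pathlib import PureWindowsPath

# Assumed legitimate install locations; anything else is treated as untrusted.
TRUSTED_PUTTY_DIRS = (
    r"C:\Program Files\PuTTY",
    r"C:\Program Files (x86)\PuTTY",
)
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}

# Constructed sample telemetry (not real events). Index 1-3 model the
# article's chain: PuTTY launched from a mounted ISO (drive E:), unsigned,
# writing and then spawning a dropper in the user's temp directory.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Program Files\PuTTY\putty.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": True},
    {"event": "process_create", "image": r"E:\putty.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": False},
    {"event": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "parent_image": r"E:\putty.exe", "signed": False},
    {"event": "file_create", "image": r"E:\putty.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
]


def _is_putty(image: str) -> bool:
    """True when the image's file name is putty.exe (case-insensitive)."""
    return PureWindowsPath(image).name.lower() == "putty.exe"


def _under_trusted_dir(image: str) -> bool:
    """True when the image sits below one of the assumed trusted install dirs."""
    path = PureWindowsPath(image)
    return any(PureWindowsPath(d) in path.parents for d in TRUSTED_PUTTY_DIRS)


def triage(events):
    """Return (event_index, rule_name) pairs for every heuristic that fires."""
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] == "process_create":
            if _is_putty(ev["image"]):
                if not _under_trusted_dir(ev["image"]):
                    findings.append((i, "putty_untrusted_path"))
                if not ev.get("signed", False):
                    findings.append((i, "putty_unsigned"))
            # A terminal client normally has no reason to spawn child processes;
            # the modified PuTTY in the article loads a dropper.
            if _is_putty(ev["parent_image"]):
                findings.append((i, "putty_spawned_child"))
        elif ev["event"] == "file_create":
            suffix = PureWindowsPath(ev["target"]).suffix.lower()
            if _is_putty(ev["image"]) and suffix in EXECUTABLE_SUFFIXES:
                findings.append((i, "putty_wrote_executable"))
    return findings


def score_by_image(events):
    """Group findings per PuTTY binary and assign an assumed severity."""
    per_image = {}
    for idx, rule in triage(events):
        ev = events[idx]
        # A child-spawn finding belongs to the parent PuTTY binary.
        key = ev["parent_image"] if rule == "putty_spawned_child" else ev["image"]
        per_image.setdefault(key, set()).add(rule)
    return {
        image: {"rules": sorted(rules),
                "severity": "high" if len(rules) >= 2 else "low"}
        for image, rules in per_image.items()
    }


if __name__ == "__main__":
    for image, result in score_by_image(SAMPLE_EVENTS).items():
        print(f"{image}: {result['severity']} ({', '.join(result['rules'])})")
```

The legitimately installed, signed PuTTY in the first event produces no finding, while the binary run from the mounted ISO accumulates four distinct rules and is scored high. In a real deployment the `signed` field and the event stream would come from the endpoint agent, and the trusted-path list would be tuned to the organisation's own software inventory.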
