OpenSSH
OpenSSH is a legitimate SSH implementation that the reporting collected here repeatedly describes as modified, trojanized, or repurposed by threat actors for backdoor access and lateral movement. On compromised Linux hosts, Glacial Panda was reported to deploy trojanized OpenSSH tools that log user authentication events and track remote connections to other hosts, a technique CrowdStrike calls ShieldSlide, which supports both credential monitoring and lateral movement. Microsoft and other reporting also state that FIN7 used OpenSSH together with Impacket for lateral movement and to deploy Clop ransomware.
The reporting also describes Windows-focused malicious variants built from OpenSSH. A sample named spl32.exe is identified as a modified, custom-compiled version of OpenSSH sshd.exe. It listens on TCP port 50501, contains a fixed configuration and three hard-coded cryptographic key pairs, and is built as a self-contained executable with OpenSSL statically included. When it accepts an inbound SFTP connection, it launches WinSAT.exe, described as an unmodified but custom-compiled OpenSSH sftp-server.exe. Detection guidance in the reporting highlights hunting for modified OpenSSH binaries with non-standard PE metadata, for PE files containing strings such as "Microsoft openSSH client" while excluding the legitimate "OpenSSH for Windows" product string, and for binaries embedding OpenSSH private key material such as "-----BEGIN OPENSSH PRIVATE KEY-----". The reporting associates such modified OpenSSH tooling with TRITON-related tradecraft and with FIN7 and Glacial Panda activity, depending on the intrusion set and platform.
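The string-based hunt described above can be scripted directly. The following is an added example written for this page, not code from any of the cited sources or from the Mallory product: it walks a directory, keeps only files with a valid MZ/PE header, and reports PE images that contain the "Microsoft openSSH client" string without the legitimate "OpenSSH for Windows" string, or that embed an OpenSSH private key header. Because PE version resources store strings as UTF-16LE, each indicator is searched in both ASCII and UTF-16LE form (an assumption about where the strings live, not something the reporting states). The "non-standard PE metadata" check from the guidance is not implemented here, since the reporting gives no concrete metadata values to test; the make_fake_pe helper builds a constructed test image and is not a real binary.

```python
"""Added hunt example: flag PE files carrying the string indicators named in the report."""
import os
import struct
from dataclasses import dataclass, field
from typing import List

# Indicators quoted in the reporting above. PE version resources store strings as UTF-16LE,
# so each indicator is searched in both ASCII and UTF-16LE form (assumption, see lead-in).
CLIENT_STRING = "Microsoft openSSH client"                  # string seen in modified builds
LEGIT_STRING = "OpenSSH for Windows"                        # Microsoft's own product string, excluded
PRIVATE_KEY_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"  # embedded private key material


def encodings(s: str) -> List[bytes]:
    """Both byte forms a string can take inside a PE image."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def contains(data: bytes, s: str) -> bool:
    return any(form in data for form in encodings(s))


def is_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS stub and e_lfanew (offset 0x3C) pointing at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_bytes(data: bytes) -> List[str]:
    """Return the indicator names that match in a PE image; an empty list means no match.
    Non-PE data is ignored, because the hunt is scoped to PE files."""
    if not is_pe(data):
        return []
    reasons = []
    # Odd client string without Microsoft's own product string: likely a modified build.
    if contains(data, CLIENT_STRING) and not contains(data, LEGIT_STRING):
        reasons.append("modified-openssh-client-string")
    if contains(data, PRIVATE_KEY_HEADER):
        reasons.append("embedded-openssh-private-key")
    return reasons


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree and return one Finding per PE file that matched an indicator."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the hunt
            reasons = check_bytes(data)
            if reasons:
                findings.append(Finding(path, reasons))
    return findings


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed test image (not a real binary): valid MZ/PE headers followed by payload bytes."""
    header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
    return header + payload


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f.path, ",".join(f.reasons))
```

Run it against a directory of collected binaries and triage each hit by hand: the client-string match is a weak signal on its own (any custom build could carry it), while an embedded private key header in an sshd-like binary is much closer to the hard-coded key material described for spl32.exe.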
Groups observed using it
3 distinct threat actors attributed by public researchers.
"Glacial Panda deploys trojanized OpenSSH tools on compromised Linux hosts to log user authentication events and support lateral movement by tracking remote connections to other hosts in a technique CrowdStrike calls ShieldSlide."
...observed the group using OpenSSH and Impacket to move laterally and deploy Clop ransomware.
Looking for modified OpenSSH binaries with non-standard PE metadata, seen used heavily by TRITON actor
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
"obtained and leveraged publicly-available tools for intrusion activities."
"APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting." / "FIN7 has staged legitimate software, that was trojanized...on Amazon S3." / "TeamTNT has uploaded backdoored Docker images to Docker Hub."
Initial Access
2 techniques
The Trellix article titled A Flyby on the CFO's Inbox details a sophisticated spear-phishing campaign targeting CFOs and finance executives... Attackers impersonated a Rothschild & Co recruiter, sending emails that led recipients through a deceptive CAPTCHA to download a ZIP file containing a malicious VBS script.
Execution
3 techniques
...and establishes an SSH backdoor via AdaptixC2 or OpenSSH.
The malicious actor had already gained these administrative privileges to execute the involved VBS script, enabling them to proceed with the installation and NetBird service startup.
Attackers impersonated a Rothschild & Co recruiter, sending emails that led recipients through a deceptive CAPTCHA to download a ZIP file containing a malicious VBS script.
Persistence
2 techniques
This script installed NetBird and OpenSSH, created a hidden admin account, and enabled Remote Desktop Protocol (RDP), granting attackers persistent access to the victim's system.
Privilege Escalation
1 technique
"...allowed an attacker remote access to the root account"
Stealth
1 technique
These tasks launched two disguised executables: operagx.exe, which was actually an OpenSSH daemon, and dropbox.exe, which was a Tor server. A third file, safari.exe, acted as an obfs4 traffic obfuscation plugin.
Credential Access
1 technique
Credential theft is a primary objective. The group uses various techniques to perform this core function, including dumping the Local Security Authority Subsystem Service (LSASS) memory and exfiltrating the NTDS.dit Active Directory database, and capturing credentials stored in browsers and SSH clients like PuTTY and OpenSSH.
Lateral Movement
5 techniques
"...execute commands and transfer files via RDP, SMB, SFTP, and SSH..."
Critical local ports, including SMB port 445 and RDP port 3389, were mapped to a dark web Onion address... allowing the attacker to connect from anywhere in the world through the Tor network
Seashell Blizzard deployed OpenSSH with a unique public key, allowing them to access compromised systems using an actor-controlled account and credential...
"In June 2002... disclosed a bug in the OpenSSH code implementing challenge-response authentication... allowed an attacker remote access to the root account." / "First official remote security hole - OpenSSH integer overflow"
Command and Control
9 techniques
These tasks launched two disguised executables: operagx.exe, which was actually an OpenSSH daemon... The SSH daemon was configured to listen only on local loopback port 20321.
Using the previously mentioned reverse SSH tunnel to proxy connections through the beachhead host, the threat actors created a connection to the domain controller.
PhantomCore uses external proxy servers to tunnel traffic from infected hosts, leveraging the open-source tools OpenSSH and RSocx, as well as its custom utility PhantomProxyLite
the group used SSH and Tor nested tunneling to build a double-encrypted anonymous channel between the attacker and the compromised host.
HAProxy decides, based on the first bytes transmitted, which daemon the connection should be forwarded to... In the frontend, an ACL is defined that matches SSH-1.0* and SSH-2.0* with a regular expression and, in that case, uses the backend sshd as the target.
Once the victim clicked the LNK file, the full attack toolkit deployed silently in the background while the real decoy PDF opened to keep the user distracted from the installation.
"deployment of OpenSSH and NetBird, a legitimate remote access tool for persistent access"
PhantomCore uses nonstandard network ports on C2 servers: ports 80 and 443: OpenSSH service; port 81: fake sites; ports 8000 and 8080: utility downloads.
The OpenSSH client first invokes proxytunnel, then pushes its SSH TCP connection through the STDIN/STDOUT of the proxytunnel process, inside the TLS tunnel, to the HAProxy server.
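The HAProxy ACL quoted above routes a connection to sshd by testing whether its first bytes start with SSH-1.0 or SSH-2.0, the SSH identification string. A defender can apply the same first-bytes test in the opposite direction: over captured flow records, flag any connection whose server payload begins with an SSH banner on a port where SSH is not expected, such as the 80 and 443 listed for PhantomCore's C2 servers. The code below is an added example for this page, not from any of the cited sources or from Mallory; the flow record format (src, dst, dport, first_bytes), the sample_flows data and its documentation-range addresses are constructed for the example. The regex also accepts SSH-1.99, which servers send to announce v1/v2 compatibility under RFC 4253, going slightly beyond the two patterns in the quoted ACL.

```python
"""Added detection example: classify captured flows by the SSH identification banner,
the same first-bytes test the quoted HAProxy ACL uses to route connections to sshd."""
import re
from typing import Dict, Iterable, List, Set

# RFC 4253 identification string: "SSH-protoversion-softwareversion". The quoted ACL matches
# SSH-1.0* and SSH-2.0*; SSH-1.99 is added because servers use it to announce v1/v2 compatibility.
SSH_BANNER = re.compile(rb"^SSH-(?:1\.0|1\.99|2\.0)-")

# Constructed record shape (assumption): src, dst, dport, and the server's first payload bytes.
Flow = Dict[str, object]

DEFAULT_SSH_PORTS: Set[int] = frozenset({22})


def has_ssh_banner(first_bytes: bytes) -> bool:
    """True when the payload opens with an SSH identification string."""
    return SSH_BANNER.match(first_bytes) is not None


def classify_flow(flow: Flow, expected_ports: Set[int] = DEFAULT_SSH_PORTS) -> str:
    """Label a flow as SSH on an expected port, SSH on an unexpected port, or not SSH at all."""
    if not has_ssh_banner(flow["first_bytes"]):
        return "no-ssh-banner"
    return "ssh-on-standard-port" if flow["dport"] in expected_ports else "ssh-on-nonstandard-port"


def find_suspicious(flows: Iterable[Flow], expected_ports: Set[int] = DEFAULT_SSH_PORTS) -> List[Flow]:
    """Return only the flows that carry an SSH banner on a port outside expected_ports."""
    return [f for f in flows if classify_flow(f, expected_ports) == "ssh-on-nonstandard-port"]


def sample_flows() -> List[Flow]:
    """Constructed sample: server-side first payload bytes, with RFC 5737 documentation addresses."""
    return [
        {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 22,  "first_bytes": b"SSH-2.0-OpenSSH_9.6\r\n"},
        {"src": "192.0.2.10", "dst": "203.0.113.7",  "dport": 443, "first_bytes": b"SSH-2.0-OpenSSH_8.9\r\n"},
        {"src": "192.0.2.11", "dst": "203.0.113.8",  "dport": 443, "first_bytes": b"\x16\x03\x01\x02\x00\x01\x00"},
        {"src": "192.0.2.12", "dst": "203.0.113.9",  "dport": 80,  "first_bytes": b"HTTP/1.1 200 OK\r\n"},
        {"src": "192.0.2.13", "dst": "203.0.113.9",  "dport": 80,  "first_bytes": b"SSH-1.99-OpenSSH_7.4\r\n"},
    ]


if __name__ == "__main__":
    for hit in find_suspicious(sample_flows()):
        print(f"SSH banner on port {hit['dport']}: {hit['src']} -> {hit['dst']} {hit['first_bytes']!r}")
```

One caveat follows directly from the proxytunnel description above: in that setup the SSH session is wrapped in TLS, so on the wire port 443 only shows a TLS ClientHello (the third sample flow) and this check sees nothing. The banner test catches bare SSH on odd ports, as in the PhantomCore port list, and otherwise only applies after TLS termination or where the traffic is decrypted for inspection.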
Exfiltration
1 technique
A fourth file, obsstudio.exe, served as an SFTP server for silent file transfers.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Legitimate OpenSSH binaries/tools are trojanized and deployed on compromised Linux hosts to log authentication events and facilitate lateral movement by monitoring/leveraging remote connections.
A legitimate remote administration utility abused for lateral movement and remote command execution; in this context, used by FIN7 in operations associated with Clop ransomware deployment.
Legitimate SSH tooling abused for remote access/lateral movement as part of the ransomware deployment chain.
Legitimate SSH tooling referenced in the context of modified Windows OpenSSH binaries and binaries containing hard-coded OpenSSH private key material, associated with TRITON tradecraft.