Malwarebytes Labs recently published a report on the latest Nitrogen malware campaign that has been targeting system administrators using fake ads in the guise of Google sponsored search results. According to the security analysts, the victims are currently limited to North America.

Nitrogen comes disguised as a PuTTY (a Secure Shell [SSH] and telnet client for Windows) or FileZilla (a File Transfer Protocol [FTP] solution) installer. When installed, the malware enables threat actors to gain initial access to target networks to steal data or install ransomware like BlackCat.

The Malwarebytes security analysts identified 13 indicators of compromise (IoCs) in their report comprising 11 domains and two IP addresses. The Threat Intelligence Platform (TIP) research team used these 13 IoCs as jump-off points for an expansion analysis that led to the discovery of:

• 18 email-connected domains
• 13 additional IP addresses, 10 of which were malicious
• 457 IP-connected domains
• 12 string-connected domains
• 9,999 registrant-connected domains, 273 of which were malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Facts about the Nitrogen IoCs

Before we attempt to find other traces of the Nitrogen campaign’s infrastructure in the DNS, let us take a closer look at the 13 IoCs first.

The WHOIS records of the 11 domains classified as IoCs revealed that:

• Namecheap, Inc., which administered three domain IoCs, topped the list of registrars. Internet Domain Service BS Corp., which accounted for two domain IoCs, took the second place. Finally, CentralNIC Canada, Inc.; Dreamscape Networks International Pte. Ltd.; GoDaddy.com LLC; Launchpad.com, Inc.; PDR Ltd.; and The Registrar Company B.V. rounded out the list of registrars with one domain IoC each.

  

• The Nitrogen campaign operators used a combination of old and new domains for their attacks. In fact, the 11 domain IoCs were created between 2010 and 2024. One domain IoC each was created in 2010, 2012, 2015, 2016, 2021, 2022, and 2023. Four domain IoCs were newly registered, created in 2024.

  

• Iceland topped the list of registrant countries, accounting for five domain IoCs. The U.S. took the second spot with two domain IoCs. Armenia, Bulgaria, and the Netherlands accounted for one domain IoC each. Finally, one domain IoC’s registrant country was redacted from its current WHOIS record.

  

• It is also worth noting that four domain IoCs had public current WHOIS record details, specifically:
  • amplex-amplification[.]com, file-zilla-projectt[.]org, and puuty[.]org had retrievable registrant organization data
  • newarticles23[.]com had public registrant name and organization information

Next, we looked at the IP records of the two IP addresses named as IoCs and found that both were geolocated in the Netherlands and administered by Limenet.

Artifacts That Could Be Connected to the Ongoing Nitrogen Campaign

An in-depth investigation of the historical WHOIS records of the 11 domains categorized as IoCs provided 41 unique email addresses, 10 of which turned out to be public. They also appeared in the current WHOIS records of 18 domains after duplicates and the IoCs were filtered out.

A closer look at the DNS records of the 11 domains tagged as IoCs showed that they resolved to 13 unique IP addresses after duplicates and the IoCs were removed.

Further investigations into the DNS records of the 13 additional IP addresses revealed that:

• The additional IP addresses were scattered across five countries led by the U.S., which accounted for eight IP addresses. Two IP addresses were geolocated in the Netherlands. Finally, Germany, Finland, and Iceland accounted for one IP address each. Two of the additional IP addresses shared the geolocation country—Netherlands—of the two original IP address IoCs.

  

• Cloudflare, Inc. led the list of ISPs, accounting for six IP addresses. Finally, one IP address each was administered by Advania Island EHF, Hetzner Online GmbH, Limenet, OVH SAS, Tier.net Technologies LLC, TransIP BV, and Unified Layer. One of the additional IP addresses had the same ISP as the two IP address IoCs.

  

• Ten of the additional IP addresses were associated with various threats, specifically:
  • Four were used in phishing and generic threats
  • Two were connected to malware and generic threats
  • Two were utilized in spamming and other attacks
  • One was related to malware and other attacks
  • One was associated with four threat types—phishing, malware, attacks, and suspicious activities
• Seven of the 15 IP addresses (two identified as IoCs and 13 additional) could be dedicated hosts. In fact, 457 domains were also hosted on the seven IP addresses after filtering out duplicates, the domain IoCs, and the email-connected domains.

We then scoured the DNS for domains starting with the same text strings found among the 11 domains classified as IoCs and found that six strings—hosting-hero., kunalicon., pputy., puttyy., puuty., and recovernj.—also appeared in 12 other domains after removing duplicates, the domain IoCs, and the email- and IP-connected domains.

The registrant email address, name, and organizations obtained from the current WHOIS records of four of the domains named as IoCs also appeared in the historical WHOIS records of 9,999 other domains, 273 of which were associated with various threats, such as phishing, attacks, malware, spamming, command and control (C&C), generic threats, and suspicious activities. Specifically:

• 260 were associated with one threat type each
• One was connected to six threat types
• 12 were related to two threat types each

Could Other Threats Be Abusing PuTTY and FileZilla?

The Malwarebytes report mentioned that the threat actors utilized fake PuTTY and FileZilla installers in their attacks. We searched for domains that could be typosquatting on the popularity of the two open-source applications, which led to the discovery of 292 domains. Note that we filtered out a good number of putty.-containing domains, particularly those that may be related to wall putty and similar products. Five of them turned out to be associated with threats. Specifically, four brand-containing domains were connected to malware, while one was related to generic threats.

Our deep dive into the most recent Nitrogen malware attack using 13 IoCs as starting points allowed us to uncover 10,499 artifacts comprising 18 email-connected domains, 13 additional IP addresses, 457 IP-connected domains, 12 string-connected domains, and 9,999 registrant-connected domains. We also discovered that 283 of the web properties, specifically 10 IP addresses and 273 registrant-connected domains were malicious.

Our investigation also led to the discovery of domains that could figure in other attacks banking on the popularity of PuTTY and FileZilla. We already found five that have already been weaponized.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.