
All news with #powershell abuse tag

8 articles

DPRK-Linked Hackers Use GitHub as C2 in LNK Attacks

🔒 Fortinet FortiGuard Labs reports DPRK-linked actors using GitHub as command-and-control infrastructure in multi-stage LNK-based phishing attacks targeting South Korea. Obfuscated Windows shortcut files drop a decoy PDF and a silent PowerShell script that performs anti-analysis checks, extracts a VBScript, and creates persistence via a scheduled task running every 30 minutes. The script profiles hosts, exfiltrates the data to a GitHub repo under an account such as 'motoralis' with a hard-coded token, and retrieves additional modules or commands from files in the repository to maintain control.

eScan Antivirus Update Servers Compromised, Deliver Malware

⚠ MicroWorld Technologies confirmed unknown attackers compromised the update infrastructure for its eScan antivirus and pushed a malicious update that deployed a multi-stage downloader to enterprise and consumer endpoints. The rogue update replaced the legitimate reload.exe with a binary signed by a fake or invalid signature; it executes three Base64-encoded PowerShell stages, includes an AMSI bypass and prevents automatic remediation. Kaspersky and Morphisec report hundreds of attempted infections mainly in India and neighboring countries. MicroWorld isolated affected update servers for hours and released a remediation package; impacted customers should contact the vendor for the fix.

React2Shell RCE Exploited, 77K+ IPs and 30+ Breaches

🔴 React2Shell (CVE-2025-55182) is an unauthenticated remote code execution flaw in React Server Components and frameworks like Next.js, disclosed on December 3, 2025. A public proof-of-concept on December 4 accelerated automated scanning and exploitation; Shadowserver found 77,664 vulnerable IPs (≈23,700 in the US), and Palo Alto reports more than 30 breached organizations. Observed attacks use PowerShell stages, AMSI bypass and Cobalt Strike; mitigation requires updating React, rebuilding and redeploying apps, and reviewing logs for post-exploitation indicators.

ClickFix Phishing Campaign Targets Hotels, Delivers PureRAT

🔒 Sekoia warns of a large-scale phishing campaign targeting hotel staff that uses ClickFix-style pages to harvest credentials and deliver PureRAT. Attackers impersonate Booking.com in spear-phishing emails, redirect victims through a scripted chain to a fake reCAPTCHA page, and coerce them into running a PowerShell command that downloads a ZIP containing a DLL side-loaded backdoor. The modular RAT supports remote access, keylogging, webcam capture and data exfiltration and persists via a Run registry key.

Russian Star Blizzard shifts to 'Robot' malware families

πŸ” The Russian state-backed Star Blizzard group (aka ColdRiver/UNC4057) has shifted to modular, evolving malware families β€” NOROBOT, YESROBOT, and MAYBEROBOT β€” delivered through deceptive ClickFix pages that coerce victims into executing a fake "I am not a robot" CAPTCHA. NOROBOT is a malicious DLL executed via rundll32 that establishes persistence through registry changes and scheduled tasks, stages components (including a Windows Python 3.8 install), and, after iteration, primarily delivers a PowerShell backdoor. Google Threat Intelligence Group and Zscaler observed the transition from May through September and reported that ColdRiver abandoned the previously exposed LostKeys tooling shortly after disclosure. GTIG has published IoCs and YARA rules to help defenders detect these campaigns.

New FileFix Variant Delivers StealC via Multilingual Phish

πŸ” Acronis researchers warn of a campaign using a FileFix variant to deliver the StealC information stealer via a multilingual, heavily obfuscated phishing site. The lure mimics a Facebook security notice and hijacks the clipboard to implant a multi-stage PowerShell command that victims are tricked into executing through File Explorer. Attackers store encoded payload components as images on Bitbucket, decode them locally with a Go-based loader, and ultimately unpack shellcode that launches StealC. The infrastructure uses junk code, fragmentation and other anti-analysis techniques to evade detection and complicate forensic analysis.

Global Phishing Campaign Distributes UpCrypter Loader

📧 FortiGuard Labs identified a global phishing campaign that uses crafted HTML email attachments and personalized phishing pages to deliver obfuscated JavaScript droppers which stage the UpCrypter loader on Microsoft Windows systems. The attack uses target-specific URL reconstruction, convincing domain and logo spoofing, and prompts victims to run a bundled JavaScript dropper. The dropper decodes and executes a Base64 PowerShell payload that performs anti-analysis checks, loads an MSIL loader directly into memory, and ultimately deploys multiple RATs (PureHVNC, DCRat, Babylon RAT). Organizations should apply layered email filtering, endpoint least-privilege, and script/memory-aware detection to block these artifacts.

Full PowerShell RAT Campaign Targets Israeli Organizations

🔒 The FortiMail Workspace Security team uncovered a targeted intrusion campaign that abused compromised internal email to deliver a multi-stage, fully PowerShell-based Remote Access Trojan targeting Israeli organizations. Phishing links redirected users to a spoofed Microsoft Teams page that instructed victims to press Windows+R, paste an obfuscated Base64 loader, and execute a PowerShell IEX fetch from a hard-coded C2 (hxxps[:]//pharmacynod[.]com), which in turn staged scripts and a compressed, in-memory RAT. The operation uses layered obfuscation, native Windows APIs, and living-off-the-land techniques to enable remote access, surveillance, persistence, lateral movement, and data exfiltration; Fortinet protections detect and block this activity.