<ciso brief/>
Tag Banner

All news with #powershell tag

all tags →

Mon, August 11, 2025

Full PowerShell RAT Campaign Targets Israeli Organizations

#Active Exploitation #Backdoor Found #Data Exfil via Tools #PowerShell

🔒 The FortiMail Workspace Security team uncovered a targeted intrusion campaign that abused compromised internal email to deliver a multi-stage, fully PowerShell-based Remote Access Trojan targeting Israeli organizations. Phishing links redirected users to a spoofed Microsoft Teams page that instructed victims to press Windows+R, paste an obfuscated Base64 loader, and execute a PowerShell IEX fetch from a hard-coded C2 (hxxps[:]//pharmacynod[.]com), which in turn staged scripts and a compressed, in-memory RAT. The operation uses layered obfuscation, native Windows APIs, and living-off-the-land techniques to enable remote access, surveillance, persistence, lateral movement, and data exfiltration; Fortinet protections detect and block this activity.

read more →

Thu, August 7, 2025

New DarkCloud Stealer Infection Chain Uses ConfuserEx

#ConfuserEx #Infostealer #Obfuscation #Phishing #PowerShell #VB6

🔒 Unit 42 observed a new DarkCloud Stealer infection chain in early April 2025 that employs ConfuserEx-based obfuscation and a final Visual Basic 6 payload. Phishing TAR/RAR/7Z archives deliver obfuscated JavaScript or WSF downloaders which retrieve a PowerShell stage from open directories and drop a ConfuserEx-protected executable. The loaders are heavily protected with javascript-obfuscator and the variant follows prior AutoIt-based deliveries. Palo Alto Networks notes that Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, Cortex XDR and XSIAM can help detect and mitigate these stages and recommends contacting Unit 42 for incident response.

read more →

Wed, August 6, 2025

BadSuccessor: dMSA Privilege Escalation in Windows Server

#Active Directory #IAM #Microsoft #PAM #PowerShell #Service Accounts

🔒 Unit 42 details BadSuccessor, a critical post-Windows Server 2025 attack vector that abuses delegated Managed Service Accounts (dMSAs) to escalate privileges in Active Directory. The write-up explains how attackers who can create or modify dMSAs may set msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState to impersonate superseded accounts and obtain elevated rights. It provides practical detection guidance using Windows Security auditing and offers hunting queries and mitigation recommendations. Palo Alto Networks solutions such as Cortex XDR and XSIAM are highlighted as able to detect this activity when auditing is enabled.

read more →