Threats Feed | Unknown | Last Updated: 16/05/2025 | Author: Certfa Radar | Publish Date: 18/10/2022

Sophisticated PowerShell Attack Targets Systems with Spearphishing

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Malicious Macro, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/Low Probability

Threat Overview

The report on the Fully Undetectable (FUD) PowerShell backdoor details a sophisticated attack that begins with a malicious Word document ("Apply Form.docm") delivered in a LinkedIn-based spearphishing campaign originating from Jordan. The document contains a macro that launches a PowerShell script, which in turn creates a scheduled task to carry out further malicious actions. The backdoor communicates with its C2 server and executes commands such as process-list exfiltration, user enumeration, and Active Directory exploration. SafeBreach identified operational security mistakes by the attackers that allowed the C2 commands to be decrypted. The campaign, built on PowerShell scripts and scheduled tasks, targets systems for data exfiltration and potential lateral movement.

Detected Targets

Type   | Description | Confidence
Case   | Lumen Technologies. Lumen Technologies, Inc. (formerly CenturyLink and Qwest) is an American telecommunications company headquartered in Monroe, Louisiana, that offers communications, network services, security, cloud solutions, voice, and managed services. The company is a member of the Fortune 500 and has been on the S&P 500 index since 1999. Lumen Technologies has been targeted by Unknown with abusive purposes. | Verified
Sector | Information Technology | High
Region | Jordan | High

Extracted IOCs

  • 16007ea6ae7ce797451baec2132e30564a29ee0bf8a8f05828ad2289b3690f55
  • 45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50
  • 54ed729f7c495c7baa7c9e4e63f8cf496a8d8c89fc10da87f2b83d5151520514
  • bda4484bb6325dfccaa464c2007a8f20130f0cf359a7f79e14feeab3faa62332
  • 45[.]89.125.189
  • hxxp://45[.]89.125.189/get
  • hxxp://45[.]89.125.189/put

Tip: 7 related IOCs (1 IP, 0 domain, 2 URL, 0 email, 4 file hash) to this threat have been found.

FAQs

What You Need to Know About the New PowerShell Backdoor

Researchers discovered a new type of hidden malware that uses PowerShell scripts to quietly spy on and control computers, while pretending to be a legitimate Windows update.

The identity of the hackers is still unknown, but their methods suggest they are experienced and technically skilled.

The attackers aimed to quietly gain control of infected systems, gather user and system information, and possibly move laterally within networks.

About 100 victims have been identified so far, based on how the malware assigns unique IDs to each target.

It started with a fake job application email containing a Word document. Opening the document triggered hidden scripts that installed the backdoor and connected to the attacker’s server.

Targets were likely chosen because of their access to sensitive data or systems, such as those connected to networks using Active Directory or remote desktop tools.

Disable automatic macro execution, monitor PowerShell activity, review scheduled tasks, and inspect network traffic for suspicious connections.
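The following is an added example (not code from the report, from SafeBreach, or from Certfa Radar) that turns the guidance above and the IOC list on this page into a small detection pass: it flags Office spawning PowerShell (macro execution), scheduled tasks whose action runs hidden PowerShell, network traffic to the listed C2 address and URLs, and files matching the listed SHA-256 hashes. The log lines are constructed for the example in a simplified key=value form loosely modelled on Sysmon and Windows Security fields; the task name, file paths and event layout are assumptions, while the IP, URLs and hashes are the values listed under "Extracted IOCs".

```python
import re


def refang(value: str) -> str:
    """Normalise defanged IOC notation (hxxp://, [.]) so it matches raw log fields."""
    return value.replace("hxxp://", "http://").replace("[.]", ".")


# Indicators copied from the "Extracted IOCs" list on this page.
IOC_HASHES = {
    "16007ea6ae7ce797451baec2132e30564a29ee0bf8a8f05828ad2289b3690f55",
    "45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50",
    "54ed729f7c495c7baa7c9e4e63f8cf496a8d8c89fc10da87f2b83d5151520514",
    "bda4484bb6325dfccaa464c2007a8f20130f0cf359a7f79e14feeab3faa62332",
}
IOC_IP = refang("45[.]89.125.189")
IOC_URLS = {refang("hxxp://45[.]89.125.189/get"), refang("hxxp://45[.]89.125.189/put")}

# Office hosts that should not normally spawn PowerShell (macro execution).
OFFICE_RE = re.compile(r"\\(winword|excel|powerpnt|outlook)\.exe$")
# PowerShell switches typical of a macro- or scheduled-task-launched backdoor.
SUSPICIOUS_PS_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden\b"
    r"|-e(?:nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}"
    r"|-e(?:p|x|xec|xecutionpolicy)\s+bypass\b"
    r"|-nop\b"
)

# Constructed sample events (not taken from the report): simplified key=value
# lines; the task name and file paths are assumptions made for the example.
SAMPLE_LOGS = [
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "
    r"CommandLine=powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\update.ps1",
    r"EventID=4698 TaskName=\Microsoft\Windows\UpdateCheck Command=powershell.exe "
    r"Arguments=-WindowStyle Hidden -NonInteractive -File C:\Users\user\AppData\Local\Temp\update.ps1",
    r"EventID=3 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationIp=45.89.125.189 DestinationPort=80",
    r"EventID=proxy Url=hxxp://45[.]89.125.189/put Method=POST",
    r"EventID=15 TargetFilename=C:\Users\user\AppData\Local\Temp\update.ps1 Hashes=SHA256=16007EA6AE7CE797451BAEC2132E30564A29EE0BF8A8F05828AD2289B3690F55",
    r"EventID=1 Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\userinit.exe CommandLine=explorer.exe",
]

# A value runs until the next " key=" token, so paths with spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def check_event(ev: dict) -> list[str]:
    """Return the detection labels that fire for one parsed event."""
    findings = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    # Process creation: Office parent and/or hidden, encoded or bypass switches.
    if eid == "1" and image.endswith("powershell.exe"):
        if OFFICE_RE.search(parent):
            findings.append("office-spawned-powershell")
        if SUSPICIOUS_PS_RE.search(cmd):
            findings.append("hidden-or-encoded-powershell")
    # Scheduled task creation whose action is hidden PowerShell (persistence).
    if eid == "4698":
        action = (ev.get("Command", "") + " " + ev.get("Arguments", "")).lower()
        if "powershell" in action and SUSPICIOUS_PS_RE.search(action):
            findings.append("scheduled-task-runs-hidden-powershell")
    # Network indicators: C2 address and the /get and /put endpoints.
    if refang(ev.get("DestinationIp", "")) == IOC_IP:
        findings.append("c2-ip-connection")
    if refang(ev.get("Url", "")) in IOC_URLS:
        findings.append("c2-url-request")
    # File indicators: SHA-256 from the IOC list, case-insensitive.
    m = re.search(r"sha256=([0-9a-f]{64})", ev.get("Hashes", ""), re.I)
    if m and m.group(1).lower() in IOC_HASHES:
        findings.append("known-bad-file-hash")
    return findings


def scan(lines) -> dict[int, list[str]]:
    """Map line index -> findings for every line that triggers at least one rule."""
    hits = {}
    for i, line in enumerate(lines):
        findings = check_event(parse_event(line))
        if findings:
            hits[i] = findings
    return hits


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(labels)}")
```

The hash, IP and URL rules are only as good as the IOC list, so the behavioural rules (Office spawning PowerShell, a scheduled task that runs PowerShell with a hidden window) are the ones worth keeping after the indicators rotate; the benign explorer.exe line at the end shows they do not fire on ordinary process creation.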

This appears to be a targeted attack, not a global outbreak, but it uses techniques that other attackers could easily adopt.