Threatmon researchers discovered a PowerShell backdoor attack from Chinese cyber espionage group APT41 (aka Wicked Panda). The targeted malware allows the group to execute commands, download and upload files, and collect information on Windows platforms. The group has also utilized custom malware, supply chain attacks, and other software vulnerabilities previously to attack high-profile targets.

The PowerShell backdoor allows APT41 to covertly monitor targets over long periods of time. The malware often serves as a secondary package in targeted attacks, which highlights the need for strengthened security measures. PowerShell executes itself by placing payloads in the Windows Registry, the first of which is titled “forfiles.exe.” The final payload can infect removable devices and establishes Telegram as a C2 server. This allows the backdoor to transmit information to the C2 server by utilizing ip-API.

Read More: