Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 20:42:53 UTC
Home > List all groups > List all tools > List all groups using tool PowerPunch
 Tool: PowerPunch
Names PowerPunch
Category Malware
Type Downloader, Loader
Description
(Microsoft) PowerPunch is executed from within PowerShell as a one-line command,
encoded using Base64. These binaries also exhibit features that rely on data from the
compromised host to inform encryption of the next stage. PowerPunch also provides an
excellent example of this. The VolumeSerialNumber of the host serves as the basis for a
multibyte XOR key. The key is applied to an executable payload downloaded directly
from adversary infrastructure, allowing for an encryption key unique to the target host.
Ultimately, a next-stage executable is remotely retrieved and dropped to disk prior to
execution.
Information
MITRE ATT&CK Last change to this tool card: 30 December 2022
Download this tool card in JSON format
All groups using tool PowerPunch
Changed Name Country Observed
APT groups
 Gamaredon Group 2013-Feb 2025
1 group listed (1 APT, 0 other, 0 unknown)
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2653faee-fcff-4add-8934-b0ae27606c61
Page 1 of 2

Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2653faee-fcff-4add-8934-b0ae27606c61
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2653faee-fcff-4add-8934-b0ae27606c61
Page 2 of 2

APT groups Gamaredon Group 2013-Feb 2025 
1 group listed (1 APT, 0 other, 0 unknown) 
   Page 1 of 2