{
	"id": "d0e9738b-72b7-44b2-988e-32a1addf6b7c",
	"created_at": "2026-04-06T00:10:34.41915Z",
	"updated_at": "2026-04-10T03:24:39.844611Z",
	"deleted_at": null,
	"sha1_hash": "2a48898b93e0132087b055be144e42771e3bd328",
	"title": "Server-side polymorphism \u0026 PowerShell backdoors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1735838,
	"plain_text": "Server-side polymorphism \u0026 PowerShell backdoors\r\nBy G DATA Security Center\r\nPublished: 2019-07-17 · Archived: 2026-04-05 16:25:41 UTC\r\n07/16/2019\r\nReading time: 4 min (1010 words)\r\nMalware actors very rarely stick to the same script for extended periods of time. They constantly modify and\r\nupdate their attack methods. Recently we have observed malware that uses server-side polymorphism to hide its\r\npayload, which consists of a backdoor fully written in PowerShell.\r\nLast year, we blogged about the Rozena malware and how this backdoor incorporated PowerShell to execute its\r\nshellcode. However, malware authors are not sticking to the same script, constantly modifying and updating their\r\nattack methods. This time we’ve observed a new malware that used server-side polymorphism to hide its payload,\r\nwhich is a backdoor that is fully written in PowerShell.\r\nInitial Attack Vector\r\nhttps://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors\r\nPage 1 of 7\n\nInception and attack workflow (click to enlarge)\r\nThe sample was obtained as a malicious Visual Basic Script (VBS) attachment from an email, with the file named\r\nas “INAIL_Comunica_133113944054522074634191697732.vbs”. By the looks of its filename, it claims to be a\r\nhttps://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors\r\nPage 2 of 7\n\nnotice from an Italian organization for workplace safety insurance called the Istituto Nazionale Assicurazione\r\nInfortuni sul Lavoro (INAIL).\r\nUpon execution, this malicious VBS will invoke a downloader written in PowerShell that downloads two files\r\nfrom its command and control (CNC) servers:\r\nhxxp://adm.esurf.info/api?wead (SkypeApp64.exe)\r\nhxxp://space.4fallingstar.info/12.php?vid=pec5 (SearchI32.js)\r\nWhile the URL of the file SkypeApp64.exe was already down as of analysis, the sample remains malicious even\r\nwithout the executable. The CNC server that hosts the file SearchI32.js has server-side polymorphism, in which\r\nthe hosted JavaScript (JS) files are modified each time they are accessed, making static detection difficult.\r\nThe file SearchI32.js is an obfuscated JS that invokes another PowerShell downloader that will again download\r\ntwo files, which are both saved in the default Windows temporary folder %temp%:\r\nhxxp://green.4107irishivy.info/cryptbody2.php (SearchI32.txt)\r\nhxxp://green.4107irishivy.info/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php (SearchI32.js)\r\nBackdoor Downloads\r\nPowerShell Extractor Analyzer’s decoded script block of the backdoor (Click to enlarge)\r\nSearchI32.js downloads and executes a new version of itself as a form of persistence. At first glance, the file\r\nSearchI32.txt looks like junk. However, it is decrypted and executed by the JS file, and is the main PowerShell\r\nbackdoor.To skip several deobfuscation stages for unveiling the backdoor, we used the PowerShell Extractor\r\nAnalyzer (PEA), a publicly-available tool developed within G DATA  to analyze SearchI32.js.\r\nThe first part of the code consists of evasion techniques. The backdoor will first try to check if the infected\r\nsystem’s language is Russian, Ukrainian, Belarusian, or Chinese, and if the system is running under VirtualBox or\r\nVMWare (suggensting it is analyzed in a virtual environment - a technique often employed by malware analysts),\r\nterminating the execution if either check is matched:\r\nhttps://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors\r\nPage 3 of 7\n\nBackdoor evasion techniques: checking the system language and whether it is run in a VM\r\nAs part of its persistence, it also adds a shortcut file on the startup folder. The shortcut links to the downloaded\r\nSearchI32.js, with a description of “Windows Indexing Service” to throw off the user from its malicious behavior.\r\nThe command-line script host cscript.exe is then used to execute the Searchi32.js.\r\nCredential and information grabbing (click to enlarge)\r\nThe backdoor will then create a System.Net.CredentialCache object to store the obtained information from the\r\nuser. This object will be used as for downloading commands from the CNC server and at the same time posting\r\nthe victim’s information. The collected information is comprised of:\r\n$bot_id– Created ID for the victim that contains the computer name, computer model, and disk drive\r\nsignatures\r\n$bot_os– Operating system build version\r\n$ver– Backdoor version\r\n$psver– PowerShell version\r\nThe backdoor will use the DownloadString method to obtain the body of the CNC server site, parsing the content\r\nfor its backdoor commands. The CNC server site body is expected to contain the commands in this form:\r\n[command]|[URL for the malicious PowerShell script]\r\nThe backdoor will repeatedly access its CNC server and wait for one of the following the commands:\r\nhttps://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors\r\nPage 4 of 7\n\nm1  – Single command execution. Downloads a single string of URL from the CNC and executes it.\r\nm   – Multiple command execution. Downloads multiple strings of URL from the CNC and executes each\r\nstring.\r\nu     – Downloads and executes an updated version of SearchI32.js and SearchI32.txt from the CNC server.\r\nFor the m1 and m commands, the URL being downloaded will contain the PowerShell script to be executed for its\r\nmalicious activity.\r\nWe encountered the backdoor updating several times through its commands, like \r\nu| hxxp://green.4107irishivy.info/cryptbody2.php|hxxp://green.4107irishivy.info/l2.php\r\nand \r\nm1| hxxp://red.340airport.com/u2\r\nThe latter of which was the latest URL as of writing, where the JS decryptor/loader and PowerShell backdoor\r\nscripts were completely updated. The CNC server domains were updated during analysis\r\n(e.g. hxxp://green.4107irishivy.info/ to hxxp://green.4107irishivy.info/), making this campaign difficult to detect.\r\nThe updated version of the backdoor is still similar on how it receives its commands from the CNC server, but had\r\nsome several updates in its script:\r\nAdds the updated JS file to the scheduled tasks using the Windows task scheduler (schtasks.exe), for\r\npersistence.\r\nDropping location of downloaded files has been changed from %temp% to\r\n%appdata%\\Roaming\\Microsoft\r\nUsage of a domain generation algorithm (DGA) when it fails to connect to the main CNC server.\r\nhttps://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors\r\nPage 5 of 7\n\nUpdated JS decryptor and Backdoor\r\nDefense is easy\r\nSince this malware uses email attachments as the initial attack vector like many other types of malware, it always\r\npays to be safe by validating the source of any emails sent to you that contains attachments or links to downloads.\r\nNever open attachments or links from unvalidated email addresses. Always keep your anti-virus and operating\r\nsystems up to date, to ensure your systems are protected against these new types of malware.\r\nIf you are interested to know more of the in-depth analysis of this backdoor campaign, you may visit the following\r\nlink: \r\nIndicators of Compromise\r\nURL that attempts to download the executable:\r\nhxxp://adm.esurf.info/api?wead\r\nJS script:\r\nSample hashes:\r\nhttps://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors\r\nPage 6 of 7\n\nd3089f023d0715058773ea0cec037f92a5ce52958fdfe56b53ab291b343cee4f (Initial\r\ndownload of SearchI32.js)\r\n20317970e11e1dbdc3142b1c4fdf7258ec2d6cb29ac7d2a5ec21ef8eff38ebcc (Succeeding\r\ndownload of SearchI32.js)\r\nURLs:\r\nhxxp://space.4fallingstar.info/l2.php\r\nhxxp://green.4107irishivy.info/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php\r\nhxxp://red.1407cty13pec.com/l2.php\r\nhxxp://sad.childrensliving.com/l2.php\r\nObfuscated PS1 backdoor:\r\nSample hash:\r\n1c9d3bcea90d3ac24cef4302fa081d8f6e50a580a74d204923ee9491f0008c6e (SearchI32.txt)\r\nURLs\r\nhxxp://space.4fallingstar.info/cryptbody.php\r\nhxxp://green.4107irishivy.info/cryptbody2.php\r\nhxxp://red.1407cty13pec.com/cryptbody.php\r\nhxxp://sad.childrensliving.com/cryptbody2.php\r\nOther URLs that were used by the malware:\r\nhxxp://stats.emeraldsurfwatermanagement.com\r\nhxxp://green.dddownhole.com\r\nhxxp://green.nogel.tech\r\nhxxp://red.340airport.com\r\nhxxp://wws.rheovesthr.com\r\nhxxp://red.1407cty13pec.com\r\nRelated articles:\r\nShare Article\r\n Content\r\nInitial Attack Vector\r\nBackdoor Downloads\r\nDefense is easy\r\nIndicators of Compromise\r\nRelated articles\r\nSource: https://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors\r\nhttps://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors\r\nPage 7 of 7\n\n https://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors     \nInception and attack workflow (click to enlarge)    \nThe sample was obtained as a malicious Visual Basic Script (VBS) attachment from an email, with the file named\nas “INAIL_Comunica_133113944054522074634191697732.vbs”.    By the looks of its filename, it claims to be a\n   Page 2 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors"
	],
	"report_names": [
		"35061-server-side-polymorphism-powershell-backdoors"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434234,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a48898b93e0132087b055be144e42771e3bd328.pdf",
		"text": "https://archive.orkl.eu/2a48898b93e0132087b055be144e42771e3bd328.txt",
		"img": "https://archive.orkl.eu/2a48898b93e0132087b055be144e42771e3bd328.jpg"
	}
}