{
	"id": "f72a23be-e0dd-4cdb-8ccd-0f1fe5df96a9",
	"created_at": "2026-04-06T00:11:03.890653Z",
	"updated_at": "2026-04-10T03:21:34.133907Z",
	"deleted_at": null,
	"sha1_hash": "ecc2d32db11c3fc5266b435e3b0446d635da68e5",
	"title": "Sload hits Italy. Unveil the power of powershell as a downloader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 432582,
	"plain_text": "Sload hits Italy. Unveil the power of powershell as a downloader\r\nArchived: 2026-04-05 20:22:11 UTC\r\nHi everyone, here is Matteo Lodi, Threat Intelligence Analyst at Certego.\r\nRecently, we saw a particular new spam campaign targeting Italian users with the aim of delivering a downloader known as Sload.\r\nNowadays, attackers are trying harder and harder to make analysis and detection difficult. The most common tool misused in this way is PowerShell: it's installed by default in every recent version of Windows and is commonly used to perform administrator tasks.\r\nThe infection chain\r\nLet's dig into the infection chain:\r\nhttps://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/\r\nPage 1 of 8\n\n1. A user receives an email with subject \"\u003cTARGET_COMPANY_NAME\u003e Emissione fattura \u003crandom_number\u003e\" containing a reference to a fake invoice. The user is tricked into clicking the malicious link, which points to a randomly generated domain hosted with HTTPS at 91.218[.]127.189. The following is an example:\r\n2. Once downloaded, if the user opens the archive, they would find two files. The first one is a legit image, while the second one is a .lnk file. We have already seen the misuse of shortcut files with PowerShell to perform the download of malicious samples. But this time it seemed different: in fact, the .lnk points to the following command:\r\n3. Where is the download? At first glance, that seemed very strange: what is the aim of this execution? After having analyzed the command, the trick was clear. The attackers want to call the \"Invoke-Expression\" command to run a string hidden inside the zip itself! But where?\r\nAs we can see in the following image, at the end of the original downloaded zip file there are readable strings that are the real first-stage downloader!\r\nThe zip file is still a legit and correctly working archive! The PowerShell commands are written after the EOCD (End of Central Directory) record, which marks the end of a zip file.\r\nThis clever trick can deceive many signature-based detection tools.\r\n4. The extracted command is the following:\r\n5. The result is the download and execution of another PowerShell script from a server hosted at 185.17[.]27.108. We saw different domains used but, in the last week, the dropzone IP never changed.\r\nAlso, we noted that the CnC server was blocking requests without the \"Microsoft BITS/7.5\" User-Agent to prevent unwanted downloads by non-infected machines.\r\nThis script was very well detected by antivirus engines, as you can see in the following image!\r\nHow funny was I? Static analysis is completely useless in such cases.\r\nGoing forward, the malware drops the following items before deleting itself:\r\nThen it registers a task called \"AppRunLog\" to maintain persistence.\r\n6. Finally, it calls the registered task. This will execute the dropped Visual Basic Script file that, in turn, will execute the dropped PowerShell script:\r\nThis script parses its arguments and won't execute properly if they are not what it expects. It needs the numbers from 1 to 16 as arguments because they are, in fact, the key to decrypt the last stage.\r\n7. The final payload is decrypted from the \"config.ini\" file and is called with \"Invoke-Expression\". It's loaded directly in memory: this makes it very difficult for antivirus products to detect the threat. At the moment, this execution method is widely known as \"fileless\" because, indeed, the malware is never written to disk.\r\nThe payload is the last (finally) PowerShell script: it is the real Sload downloader, which performs various malicious steps that were already explained in detail in the article written by Proofpoint.\r\nIn a few words, Sload can:\r\n1. Load external binaries\r\n2. Take screenshots\r\n3. Update configuration and CnC servers\r\n4. List running processes\r\n5. Detect Outlook usage\r\nThe variant we spotted in the last week uses the following CnC domains, which resolve to the same IP used by the second downloader stage (185.17[.]27.108).\r\nHowever, we expect that this configuration won't last long because, as we said before, Sload is able to update its CnC servers at any time.\r\nConclusion\r\nWe had a fantastic journey that, hopefully, made us understand how powerful PowerShell can be and how attackers are misusing this tool to evade analysis and detection.\r\nWe analyzed 5 different PowerShell scripts, and that was only the \"downloader\" phase of the infection.\r\nIn case of a successful one, Sload was seen to download known malware like Ramnit, Gootkit, DarkVNC or Ursnif (reference: Proofpoint). At that stage the threat would be really serious.\r\nCertego is monitoring the campaign and updating its signatures to correctly detect possible infections.\r\nIOC\r\nSource: https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/"
	],
	"report_names": [
		"sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434263,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ecc2d32db11c3fc5266b435e3b0446d635da68e5.pdf",
		"text": "https://archive.orkl.eu/ecc2d32db11c3fc5266b435e3b0446d635da68e5.txt",
		"img": "https://archive.orkl.eu/ecc2d32db11c3fc5266b435e3b0446d635da68e5.jpg"
	}
}