Power Loader

Power Loader is modular code sold in the cybercrime market and used as a downloader in malware families such as Carberp, Redyms and Gapz. [1] [2]

ID: S0177
Aliases: Power Loader, Win32/Agent.UAW
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1181 | Extra Window Memory Injection | Power Loader overwrites Explorer's Shell_TrayWnd extra window memory to redirect execution to an NTDLL function that is abused to assemble and execute a return-oriented programming (ROP) chain and create a malicious thread within Explorer.exe. [1] [2]