PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 2022.[1]

ID: S1012
Platforms: Windows
Version: 1.0
Created: 01 June 2022
Last Modified: 02 June 2022

Techniques Used

Domain ID Name Use
Enterprise T1560 Archive Collected Data

PowerLess can encrypt browser database files prior to exfiltration.[1]

Enterprise T1217 Browser Bookmark Discovery

PowerLess can use a .NET browser information stealer module.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

PowerLess is written in and executed via PowerShell without using powershell.exe.[1]

Enterprise T1005 Data from Local System

PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

PowerLess can stage stolen browser data in C:\\Windows\\Temp\\cup.tmp and keylogger data in C:\\Windows\\Temp\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

PowerLess can use base64 and AES ECB decryption prior to execution of downloaded modules.[1]

Enterprise T1573 Encrypted Channel

PowerLess can use an encrypted channel for C2 communications.[1]

Enterprise T1105 Ingress Tool Transfer

PowerLess can download additional payloads to a compromised host.[1]

Enterprise T1056 .001 Input Capture: Keylogging

PowerLess can use a module to log keystrokes.[1]

Groups That Use This Software

ID Name References
G0059 Magic Hound