Posts

PART 2 - From a New Year's surprise to a bag of coal - Analysis of mystery PowerShell (Never trust LLMs)

As shown in my last blog, I took the time to analyze a very complicated, annoying and heavily obfuscated PowerShell script that resulted in a payload which the LLM I was using as my intern indicated might be related to a Red Team or Offensive Security course. This did not sit well with me, and the feeling was cemented further when one of my trusted friends also nudged me about the domains that dropped this PowerShell. Sooooo, this blog will be short, but it is more to share the full picture and probably ask the community whether they have seen these types of files, what they could be, and whether they are associated with a certain campaign. The rabbit hole was deeeeeeep and with many tentacles here, as the more I looked into it, the more complicated and cumbersome it got. Let us recap: 1- The initial PS script, according to VT, is being dropped from [random_sub_domain] .fd-api-iris-s-mn-com/.in/.net . 2- Once it is run, it goes through a multi-layer deobfuscation that we explained in the previous blog en...

From a New Year's surprise to a bag of coal - Analysis of mystery PowerShell

On December 29, 2025 one of my VT hunt rules fired off. I got super excited, as that rule was created on the back of a specific PowerShell script from an incident back in the summer, and this was the first time it had fired since I created it. VT Link - https://www.virustotal.com/gui/search/8bab6fbed08c3d8d45512b09126dc39bbf02eca8c5a92655baca7ae7dbfb1b4a Low detection, and still is (3/63) as of the writing of this post. I was EXCITED. Is this related to that incident? Is the same actor behind this? Is this an evolution of the one I analyzed in the summer? Well, I got to work. The script was heavily obfuscated with tons of garbage code as well as tons of integer-to-character substitutions. But as you scroll down you will be faced with a big byte array that is encoded as integers. Starting to manually analyze the code, while tedious, was fruitful, as it was a straightforward integer-to-character substitution. However, in order to move to the next layer, the byte array had to go through some de-obfuscat...