Posts

Showing posts from January, 2026

From a New Year's surprise to a bag of coal - Analysis of mystery PowerShell

On December 29, 2025, one of my VT hunt rules fired off. I got super excited, as that rule was created on the back of a specific PowerShell script from an incident back in the summer, and this was the first time it had fired since I created it. VT Link - https://www.virustotal.com/gui/search/8bab6fbed08c3d8d45512b09126dc39bbf02eca8c5a92655baca7ae7dbfb1b4a Low detection, and still is (3/63) as of the writing of this post. I was EXCITED. Is this related to that incident? Is the same actor behind this? Is this an evolution of the one I analyzed in the summer? Well, I got to work. The script was heavily obfuscated, with tons of garbage code as well as tons of integer-to-character substitutions. But as you scroll down, you will be faced with a big byte array encoded as integers. Starting to manually analyze the code, while tedious, was fruitful, as it was a straight integer-to-character substitution. However, in order to move to the next layer, the byte array had to go through some de-obfuscat...