Windows PowerShell backdoor discovered, masquerading as part of the Windows Update process

Security researchers from SafeBreach recently came across a previously unknown PowerShell backdoor in Windows. It uses a malicious Word document to inject the PowerShell scripts. The backdoor can list Active Directory users and remote desktops, and is presumably intended to allow network propagation at a later date.



I became aware of this discovery a few days ago via the following tweet. The title is a bit misleading – the PowerShell backdoor is not "undetectable", otherwise security researchers would not have found it. 

New Windows PowerShell Backdoor

The details have been published in the blog post SafeBreach Labs Researchers Uncover New Fully Undetectable PowerShell Backdoor. The backdoor was installed by a previously unknown attacker and has some special features.

Figure: Malicious Word document "Apply Form.docm" (source: SafeBreach)

  • On August 25, 2022, a malicious Word document, Apply Form.docm, was distributed for the first time (security researchers write something about "uploaded"). The Word document contains macro code that launches an unknown PowerShell script.
  • From the file's metadata, it appears that this campaign was related to an alleged LinkedIn-based job application spearphishing lure.
  • The macro drops the updater.vbs file on the victim system and creates a scheduled task on Windows that pretends to be part of a Windows update. This task then runs the updater.vbs script from the folder "%appdata%\local\Microsoft\Windows". However, this process imho requires administrative permissions.
  • The updater.vbs script executed by the task then runs a PowerShell script.
  • Before the scheduled task is executed, two PowerShell scripts named Script.ps1 and Temp.ps1 are created. The contents of the PowerShell scripts are stored in text fields within the Word document and in the appdata directory created. Both scripts are obfuscated and are not detected as malicious on VirusTotal.
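
The persistence step above (a scheduled task posing as Windows Update that starts updater.vbs from the user profile) can be hunted in Task Scheduler XML, as stored under C:\Windows\System32\Tasks or carried in the task content of Security event 4698. The following is an added example, not code from SafeBreach or this post; the regex heuristics, the task names and the user "alice" are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristics chosen for this example (assumptions, not published indicators).
UPDATE_LABEL = re.compile(r"update", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|powershell|pwsh)(\.exe)?\b", re.I)
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1)\b", re.I)
USER_PATH = re.compile(r"%(local)?appdata%|%temp%|\\users\\[^\\]+\\appdata\\", re.I)

def assess_task(task_xml):
    """Return the reasons a task definition looks like a fake update task."""
    root = ET.fromstring(task_xml)
    label = " ".join(root.findtext(f"t:RegistrationInfo/t:{tag}", "", NS)
                     for tag in ("URI", "Description"))
    reasons = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmdline = " ".join([exe.findtext("t:Command", "", NS),
                            exe.findtext("t:Arguments", "", NS)])
        runs_script = SCRIPT_HOST.search(cmdline) or SCRIPT_FILE.search(cmdline)
        # Genuine update tasks run signed binaries from %systemroot%,
        # not script files sitting in a user-writable profile folder.
        if runs_script and USER_PATH.search(cmdline):
            reasons.append("script run from user-writable path: " + cmdline)
            if UPDATE_LABEL.search(label):
                reasons.append("task is labelled as an update component")
    return reasons

def sample(uri, desc, command, args):
    """Build a minimal task definition (constructed test data)."""
    return (f'<Task xmlns="{NS["t"]}"><RegistrationInfo><URI>{uri}</URI>'
            f'<Description>{desc}</Description></RegistrationInfo><Actions><Exec>'
            f'<Command>{command}</Command><Arguments>{args}</Arguments>'
            f'</Exec></Actions></Task>')

# Constructed samples: a look-alike task and a system-path update task.
FAKE = sample(r"\WindowsUpdate", "Windows Update", "wscript.exe",
              r'"C:\Users\alice\AppData\Local\Microsoft\Windows\updater.vbs"')
BENIGN = sample(r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
                "Scans for updates", r"%systemroot%\system32\usoclient.exe",
                "StartScan")

if __name__ == "__main__":
    for name, xml_text in (("FAKE", FAKE), ("BENIGN", BENIGN)):
        print(name, assess_task(xml_text))
```

Task files on disk are UTF-16 encoded, so read them as bytes and pass the bytes to `ET.fromstring` rather than decoding them first.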

The PowerShell script Script1.ps1 connects to the C2 server to get the commands to execute. The script parses the commands and executes the Temp.ps1 script for each command with the c parameter. The security researchers executed specific commands for victims' systems. The scripts can be used, for example, to:



  • retrieve process lists
  • enumerate local users
  • enumerate files in specific folders
  • enumerate the Active Directory and RDP client connections

In addition, files can be deleted from public folders, network shares, etc. via script. The security researchers describe further details of the script functions in this article.

