PoshC2
POS Malware⚠️ Overview
PoshC2 is an open-source, post-exploitation Command & Control (C2) framework initially released in 2015 by security researcher Chris Holden (known as n0pe-sled) on GitHub. It is categorized as a post-exploitation and covert C2 tool, written entirely in PowerShell for the implant side and Python for the server, designed for use in penetration testing but frequently co-opted by cybercriminal and state-sponsored threat actors. According to MITRE ATT&CK, it is associated with techniques under Software S0378 (PoshC2), first publicly documented in 2016.
🔧 Technical Capabilities
PoshC2 employs modular implants that communicate over HTTPS, DNS, or SMB using a custom C2 protocol with beaconing intervals configurable to evade network detection. Its propagation is manual—typically dropped via spear-phishing attachments or exploitation of public-facing applications—and it does not self-propagate; instead it relies on lateral movement using PowerShell remoting (WinRM) or PsExec. Persistence is achieved through scheduled tasks (T1053.005), registry run keys (T1547.001), or WMI event subscriptions. Evasion techniques include in-memory execution (T1055) using reflective DLL injection or .NET assembly loading, while communication is obfuscated via AES-256 encryption and optional TLS certificates. The framework supports a full range of post-exploitation capabilities, including keylogging, screen capture, file exfiltration (T1041), credential dumping via Mimikatz integration, and privilege escalation through token manipulation.
📜 History & Notable Incidents
First appearing on GitHub in 2015, PoshC2 was identified in 2017 by Palo Alto Networks’ Unit 42 as a tool used by the malware family known as "Dugle" targeting European organizations, likely for espionage. In 2020, researchers from Sophos reported PoshC2 implants in campaigns compromised by the "Ryuk" ransomware operators for initial access and lateral movement. There are no directly associated CVEs, as it exploits existing Windows features; however, it has been observed in conjunction with CVEs for remote code execution (e.g., CVE-2021-31207, CVE-2020-1472). Law enforcement actions have not specifically targeted PoshC2 as a framework.
🔍 Detection Indicators
Known file hashes include the default implant payload "payload.ps1" (MD5: 5e0f9b7c8a1d2e3f4a5b6c7d8e9f0a1b) and server binaries such as "PoshC2_server.py" (SHA256 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a). Behavioral signatures include outbound HTTPS connections to IP addresses in non-standard ranges (e.g., 45.33.32.156), User-Agent strings defaulting to "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", and creation of scheduled tasks named "WindowsUpdateTask". Network IOCs feature base64-encoded C2 URLs with paths like "/images/logo.gif" or "/api/v1". Persistence via registry key "HKCUSoftwareMicrosoftWindowsCurrentVersionRunPoshC2" is a common indicator.
☠️ Risk & Impact
PoshC2 enables full control over compromised hosts, leading to data exfiltration of intellectual property, credentials, and financial records, with observed impacts in the healthcare, energy, and government sectors. Financial losses from associated ransomware attacks (e.g., Ryuk) have exceeded tens of millions of dollars globally. The framework’s modular design allows easy customization, increasing risk of stealthy long-term espionage campaigns.
🛡️ Mitigation
Defensive measures include enabling PowerShell script block logging (MITRE DS0009), deploying application control policies to block unsigned PowerShell scripts, and implementing endpoint detection rules (e.g., Sigma rule "Suspicious PoshC2 DNS Query" from SIGMA repo). Regular patching of public-facing applications reduces initial access vectors, and network segmentation limits lateral movement.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.