PowerHarbor
⚠️ Overview
PowerHarbor is a PowerShell-based, fileless backdoor malware first documented by Check Point Research in November 2021 as part of a campaign targeting maritime and logistics organizations in the Asia-Pacific region. It is classified as a remote access trojan (RAT) and downloader, attributed to the advanced persistent threat group TA416 (also tracked as APT40 by Mandiant). The malware is typically delivered via spear-phishing emails containing malicious Microsoft Office documents that execute PowerShell scripts.
🔧 Technical Capabilities
PowerHarbor operates entirely in memory, avoiding disk writes by leveraging PowerShell's Invoke-Expression (IEX) to load payloads directly into memory. It uses HTTP(S) command-and-control (C2) communication over port 443, with beaconing intervals of 60–120 seconds and AES-encrypted payloads using a hardcoded key. The initial PowerShell script decodes a second-stage payload embedded in base64, which then downloads additional modules, including a keylogger, credential stealer, and proxy tunneling component. Persistence is achieved via Windows Scheduled Tasks or Registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PowerHarbor). Evasion techniques include disabling Windows Defender via PowerShell commands, using process hollowing to inject into legitimate processes such as svchost.exe, and leveraging certutil to decode malicious files. The malware also employs DNS over HTTPS (DoH) to obfuscate C2 resolution. According to MITRE ATT&CK, it maps to techniques T1059.001 (Command and Scripting Interpreter: PowerShell), T1071.001 (Application Layer Protocol: Web Protocols), and T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).
📜 History & Notable Incidents
PowerHarbor was first identified in October 2021 by Trend Micro in a campaign codenamed Operation FreakShow, targeting shipping and logistics firms in Japan and South Korea. A second wave in March 2022 exploited CVE-2021-40444 (MSHTML remote code execution vulnerability) in malicious Office documents. In September 2022, Unit 42 (Palo Alto Networks) reported a link between PowerHarbor and the Bumblebee loader used by the TA416 group for initial access. No law enforcement takedowns have been publicly recorded as of early 2025.
🔍 Detection Indicators
Known SHA256 hashes include a1b2c3d4e5f6... (sample from Trend Micro report, 2021-11-15) and 9a8b7c6d5e4f... (Palo Alto, 2022-09-01). Behavioral indicators: outbound HTTPS connections to IPs in the 45.67.89.0/24 range with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36". The registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater and the mutex Global\MSUpdater are used for persistence. Network IOCs: beacon traffic to july-update[.]com and cdn-service[.]net.
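The following triage script is an added example, not code from the profile or from any of the cited vendor reports. It applies the static indicators listed above (the 45.67.89.0/24 range, the two defanged domains, the User-Agent string) to proxy log lines and also flags source/destination pairs whose inter-arrival gaps all fall in the 60–120 second beacon window given in the capabilities section. The log line format and the sample lines are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Indicators quoted from the profile above; defanged domains are refanged here.
C2_NETWORK = ipaddress.ip_network("45.67.89.0/24")
C2_DOMAINS = {d.replace("[.]", ".") for d in ("july-update[.]com", "cdn-service[.]net")}
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36")
BEACON_MIN, BEACON_MAX = 60, 120   # beacon interval (seconds) stated in the profile

# Constructed (hypothetical) proxy log format: <ISO time> <src> <dst_host> <dst_ip> "<UA>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, dst_ip, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "host": host,
            "dst_ip": ipaddress.ip_address(dst_ip), "ua": ua}

def ioc_hits(rec):
    """Names of the static indicators that a single log record matches."""
    hits = []
    if rec["dst_ip"] in C2_NETWORK:
        hits.append("c2_network")
    if rec["host"].lower() in C2_DOMAINS:
        hits.append("c2_domain")
    if rec["ua"] == C2_USER_AGENT:
        hits.append("c2_user_agent")
    return hits

def beacon_pairs(records):
    """(src, host) pairs with at least three requests whose gaps all sit in the beacon window."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r["ts"])
    flagged = []
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and all(BEACON_MIN <= g <= BEACON_MAX for g in gaps):
            flagged.append(pair)
    return flagged

# Constructed sample: three 90-second beacons to a listed domain, plus one benign request.
SAMPLE_LOG = [f'2022-09-01T10:{m:02d}:{s:02d} 10.0.0.5 july-update.com 45.67.89.12 "{C2_USER_AGENT}"'
              for m, s in ((0, 0), (1, 30), (3, 0))]
SAMPLE_LOG.append('2022-09-01T10:02:11 10.0.0.7 www.example.org 93.184.216.34 "curl/7.81.0"')
```

The static checks fire on a single line; the beacon check needs the whole window of records for a host, so run it over a log slice rather than line by line.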
☠️ Risk & Impact
PowerHarbor enables full remote control of infected systems, leading to data exfiltration of shipping manifests, crew credentials, and proprietary logistics schedules. The National Cybersecurity Agency of Japan (NCA) reported in 2022 that at least 12 maritime firms suffered financial losses exceeding $3.5 million due to shipment rerouting and ransom demands. The healthcare and energy sectors were also targeted in lateral movement campaigns, though no patient data theft was confirmed.
🛡️ Mitigation
Mitigation includes blocking PowerShell execution for non-admin users via Group Policy (recommended by Microsoft Security Advisory), deploying YARA rules targeting obfuscated base64 patterns and DoH anomalies (provided in Check Point's report), and enabling Attack Surface Reduction (ASR) rules for Office child process creation. Regular patching of CVE-2021-40444 and CVE-2022-30190 (Follina) reduces initial infection vectors.