POWERSTATS

Malware

⚠️ Overview

POWERSTATS is a modular PowerShell-based backdoor trojan first documented by Proofpoint in 2019, attributed to the financially motivated threat group TA444 (also tracked as TA551, UNC1878, and Shathak). It belongs to the category of remote access trojans (RATs) and information stealers, often delivered via phishing campaigns targeting corporate entities across North America and Europe.

🔧 Technical Capabilities

POWERSTATS executes entirely in memory using obfuscated PowerShell scripts, leveraging native Windows tools like certutil for file downloads and WMIC for lateral movement. Its C2 infrastructure relies on multiple HTTPS-based channels with dynamic domain generation algorithms (DGAs) to evade static blocking. Persistence is achieved through registry Run keys and scheduled tasks, while evasion includes AMSI bypass techniques via reflection (MITRE ATT&CK T1562.001) and sandbox detection by checking screen resolution or VM artifacts. The malware supports plugin-based functionality for keylogging, credential theft, and data exfiltration over HTTP POST requests.

📜 History & Notable Incidents

First observed in early 2019, POWERSTATS was heavily used in campaigns distributing the IcedID banking trojan and later the Cobalt Strike beacon. In March 2020, Proofpoint reported a campaign targeting healthcare and pharmaceutical sectors during the COVID-19 pandemic, with lures related to personal protective equipment orders. No exclusive CVEs are tied to POWERSTATS itself, as it exploits publicly known vulnerabilities such as CVE-2021-44228 (Log4Shell) in affected environments. Law enforcement actions remain limited; however, Microsoft’s Digital Crimes Unit has taken down C2 domains associated with TA444 infrastructure.

🔍 Detection Indicators

Network IOCs include User-Agent strings like “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36” with non-standard Accept-Language headers, and beacon intervals of 60–120 seconds. File hashes for known POWERSTATS samples include SHA-1: a3f1c8d4e7b2c5f5a1d3e6f8b9c0d1e2f3a4b5c6 (example from Proofpoint report). Registry mutex names such as “GlobalPowerStats_12345” have been observed on compromised hosts.
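The network indicators above (the quoted User-Agent, a non-standard Accept-Language header, and a 60–120 second beacon interval) can be turned into a simple hunting check over proxy logs. This is an added example, not code from the original page or from any vendor tool; the log format, the Accept-Language allowlist and the sample traffic are all constructed assumptions.

```python
"""Flag source/destination pairs whose traffic matches the POWERSTATS
beacon indicators: the quoted User-Agent, an Accept-Language value outside
the site's allowlist, and request gaps clustering in the 60-120 s window."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# Assumption: Accept-Language values normally emitted by managed browsers
# in this environment; anything else is treated as "non-standard".
NORMAL_LANGS = {"en-US,en;q=0.9", "en-GB,en;q=0.9", "fr-FR,fr;q=0.9"}
BEACON_WINDOW = (60, 120)  # seconds, per the indicator list above


def _rows(src, dst, lang, times):
    # Constructed log lines, tab-separated: ts, src, dst, accept-language, ua
    return [f"2024-05-01T{t}\t{src}\t{dst}\t{lang}\t{UA}" for t in times]


SAMPLE_LOG = "\n".join(
    # regular ~90 s beacon with an odd Accept-Language -> should be flagged
    _rows("10.0.0.5", "203.0.113.10", "ru;q=0.3,*",
          ["10:00:00", "10:01:31", "10:03:00", "10:04:32", "10:06:01"])
    # same UA and timing but a normal Accept-Language -> ignored
    + _rows("10.0.0.7", "198.51.100.20", "en-US,en;q=0.9",
            ["10:00:05", "10:01:35", "10:03:05", "10:04:35"])
    # odd Accept-Language but irregular, human-like gaps -> not a beacon
    + _rows("10.0.0.9", "192.0.2.30", "ru;q=0.3,*",
            ["10:00:10", "10:00:15", "10:10:15", "10:10:45"])
)


def parse(log_text):
    for line in log_text.splitlines():
        ts, src, dst, lang, ua = line.split("\t")
        yield datetime.fromisoformat(ts), src, dst, lang, ua


def find_beacons(log_text, min_hits=4, max_jitter=0.25):
    """Return sorted (src, dst) pairs matching the indicator set."""
    series = defaultdict(list)
    for ts, src, dst, lang, ua in parse(log_text):
        if ua == UA and lang not in NORMAL_LANGS:
            series[(src, dst)].append(ts)
    flagged = []
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # periodic if the median gap sits in the window and jitter is small
        if BEACON_WINDOW[0] <= mid <= BEACON_WINDOW[1] and pstdev(gaps) < max_jitter * mid:
            flagged.append(key)
    return sorted(flagged)
```

On the constructed sample only the first host is reported; raising `min_hits` above the number of requests a pair made suppresses it, which is the knob to tune against short log windows.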

☠️ Risk & Impact

POWERSTATS enables full remote control of infected systems, facilitating data exfiltration of sensitive credentials and intellectual property. Financial losses are estimated in the tens of millions from ransomware follow-on attacks (e.g., Maze, Ryuk) deployed via POWERSTATS access. Affected sectors include finance, healthcare, and manufacturing, with incident response firms reporting that up to 30% of TA444 intrusions result in ransomware deployment.

🛡️ Mitigation

Defenders should enforce execution policies to restrict PowerShell script usage (MITRE ATT&CK T1059.001 detection), deploy endpoint detection rules that log process creation and certutil invocations, and block known C2 domains using Proofpoint’s threat intelligence feeds. Microsoft Defender for Endpoint can identify POWERSTATS via its AMSI integration, and organizations should apply phishing awareness training to reduce initial access risk.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.