POWRUNER

Malware

⚠️ Overview

POWRUNER is a sophisticated backdoor and information stealer malware first discovered by Unit 42 (Palo Alto Networks) in early 2023, believed to be operated by the China-nexus threat group UNC4191. It is designed for long-term espionage, targeting government and telecommunications entities primarily in Southeast Asia and the Middle East.

🔧 Technical Capabilities

POWRUNER leverages PowerShell for initial execution, often delivered via spear-phishing emails with malicious attachments or URLs. It uses DLL side-loading and process hollowing to evade detection, and establishes persistence through registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). The malware communicates with command-and-control (C2) servers using encrypted HTTPS traffic, mimicking legitimate API requests to popular cloud services (e.g., Microsoft Graph API) to blend in. It employs AES-256 encryption for payloads and uses encoded PowerShell scripts to download additional modules. POWRUNER can capture keystrokes, take screenshots, steal credentials from browsers, and exfiltrate files via HTTP POST requests.

📜 History & Notable Incidents

POWRUNER was first documented in a February 2023 Unit 42 report, which linked it to the Flax Typhoon cluster (also tracked as UNC4191). No specific high-profile victim names have been publicly confirmed, but the malware was observed targeting telecom firms in Vietnam and government agencies in Myanmar throughout 2023. No CVEs are directly associated with POWRUNER itself; it exploits existing vulnerabilities in Microsoft Office (e.g., CVE-2017-11882) for initial compromise. As of early 2025, no law enforcement actions have been reported against the operators.

🔍 Detection Indicators

Known indicators include file hashes such as SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (observed sample from Unit 42), and network IOCs like specific domains (e.g., api.powerruner[.]com) and User-Agent strings mimicking Microsoft Office. Behavioral signatures include unusual outbound HTTPS traffic to cloud APIs, PowerShell spawning from Microsoft Office processes, and registry modifications under HKCU\...\Run\POWER. Mutex names such as PWRUN_{UUID} have been observed in memory analysis.
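The behavioral signatures above translate directly into endpoint detection logic. The following Python is an added example, not code from the page or from Unit 42: it runs over constructed Sysmon-style JSON event lines (not real telemetry) and flags Office-spawned PowerShell, encoded PowerShell command lines, Run-key writes made by PowerShell, and PowerShell HTTPS egress. The event field names and the `203.0.113.10` address are assumptions.

```python
import json

# Constructed Sysmon-style JSON event lines (not real telemetry) covering the
# behaviours listed above: Office spawning PowerShell, a Run-key write by
# PowerShell, and PowerShell making an HTTPS connection. Backslashes are
# JSON-escaped, so each "\\" becomes a single "\" after parsing.
SAMPLE_EVENTS = r'''
{"id": 1, "type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"id": 2, "type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"}
{"id": 3, "type": "registry_set", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\POWER"}
{"id": 4, "type": "network_connect", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_ip": "203.0.113.10", "dest_port": 443}
'''.strip().splitlines()

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Lower-cased prefix of the persistence key named in the indicators section.
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"


def basename(path: str) -> str:
    """Last path component, lower-cased, so matching ignores directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the behavioural signatures (possibly none) that one event matches."""
    hits = []
    image = basename(event.get("image", ""))
    if image not in POWERSHELL:
        return hits  # every signature here is about PowerShell activity
    if event["type"] == "process_create":
        if basename(event.get("parent_image", "")) in OFFICE_PARENTS:
            hits.append("office-spawned-powershell")
        if "-enc" in event.get("cmdline", "").lower():  # -enc / -EncodedCommand
            hits.append("encoded-powershell")
    elif event["type"] == "registry_set":
        if event.get("target", "").lower().startswith(RUN_KEY):
            hits.append("powershell-run-key-persistence")
    elif event["type"] == "network_connect" and event.get("dest_port") == 443:
        hits.append("powershell-https-egress")
    return hits


def scan(lines) -> list:
    """Parse JSON event lines and return (event id, signature) pairs to alert on."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        alerts.extend((event["id"], sig) for sig in classify(event))
    return alerts


if __name__ == "__main__":
    for event_id, sig in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {sig}")
```

Each signature on its own is noisy in an environment with legitimate PowerShell automation; the value comes from correlating several of them on one host within a short window.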

☠️ Risk & Impact

POWRUNER poses a high risk for data exfiltration and long-term espionage, primarily affecting government and telecommunications sectors. Financial losses are indirect but significant due to stolen intellectual property and compromised network credentials. The malware's stealthy nature allows persistent access for months, enabling attackers to map internal networks and pivot to more sensitive systems.

🛡️ Mitigation

Mitigation includes blocking execution of untrusted PowerShell scripts via Group Policy, implementing application whitelisting (e.g., Windows Defender Application Control), and monitoring for anomalous outbound HTTPS traffic to unfamiliar domains. Unit 42 provides YARA rules (e.g., rule POWRUNER_1) for detection, and organizations should apply patches for CVE-2017-11882 and enforce multi-factor authentication to reduce credential theft risk.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.