POWERTON
POWERTON is a custom backdoor/dropper written in PowerShell. Reported capabilities include command-and-control over HTTP/HTTPS with AES-encrypted C2 traffic, WMI-based persistence, and dumping of password hashes. Microsoft reported that HOLMIUM (now tracked as Peach Sandstorm, overlapping with the activity other researchers call APT33 or Refined Kitten) executed POWERTON directly from the Outlook process after using the Ruler tool to abuse Outlook's Home Page feature (CVE-2017-11774); the broader intrusion chain also involved password spraying against exposed ADFS infrastructure and the use of compromised Office 365/Exchange credentials. The family is associated with Iranian threat activity and has been reported in targeting of aerospace, defense, chemical, mining, petrochemical and satellite communications organizations. The high-confidence indicators cited for this family are the domains topaudiobook.net and customermgmt.net, which Microsoft reported were abused in the 2019 HOLMIUM campaign that delivered POWERTON.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Refined Kitten... using custom droppers like POWERTON for satellite communications targeting.
Techniques & procedures
Five distinct techniques documented for this family, organized by ATT&CK tactic; the two persistence techniques are listed again under Privilege Escalation because ATT&CK maps them to both tactics.
Execution
1 technique
Command and Scripting Interpreter: PowerShell (T1059.001). POWERTON is itself a PowerShell script and was observed executing directly from the Outlook process after Outlook Home Page abuse. The technique is generic and is used across actors for execution, download, staging, reconnaissance, persistence, credential access, lateral movement and defense evasion; a representative procedure example is "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
Persistence
2 techniques
Event Triggered Execution: WMI Event Subscription (T1546.003). POWERTON uses WMI for persistence. Across the wider corpus, actors and tools including APT29, APT33, FIN8, Turla, Blue Mockingbird, PoshC2, POSHSPY, RegDuke and SeaDuke are described as creating WMI event filters, consumers and filter-to-consumer bindings to persist, with triggers such as system boot or the start of a specific process (e.g., WINWORD.EXE).
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001). POWERTON is reported to set registry autoruns. The generic pattern is adding values under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, or placing executables, scripts, .lnk or .bat files in the Windows Startup folder.
Privilege Escalation
2 techniques
The same two techniques, WMI Event Subscription (T1546.003) and Registry Run Keys / Startup Folder (T1547.001), also map to the Privilege Escalation tactic in ATT&CK: a permanent WMI event subscription is executed by the WMI Provider Host (WmiPrvSE.exe) and can therefore run as SYSTEM, and some autostart locations run the referenced program with higher privileges than the process that wrote them.
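As an added example (not code from Microsoft, Mallory, or any POWERTON sample), the following Python runs the hunts a responder would want for the intrusion chain described at the top of this page and for the two persistence techniques above: Outlook parenting a script host, a folder Home Page URL written to the registry, a permanent WMI event subscription whose consumer launches PowerShell, and a Run key pointing at a script host. The events are constructed inline and loosely follow Sysmon field names for event IDs 1, 13, 19, 20 and 21; the `HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<Folder>\URL` registry location is assumed as the local mirror of the Home Page setting and should be confirmed against your Outlook build; every name, SID, path and URL in the sample is invented.

```python
"""Added example: hunt POWERTON-style execution and persistence in Sysmon-shaped events.
Sample events are constructed; field names follow Sysmon IDs 1 (process create),
13 (registry value set) and 19/20/21 (WMI filter / consumer / filter-to-consumer binding)."""
import re

# Script hosts an attacker would hang off Outlook, a WMI consumer, or a Run key.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Assumed hunting location: Outlook mirrors a folder's Home Page URL (the setting abused via
# CVE-2017-11774) under HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<Folder>\URL.
WEBVIEW_RE = re.compile(r"\\Outlook\\WebView\\[^\\]+\\URL$", re.I)
WMI_NAME_RE = re.compile(r'Name="([^"]+)"')

HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # invented user hive
SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe Get-Date"},  # benign
    {"EventID": 13, "TargetObject": HIVE + r"\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
     "Details": "http://example.invalid/home.html"},
    {"EventID": 19, "Name": "Updater", "EventNamespace": r"root\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Name": "Updater", "Type": "Command Line",
     "Destination": r'powershell.exe -nop -w hidden -c "IEX (Get-Content C:\ProgramData\stage.txt)"'},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
    {"EventID": 21, "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},  # Windows default binding, benign
    {"EventID": 20, "Name": "SCM Event Log Consumer", "Type": "NT Event Log",
     "Destination": "SCM Event Log Consumer"},
    {"EventID": 13, "TargetObject": HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -w hidden -File C:\ProgramData\stage.ps1"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _runs_script_host(text: str) -> bool:
    low = text.lower()
    return any(host in low for host in SCRIPT_HOSTS)


def outlook_spawned_script_hosts(events):
    """POWERTON was launched from OUTLOOK.EXE: flag Outlook parenting any script host."""
    return [e["CommandLine"] for e in events
            if e.get("EventID") == 1
            and _basename(e["ParentImage"]) == "outlook.exe"
            and _basename(e["Image"]) in SCRIPT_HOSTS]


def outlook_homepage_urls(events):
    """Registry writes of a folder Home Page URL (the CVE-2017-11774 abuse path)."""
    return [(e["TargetObject"], e["Details"]) for e in events
            if e.get("EventID") == 13 and WEBVIEW_RE.search(e["TargetObject"])
            and e["Details"].lower().startswith(("http://", "https://"))]


def wmi_script_host_subscriptions(events):
    """Join filter (19) -> binding (21) -> consumer (20) by name. A permanent subscription
    whose CommandLine/ActiveScript consumer launches a script host is the classic fileless
    persistence; WmiPrvSE.exe runs it as SYSTEM. Bindings to benign consumers are skipped."""
    filters = {e["Name"]: e for e in events if e.get("EventID") == 19}
    consumers = {e["Name"]: e for e in events if e.get("EventID") == 20}
    hits = []
    for e in events:
        if e.get("EventID") != 21:
            continue
        fm, cm = WMI_NAME_RE.search(e["Filter"]), WMI_NAME_RE.search(e["Consumer"])
        if not (fm and cm):
            continue
        consumer = consumers.get(cm.group(1))
        if (consumer and consumer["Type"] in ("Command Line", "Script")
                and _runs_script_host(consumer["Destination"])):
            query = filters.get(fm.group(1), {}).get("Query", "<filter event not seen>")
            hits.append({"filter": fm.group(1), "query": query,
                         "consumer": cm.group(1), "command": consumer["Destination"]})
    return hits


def run_key_script_hosts(events):
    """Run/RunOnce values whose data launches a script host."""
    return [(e["TargetObject"], e["Details"]) for e in events
            if e.get("EventID") == 13 and RUN_KEY_RE.search(e["TargetObject"])
            and _runs_script_host(e["Details"])]


def hunt(events):
    return {
        "outlook_spawned_script_host": outlook_spawned_script_hosts(events),
        "outlook_homepage_url": outlook_homepage_urls(events),
        "wmi_subscription_script_host": wmi_script_host_subscriptions(events),
        "run_key_script_host": run_key_script_hosts(events),
    }


if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

In production the events come from Sysmon or an EDR rather than a list literal. The Outlook-to-PowerShell parent/child relationship is the highest-signal item and needs no join; the WMI check deliberately requires all three events (filter, consumer, binding) so that a lone filter created by legitimate software does not fire, which also means it misses a binding whose consumer event was not collected.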
Command and Control
2 techniques
Application Layer Protocol: Web Protocols (T1071.001). POWERTON communicates with its C2 over HTTP/HTTPS, the most common C2 transport in the corpus; e.g., "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
Encrypted Channel: Symmetric Cryptography (T1573.001). POWERTON's C2 traffic is AES-encrypted, consistent with the group-level note that "APT33 has used AES for encryption of command and control traffic." Other families in the corpus show the same pattern with different ciphers: "3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."
Recent activity
Summaries from the 12 tracked sources (advisories, community write-ups, and news):
Custom dropper used to deploy additional payloads in targeted intrusions, including campaigns against satellite communications-related targets.
Custom dropper malware used by Peach Sandstorm (APT33) to facilitate further payload delivery and persistence.
Custom PowerShell backdoor executed from the Outlook process after Outlook Home Page exploitation; used to establish persistence (e.g., WMI event subscription, registry autoruns) and enable follow-on payload installation and post-compromise activity.
Backdoor written in PowerShell.