MalwareUsed by 3 actors

TookPS

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

TA505

Using fraudulent GitHub repositories to distribute malicious batch script installers masquerading as legitimate IT and security software, leading to the deployment of the TookPS downloader, which then initiates a multi-stage infection chain to establish persistent remote access using SSH reverse tunnels and RATs like MineBridge RAT (aka TeviRAT).

via the hacker newsthehackernews.com

FIN11

via the hacker newsthehackernews.com

Rift Brigantine

via the hacker newsthehackernews.com

MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1189Drive-by CompromiseEvidence1

We identified fraudulent websites mimic official sources for remote desktop and 3D modeling software, alongside pages offering these applications as free downloads.

Execution

1 technique

T1059.001PowerShellEvidence1

Upon infiltrating a victim’s device, the downloader reaches out to its C2 server, whose domain is embedded in its code, to retrieve a PowerShell script.

Stealth

2 techniques

T1027Obfuscated Files or InformationEvidence1

It received the following base64-encoded command from that domain... The variable “$TookEnc” stores an additional base64-encoded data block, also executed in PowerShell.

T1036MasqueradingEvidence1

We identified fraudulent websites mimic official sources for remote desktop and 3D modeling software, alongside pages offering these applications as free downloads.

Lateral Movement

1 technique

T1021.004SSHEvidence1

This command starts an SSH server, thereby establishing a tunnel between the infected device and the remote server.

Command and Control

4 techniques

T1090.002External ProxyEvidence1

This command starts an SSH server, thereby establishing a tunnel between the infected device and the remote server.

T1090.003Multi-hop ProxyEvidence1

...establish persistent remote access using SSH reverse tunnels and RATs like MineBridge RAT (aka TeviRAT).

T1105Ingress Tool TransferEvidence1

These commands sequentially download and execute three PowerShell scripts from the specified URL. The first script downloads “sshd.exe”, its configuration file (“config”), and an RSA key file from the C2 server.

T1219Remote Access ToolsEvidence1

...leading to the deployment of the TookPS downloader, which then initiates a multi-stage infection chain to establish persistent remote access using SSH reverse tunnels and RATs like MineBridge RAT (aka TeviRAT).

INDICATORS OF COMPROMISE

IOCs tracked for this family

36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

18 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

18 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app5 years ago

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

the hacker newsNews

Apr 28, 2026

Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign

A downloader delivered via fraudulent GitHub repositories and malicious batch installers, used to start a multi-stage infection chain that establishes persistent remote access.

securelistNews

May 13, 2021

TookPS distributed under the guise of UltraViewer, AutoCAD, and Ableton | Securelist

A Trojan downloader that contacts an embedded C2 domain to retrieve and execute PowerShell scripts. Those scripts download and run sshd-based tunneling components and additional backdoors, giving attackers covert and persistent remote access.

securelistNews

May 13, 2021

Stealers and backdoors are spreading under the guise of a DeepSeek client | Securelist

A Trojan downloader delivered via fake DeepSeek websites. When executed, it contacts malicious URLs, receives commands executed via cmd, commonly launches PowerShell with a Base64-encoded script, downloads a second-stage PowerShell script, and enables SSH with attacker-controlled keys for remote access.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching36

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping9

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.