Vibe-Coded Malware Caught in Active Directory Attack
Huntress found a threat actor using vibe-coded PowerShell to map an Active Directory network
PowerShell is Microsoft's task-automation shell and scripting platform, whose capabilities affect endpoint administration, abuse, and security controls.
Search across headline titles and summaries.
Background for this topic.
PowerShell is a command-line shell and scripting language for automating administration and configuration. It began as a Windows technology and is also available on Linux and macOS; its security-relevant features include access to operating-system APIs, scripting, and remote management. Administrators and defenders use it for tasks such as configuration enforcement, log analysis, and investigation.
Because PowerShell can download, decode, and execute scripts and use trusted administrative interfaces, attackers may abuse it for execution, persistence, credential access, or lateral movement, especially after obtaining valid permissions. PowerShell itself is not inherently malicious or a universal antivirus bypass. Useful controls include applying updates to the relevant PowerShell edition and its runtime, limiting script and remoting privileges, and enabling detailed logging such as script-block and transcription logs. Security teams can correlate those records with process, authentication, and network telemetry; controls such as application allowlisting and constrained language mode can further reduce abuse, while preserving required administrative workflows.
Weekly headline count for the current query.
Huntress found a threat actor using vibe-coded PowerShell to map an Active Directory network
FortiGuard Labs detailed a PureLogs campaign using JavaScript, PowerShell and process hollowing
Ontinue uncovers fake Claude Code installer pushing PowerShell stealer abusing Chrome's IElevator2
LNK files use GitHub C2, embedded decoders and PowerShell for persistence and data exfiltration
A new campaign has been observed using malicious Windows shortcuts in credential-themed ZIP files to deploy PowerShell script
FileFix campaign hides PowerShell script and encrypted EXEs in JPGs via multilingual phishing
A multi-stage attack delivered via USB devices has been observed installing cryptomining malware using DLL hijacking and PowerShell
An ongoing malware campaign has been observed using malvertising to deliver PS1Bot, a PowerShell-based framework
A stealthy fileless PowerShell attack using Remcos RAT bypassed antivirus by operating in memory
Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT via malicious PowerShell commands, according to HP
LummaC2, a C-based MaaS tool first identified in 2022, has resurfaced to exfiltrate credentials and personal data
TA453, also known as Charming Kitten, launched a targeted phishing attack using PowerShell malware BlackSmith
The OneDrive campaign uses social engineering to trick users into executing a PowerShell script
Walmart detailed findings about an unknown PowerShell backdoor, which was potentially utilized alongside a new Zloader variant
Proofpoint said it is the first time this threat actor has been seen using LLM-generated PowerShell scripts
Aqua Nautilus exposed naming policy, ownership verification and module exposure vulnerabilities
Adlumin said the malware combines elements of off-the-shelf threats and APT tactics
The attackers modified the Blast Secure Gateway component of the application using PowerShell code