PART 2 - From a New Year's surprise to a bag of coal - Analysis of mystery PowerShell (Never trust LLMs)

sec0wn.blogspot.com · Mo Bustami · 2 months ago · research
January 12, 2026

As shown in my last blog, I took the time to analyze a very complicated, annoying and heavily obfuscated PowerShell script that resulted in a payload which the LLM I was using as my intern indicated might be related to a Red Team or Offensive Security course. This did not sit well with me, and my doubt was cemented further when one of my trusted friends also nudged me about the domains that dropped this PowerShell. Sooooo, this blog will be short, but it is more to share the full picture and probably ask the community whether they have seen these types of files, what they could be, and whether they are associated with a certain campaign. The rabbit hole was deeeeeeep and with many tentacles here, as the more I looked into it, the more complicated and cumbersome it became.

Let us recap:

1- The initial PS script, according to VT, is being dropped from [random_sub_domain].fd-api-iris-s-mn-com/.in/.net.

2- Once it is run, it goes through multiple layers of deobfuscation that we explained in the previous blog, ending with the ~94KB payload from a byte array that was embedded in the last layer of obfuscation.

3- I currently do not have an environment to analyze these samples and look at them dynamically, and based on my limited knowledge, all attempts at manual static analysis are failing. I am probably missing something, but based on the fact that these are raw shellcode, I imagine they need to be run dynamically to actually get to the configuration and any IoCs. But I am happy to be informed and educated; I will attach hashes to these files and also upload them to VT.

Re-visiting this allowed me to find some potential missing pieces of the puzzle. For example, I was able to find another simple PS script that seems to be the one that grabs the first-level PowerShell. See below, where you can see both the obfuscated and the deobfuscated versions.

The deobfuscated code shows that the script uses a bit of randomness to pick the subdomain. Having said that, I am not certain whether this is the one that grabs the initial PS or whether it delivers a different PS, as the VT results below show a different size and type of PS than the one I have been analyzing.

So, let's recap again and provide some hashes for folks to go and dive into this or expand the hunts.

Initial PowerShell from the first blog and similar samples:

8bab6fbed08c3d8d45512b09126dc39bbf02eca8c5a92655baca7ae7dbfb1b4a - this is the sample from the previous blog
58a5fef2a2dac66bffca6c3c189dd14da4180e204f14919513cea0fa2fd6127d
0e00d1e3c49a9fd8170593561dfdaf8b0ff197144c41343b326d6823fd72268c
3bb9104274526d19c0452ae05e1e09960486dce8789a04b48f92ff2b3f1d99e4
9c35e9f637365706c00acaa050a4510adfcb47e7052b870c6d07f6d4464ac2d2 - this is the latest one to trigger my rule; it is slightly modified in layer 2, does not use Base64, and relies solely on byte array and XOR obfuscation.

Payload hashes / raw shellcode output from the above scripts (HELP NEEDED):

18dad9cb91fb97a817e00fa0cd1cb9ab59f672b8ddab29f72708787f19bf6aa1
abc191cb82bf00922dc53257de0e6957f642f4e3c006838a7c1e0871d294da23
1ca0b3da2b04789d9efb227d8aca949a28abda850b576c3a5275e063d3016077

VT searches for additional artifacts:

name:ce7604801a0fcc415f78e576cf1be929
name:f3aa41ea3704b453e7d012f9dd1d3d1d - note: two of the files (size ~6.7MB) in here I think are different and not directly related; a quick look into them suggests they could be leading to GuLoader rather than to what the above files are trying to deliver.
entity:url url:f3aa41ea3704b453e7d012f9dd1d3d1d - this search shows you the different subdomains
content:"0AYwBvAG0ALgBpAG4ALgBuAGUAdAA"
entity:url url:8f0b3df4e0aadf775c9bc934f53b2d17

Domains & URLs (there are probably more):

int-api527-service75-discovery2-registry782-72core-xp03[.]in[.]net
q67j6c2zqxim4zgugydc-api-svc-fd[.]state-manager-cache-mn02[.]in[.]net
4e0aadf775c9md5kcgmjzj3md5r[.]engine10-authz-prd[.]in[.]net
mp[.]fd147-api5-control-plane80-routing-mesh-prd-az1[.]in[.]net
jsgmjzj3md5kcr[.]152api-svc5-fd8-telemetry-metrics-collector-node050[.]in[.]net
jsgmjzj3mdax2i9hcbm5re9a2e52hhv4jp5kcr[.]152api-svc5-fd8-telemetry-metrics-collector-node050[.]in[.]net
fd147-api5-control-plane80-routing-mesh-prd-az1[.]in[.]net
[random_sub_domain].fd-api-iris-s-mn-com/.in/.net

Hashes of other PowerShell scripts that I do NOT think are associated with this but share similar obfuscation:

7bd8b9056db12f79cfd1c61f233c7798339e8bde2a2b831352a870e65f7de0c6
5664cc8ddbdea1b722ef0dfe2e9557c25d2fb5c76810aa634bbc90ad3d8946a6
0ceedc8bf1f4aa605ac2006bf6d56deb6349e2c0c50a50ddd028c13906735cc1
90e0e7f0ed8bbf842e2628957ec5612c269b8551b7b42f60c2532055aa59fb3f
01f380dd02debe88f51f3de68a228fccaa2f1cea64c211b93ca35a820f4da341

If anyone is able to let me know what this shellcode does, whether it is a Cobalt Strike loader or something else, and extract the configuration, please hit me up on X and feel free to share with the community.
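Recap item 2 and the note on the 9c35... sample describe a layer that is nothing more than a byte array XORed with a constant. The helper below is an added example (my own code, not from the post or from any of the samples) showing how an analyst can unwrap such a layer statically, without executing the script, and fingerprint the result so its sha256 can be compared against the payload hashes listed above. The PowerShell fragment it parses is constructed for the example, and the single-literal `-bxor` key extraction is an assumption: real samples may compute or rotate the key, in which case it has to be supplied by hand.

```python
import hashlib
import math
import re

# Constructed stand-in for a "layer 2" fragment of the kind described in the
# post: a byte array literal plus an XOR against a constant. This text is made
# up for the example; the real scripts are not reproduced here.
SAMPLE_LAYER2 = r"""
[byte[]]$b = 0x32,0x3f,0x36,0x36,0x35,0x7a,0x2d,0x35,0x28,0x36,0x3e,0x7b
for ($i = 0; $i -lt $b.Length; $i++) { $b[$i] = $b[$i] -bxor 0x5A }
"""

_INT = r"(?:0x[0-9a-fA-F]{1,2}|\d{1,3})"
BYTE_ARRAY_RE = re.compile(r"\[byte\[\]\]\s*\$\w+\s*=\s*(" + _INT + r"(?:\s*,\s*" + _INT + r")*)")
XOR_KEY_RE = re.compile(r"-bxor\s+(0x[0-9a-fA-F]+|\d+)")


def _lit(tok: str) -> int:
    """Parse a PowerShell integer literal, hex (0x..) or decimal."""
    tok = tok.strip()
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def extract_byte_array(script: str) -> bytes:
    """Pull the first [byte[]] literal out of the script text without running it."""
    m = BYTE_ARRAY_RE.search(script)
    if not m:
        raise ValueError("no [byte[]] literal found")
    return bytes(_lit(tok) for tok in m.group(1).split(","))


def extract_xor_key(script: str) -> bytes:
    """Recover a constant single-literal XOR key (assumption: the key is a literal operand of -bxor)."""
    m = XOR_KEY_RE.search(script)
    if not m:
        raise ValueError("no constant -bxor operand found; supply the key manually")
    return bytes([_lit(m.group(1)) & 0xFF])


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; a one-byte key is the degenerate case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted payloads sit near 8, plaintext much lower."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_layer(script: str) -> bytes:
    """Statically unwrap one byte-array + XOR layer and return the decoded bytes."""
    return xor_bytes(extract_byte_array(script), extract_xor_key(script))


def fingerprint(payload: bytes) -> dict:
    """What to record before sharing a decoded layer: size, sha256 (to compare with
    the hashes in the post), entropy, and whether it carries a PE header (raw
    shellcode normally does not)."""
    return {
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "entropy": round(shannon_entropy(payload), 3),
        "looks_like_pe": payload[:2] == b"MZ",
    }


if __name__ == "__main__":
    decoded = decode_layer(SAMPLE_LAYER2)
    print(decoded)
    print(fingerprint(decoded))
```

On a real sample the output of one layer is usually the input of the next, so `decode_layer` is meant to be applied repeatedly until the remaining bytes no longer look like PowerShell; the `fingerprint` of that final blob is what to post alongside a request for help.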
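The `content:` search above is a base64 substring; everything after its first two characters decodes, as UTF-16LE (the encoding PowerShell uses for -EncodedCommand), to com.in.net. The helper below is an added example, not code from the post, for working with such searches: it produces the three alignment-trimmed base64 variants of any string (base64 encodes three-byte groups, so a string lands in one of three alignments depending on what precedes it) and decodes a fragment of unknown alignment back to text. The only input taken from the post is the quoted search string; the rest is constructed.

```python
import base64
import string

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def utf16le_b64_variants(needle: str) -> list:
    """Base64 substrings that match `needle` (as UTF-16LE) wherever it sits
    inside a larger encoded blob. For each of the three alignments, the
    characters that also depend on unknown neighbouring bytes are trimmed."""
    raw = needle.encode("utf-16-le")
    variants = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + raw).decode().rstrip("=")
        lead = (0, 2, 3)[pad]                      # chars tainted by the unknown leading bytes
        tail = 1 if (pad + len(raw)) % 3 else 0    # last char also depends on the next byte
        variants.append(enc[lead:len(enc) - tail])
    return variants


def decode_utf16_b64_fragment(fragment: str) -> str:
    """Best-effort decode of a base64 substring of unknown alignment. Tries every
    leading offset and both UTF-16 byte phases and keeps the candidate with the
    most printable characters."""
    best, best_score = "", -1
    for skip in range(4):
        s = fragment[skip:]
        if len(s) % 4 == 1:          # a single dangling char carries no whole byte
            s = s[:-1]
        s += "=" * (-len(s) % 4)
        try:
            data = base64.b64decode(s)
        except ValueError:
            continue
        for phase in range(2):
            chunk = data[phase:]
            chunk = chunk[: len(chunk) - len(chunk) % 2]
            text = chunk.decode("utf-16-le", errors="replace")
            score = sum(1 if ch in PRINTABLE else -1 for ch in text)
            if score > best_score:
                best, best_score = text, score
    return best


if __name__ == "__main__":
    # The search from the post, and the terms one would generate to hunt the same string.
    print(decode_utf16_b64_fragment("0AYwBvAG0ALgBpAG4ALgBuAGUAdAA"))
    for v in utf16le_b64_variants("com.in.net"):
        print('content:"%s"' % v)
```

The first variant returned for "com.in.net" is exactly the stable core of the post's search string; the other two cover the same string at the two remaining alignments, which a single search would miss.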