PSLoaderDLL
PowerShell loader DLL that uses WMI (process call create) to launch PowerShell with -executionpolicy bypass -nop -w hidden. Communicates over HTTP multipart POST, camouflaged with a macOS Chrome 102 User-Agent and a fake Origin/Referer of null.jsbin.com. Creates custom .tpp0/.tpp1 files and uses a WebKit form boundary for file uploads.
Threat Profile
Type: Loader
Programming Language: C/C++
C2 Protocol: HTTP
First Seen: 2024
Targets: Global
Purpose / Capabilities
- Loader/Dropper
No C2 servers have been identified for this family yet.
Research Reports (1)
PSLoaderDLL 05c72e77 -- WMI PowerShell bypass nop hidden Execution HTTP Multipart POST macOS Chrome User-Agent null.jsbin.com Fake Origin tpp0 tpp1 Custom Extension | High
PSLoaderDLL 05c72e77: PE32 DLL, x86, 413KB. WMI process call create launches PowerShell with -bypass -nop -hidden. HTTP multipart POST with macOS Chrome UA. Origin: null.jsbin.com. Custom .tpp0/.tpp1 extensions.