ioc · name

POWERSOURCE

PowerShell-based downloader (a.k.a. heavily modified DNSMessenger) tracked by MITRE ATT&CK as S0145 and attributed to FIN7. Used as a first-stage stager in 2017-era FIN7 phishing campaigns to retrieve the TEXTMATE and Carbanak follow-on payloads.

family: POWERSOURCE
first seen: Jan 31, 2017
publisher: MITRE ATT&CK

source citation