PowerModul
PowerModul is a PowerShell implant/loader identified in GOFFEE intrusions and first observed in early 2024, with documented use in targeted attacks against organizations in Russia during the second half of 2024. Kaspersky attributes the related campaign to GOFFEE with high confidence. The actor targeted Russian organizations in the media, telecommunications, construction, government, and energy sectors.
Observed initial access relied on targeted phishing emails carrying malicious RAR archives. One chain used Microsoft Office documents with malicious VBA macros that displayed garbled text and prompted the victim to enable content. The macro created an HTA file and a PowerShell file in the user directory, persisted execution via HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD, and launched JavaScript that executed the PowerModul payload stored as UserCache.ini. Another related GOFFEE chain used disguised executables such as patched explorer.exe or xpsrchvw.exe, although the source report specifically ties PowerModul to the macro/HTA/JavaScript/PowerShell chain.
PowerModul retrieves additional PowerShell payloads from command-and-control infrastructure and executes them. It was classified as a separate malware family from PowerTaskel because it used a distinct protocol, payload types, and C2 server. PowerModul appends an infected-host identifier composed of the computer name, username, and disk serial number to its C2 URL, and it receives XML-formatted responses containing Base64-encoded scripts. It also contains a previously undescribed OfflineWorker() function that decodes and executes embedded content when present.
Observed follow-on payloads delivered by PowerModul include PowerTaskel, FlashFileGrabber, and USB Worm. FlashFileGrabber/FlashFileGrabberOffline steals files from removable media based on a hardcoded extension list, stores copied files under %TEMP%\CacheStore\connect<VolumeSerialNumber>, tracks metadata in ftree.db and internal_profiles.db, and can exfiltrate collected files to C2. USB Worm propagates via removable drives by hiding original files, copying PowerModul as UserCache.ini, and creating hidden VBS, BAT, and shortcut files to execute the malware and open decoy documents.
Known sample identifiers directly mentioned in the source report include MD5 60A53D2C653991F086C4E6663D652CF2 and SHA256 BE1D0FAF1C253FAACBA1059971B01D1D646256D7B2E557DA55ED059542AFDBCD for a PowerModul sample stored as UserCache.ini. Related filenames and artifacts include UserCache.ini and UserCacheHelper.lnk.js, and the persistence registry value HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD.
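The artifacts above translate directly into host and proxy hunting logic. The script below is an added example for this profile, not code from Kaspersky's report or from Mallory: it runs four checks over a handful of constructed Sysmon-style events (the LOAD autostart value, the UserCache.ini / UserCacheHelper.lnk.js filenames, the %TEMP%\CacheStore\connect<serial> staging path, and the two published hashes) and a fourth, looser heuristic for the C2 host identifier. The report says that identifier is built from computer name, username and disk serial number but does not give its exact format, so the URL check only requires that the host and user names both appear in a request URL; the sample event values (paths, hostname, URL) are constructed and are not indicators.

```python
"""Hunt PowerModul-style artifacts in constructed Sysmon-like events (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Hashes quoted in the profile for the UserCache.ini sample (compared lowercase).
KNOWN_MD5 = {"60a53d2c653991f086c4e6663d652cf2"}
KNOWN_SHA256 = {"be1d0faf1c253faacba1059971b01d1d646256d7b2e557da55ed059542afdbcd"}

# Filenames named in the profile.
SUSPECT_NAMES = {"usercache.ini", "usercachehelper.lnk.js"}

# Registry key whose LOAD value runs programs for the logged-on user.
LOAD_KEY_RE = re.compile(r"\\software\\microsoft\\windows nt\\currentversion\\windows$", re.I)
# FlashFileGrabber staging directory: %TEMP%\CacheStore\connect<VolumeSerialNumber>.
CACHESTORE_RE = re.compile(r"\\cachestore\\connect[0-9a-f]+", re.I)

Event = Dict[str, str]
Hit = Tuple[str, str]  # (rule id, human-readable detail)


def check_registry(ev: Event) -> Optional[Hit]:
    """Flag any write to the LOAD value of the Windows NT\\CurrentVersion\\Windows key."""
    if ev.get("type") != "registry_set":
        return None
    if LOAD_KEY_RE.search(ev["key"]) and ev.get("value", "").lower() == "load":
        return ("PM-REG-LOAD", f"LOAD autostart set by {ev.get('image', '?')}: {ev.get('data', '')}")
    return None


def check_file(ev: Event) -> Optional[Hit]:
    """Flag known PowerModul filenames and the FlashFileGrabber staging path."""
    if ev.get("type") != "file_create":
        return None
    path = ev["path"]
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SUSPECT_NAMES:
        return ("PM-FILE-NAME", f"known PowerModul filename created: {path}")
    if CACHESTORE_RE.search(path):
        return ("PM-FILE-CACHESTORE", f"FlashFileGrabber staging path used: {path}")
    return None


def check_hash(ev: Event) -> Optional[Hit]:
    """Flag files whose MD5 or SHA256 matches the published sample."""
    if ev.get("type") != "file_hash":
        return None
    if ev.get("md5", "").lower() in KNOWN_MD5 or ev.get("sha256", "").lower() in KNOWN_SHA256:
        return ("PM-HASH", f"published PowerModul sample hash seen at {ev.get('path', '?')}")
    return None


def check_url(ev: Event, hostname: str, username: str) -> Optional[Hit]:
    """Heuristic: a request URL carrying both the computer name and the user name.

    ASSUMPTION: the profile does not give the identifier's separator or order, so this
    check is deliberately loose and will need tuning against local proxy logs.
    """
    if ev.get("type") != "proxy":
        return None
    url = ev["url"].lower()
    if hostname.lower() in url and username.lower() in url:
        return ("PM-C2-HOSTID", f"host identifier embedded in request URL: {ev['url']}")
    return None


def hunt(events: List[Event], hostname: str, username: str) -> List[Hit]:
    """Run every check over every event and collect the hits."""
    hits: List[Hit] = []
    for ev in events:
        for check in (check_registry, check_file, check_hash):
            hit = check(ev)
            if hit:
                hits.append(hit)
        hit = check_url(ev, hostname, username)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample events for a host named WS-ALICE-01 with user alice; none are real telemetry.
SAMPLE_EVENTS: List[Event] = [
    {"type": "registry_set", "image": "WINWORD.EXE",
     "key": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "value": "LOAD", "data": r"C:\Users\alice\AppData\Roaming\placeholder.hta"},  # HTA path assumed
    {"type": "registry_set", "image": "OneDrive.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "file_create", "image": "WINWORD.EXE", "path": r"C:\Users\alice\UserCache.ini"},
    {"type": "file_create", "image": "cmd.exe", "path": r"C:\Users\alice\UserCacheHelper.lnk.js"},
    {"type": "file_create", "image": "powershell.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\CacheStore\connect1A2B3C4D\report.docx"},
    {"type": "file_create", "image": "notepad.exe", "path": r"C:\Users\alice\Documents\notes.txt"},
    {"type": "file_hash", "path": r"C:\Users\alice\UserCache.ini",
     "md5": "60A53D2C653991F086C4E6663D652CF2"},
    {"type": "proxy", "url": "http://c2.example.invalid/update?id=WS-ALICE-01_alice_1A2B3C4D"},
    {"type": "proxy", "url": "https://www.example.com/index.html"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS, "WS-ALICE-01", "alice"):
        print(f"[{rule}] {detail}")
```

Feeding real Sysmon Event ID 13 (registry value set), 11 (file create) and proxy records into the same dict shape is enough to run this against live data; the LOAD value check in particular is low-noise because few legitimate installers touch that value.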
Groups observed using it
1 distinct threat actor attributed by public researchers.
During the second half of 2024, GOFFEE continued to launch targeted attacks against organizations in Russia, utilizing PowerTaskel, a non-public Mythic agent written in PowerShell, and introducing a new implant that we dubbed “PowerModul”.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
USB Worm is capable of infecting removable media with a copy of PowerModul... The worm renames the files on the removable disk... copies PowerModul... creates hidden VBS and batch files... A shortcut is also created with the original name of the decoy document.
The starting point is typically a phishing email with a malicious attachment... The first infection scheme uses a RAR archive with an executable file masquerading as a document... In the second case, the RAR archive contains a Microsoft Office document with a macro that serves as a dropper.
Execution
5 techniques
The malicious HTA runs a PowerShell script... The “UserCacheHelper.lnk.js” file launches a PowerShell file named “UserCache.ini”... PowerModul is a PowerShell script capable of receiving and executing additional PowerShell scripts from the C2 server.
...it first uses cmd.exe and output redirection to drop a JavaScript file named “UserCacheHelper.lnk.js” onto the disk...
The RAR archive contains a Microsoft Office document with a macro that serves as a dropper... Clicking “Enable Content” activates a macro...
Persistence
1 technique
...the macro creates two files... and writes the HTA into the registry using the “LOAD” registry value of the “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows” registry key... the programs listed in the “LOAD” value of the registry key are run automatically for the currently logged-on user.
Privilege Escalation
1 technique
...the macro creates two files... and writes the HTA into the registry using the “LOAD” registry value of the “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows” registry key... the programs listed in the “LOAD” value of the registry key are run automatically for the currently logged-on user.
Stealth
3 techniques
The shellcode... contains an obfuscated Mythic agent... the PowerModul code is embedded in the “UserCache.ini” file as a Base64-encoded string... request payloads are... encoded using XOR... and then converted to Base64.
Lateral Movement
1 technique
USB Worm is capable of infecting removable media with a copy of PowerModul... The worm renames the files on the removable disk... copies PowerModul... creates hidden VBS and batch files... A shortcut is also created with the original name of the decoy document.
Command and Control
2 techniques
When accessing the C2, PowerModul appends an infected system identifier string to the C2 URL... The response from the C2 is in XML format...
PowerModul is a PowerShell script capable of receiving and executing additional PowerShell scripts from the C2 server... Initially, it was used to download and launch the PowerTaskel implant... user.txt is another PowerShell script whose task is to extract a payload from a hardcoded address and execute it.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Implant used in targeted attacks against Russian entities across multiple sectors (July-Dec 2024).
Implant referenced in the GOFFEE campaign (H2 2024) alongside a shift to a binary Mythic agent; specific capabilities are not detailed in the provided content.
A PowerShell implant capable of receiving additional PowerShell scripts from the command-and-control server and executing them. It was used as a loader for PowerTaskel, FlashFileGrabber, and USB Worm; it has an OfflineWorker function for executing an embedded payload.
A PowerShell script that communicates with a dedicated C2, receives and executes additional PowerShell scripts, and was initially used to download and launch PowerTaskel. It can also carry an offline execution function and deliver other tools such as FlashFileGrabber and USB Worm.