Undetectable PowerShell backdoor discovered hiding as Windows update
SafeBreach researchers identified the backdoor, which they say went undetected on all major antivirus programs
Cyber security firm SafeBreach has warned of a fully undetectable (FUD) PowerShell backdoor using a novel attack methodology.
The vulnerability, which researchers discovered in the wild, uses a PowerShell script to create a scheduled task in the victim’s system, disguised as a Windows update. To enhance the deception, the task executes a script named ‘updater.vbs’ from a fake update folder located in the victim’s appdata folder.
RELATED RESOURCE
Solve cyber resilience challenges with storage solutions
Fundamental capabilities of cyber-resilient IT infrastructure
SafeBreach noted that this novel vector of attack makes it particularly dangerous, as antivirus aggregator VirusTotal found the attack was able to bypass all security software tested. The backdoor has thus been marked as FUD in a blog post by SafeBreach.
Attacks originate with a Word document, named ‘Apply Form.docm’, containing a macro code that deploys a malicious PowerShell script. Researchers identified the document as having been created in August 2022 in Jordan. The file’s Metadata, containing the term ‘Linkedin based job application’, suggests a link to the phishing campaigns that have seen a surge on LinkedIn in 2022.
Prior to execution of the updater script, two separate PowerShell scripts titled ‘Script.ps1’ and ‘Temp.ps1’ are created, and their contents are stored in obfuscated form within text boxes in the Word document. Script1.ps1 is used to establish a connection with the malicious operator’s command and control (C2) server, seeking commands to be executed. Commands are sent in the form of Advanced Encryption Standard (AES) 256 CBC encrypted strings, which are then decrypted through the GCHQ-made web app CyberChef.
Commands begin with a value of 0,1 or 2, which each invoke different responses from the Temp.ps1 script. Those that begin with 0 will be executed, with the output then encrypted using the same key, and uploaded to a URL through the C2. Commands that begin with 1 are read from a path designated through the C2 and executed, while those that begin with 2 are written to a designated path and executed.
SafeBreach researchers identified the exact URL the script connects to, using an HTTP GET request. When contacted for the first time, this returns a unique victim ID. The first test run by the team returned the number 70, leading to the conclusion that approximately 69 victims have been affected by the backdoor so far. Through the coding flaw of these predictable IDs, researchers wrote a script acting like each prior victim, and recorded the C2 commands received.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Based on this information, SafeBreach has found that 66% of commands sent thus far have been data exfiltration requests, while a minority have sought to delete files from victims’ public folders, list files in their special folders, or return their IP address.
“Our research team believes this threat is significant because it is fully undetectable and was shown to bypass all the security vendors' scanners under VirusTotal.com,” Tomer Bar, director of security research at SafeBreach told IT Pro.
“We strongly recommend that all security teams use the indicators of compromise (IOCs) we identified to better detect and protect themselves against this threat. We also suggest that the security mistakes we discovered by this threat actor be used by blue teams in their future digital forensics and incident response (DFIR) investigations.”
SafeBreach has added coverage for this backdoor on its security platform, and has listed all of the IOCs and PowerShell scripts it discovered within its blog post declaring the risk.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.
-
Hackers are posing as Interpol to target small businessNews Small businesses are warned to think twice before clicking on links
-
Forward deployed engineers are big tech’s latest gambit to drive AI adoptionNews With Microsoft and AWS placing their faith in forward deployed engineers, enterprises will gain a helping hand with tricky AI adoption projects
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security