S1012: PowerLess

PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 2022.[1]

Domain: Enterprise · ID: S1012 · Type: Malware · Object version 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

PowerLess matters because ATT&CK describes it as a Windows, PowerShell-based modular backdoor associated with Magic Hound use since at least 2022. For leaders, the practical issue is not the malware name itself; it is whether the organization can see and contain PowerShell-driven execution, local data collection, credential capture through keylogging, staging/archiving of data, and encrypted command-and-control activity on Windows systems.

Executive priority

Treat this as a validation point for Windows endpoint visibility, PowerShell governance, and incident response readiness. The ATT&CK relationships show behaviors tied to execution, discovery, collection, credential access, local staging, tool transfer, and encrypted C2. Executives should ask whether SOC teams can produce evidence for PowerShell activity, suspicious file staging/archive creation, browser-data discovery, and outbound encrypted communications from endpoints, especially for users or business units where espionage-driven data access would create material risk.

Technical view

ATT&CK provides no dedicated detection text for PowerLess, so defenders should build coverage from the related techniques: T1059.001 PowerShell, T1056.001 Keylogging, T1005 Data from Local System, T1217 Browser Information Discovery, T1074.001 Local Data Staging, T1560 Archive Collected Data, T1105 Ingress Tool Transfer, T1140 Deobfuscate/Decode Files or Information, and T1573 Encrypted Channel. Because the malware platform is listed as Windows, prioritize Windows endpoint telemetry, script logging, process lineage, file activity, and network egress review. Hunt for behavior chains rather than a single indicator: PowerShell execution followed by local discovery or browser-related access, file aggregation or archive creation, decoding/deobfuscation activity, tool download/transfer, and encrypted outbound communication.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • PowerShell script block/module/transcription logs where enabled
  • Parent-child process relationships involving PowerShell and user applications
  • File system activity showing collection, staging directories, archive creation, or encoded/decoded artifacts
  • Browser profile, history, credential store, or configuration access events where available

Detection direction

  • Validate that PowerShell logging and endpoint command-line capture are enabled on Windows systems and retained long enough for investigations.
  • Correlate PowerShell execution with subsequent collection behaviors such as local file access, browser information discovery, data staging, and archive creation.
  • Tune for suspicious sequences and context rather than generic PowerShell alone, because administrative use can create false positives.
  • Review blind spots around encrypted C2: TLS or other encrypted traffic may hide content, so rely on endpoint context, destination reputation, frequency, and unusual process-to-network behavior.
  • Confirm whether endpoint tooling can surface keylogging-like behavior; absence of this visibility should be treated as a coverage gap, not evidence of absence.

Mitigation priorities

  • Reduce unnecessary PowerShell exposure and enforce approved administrative patterns on Windows systems.
  • Improve script execution control, logging, and alert triage before relying on detections for this malware family.
  • Harden endpoints against unauthorized tool transfer, decoding/deobfuscation utilities used in suspicious contexts, and unapproved archive creation in sensitive locations.
  • Apply least privilege and protect credentials because the related behaviors include keylogging and collection activity.
  • Segment and monitor sensitive systems so local collection and staging are more likely to be noticed before exfiltration-related activity.

Analyst notes and limits

This take is based on the official ATT&CK software object for PowerLess, its Windows platform field, the official description identifying it as a PowerShell-based modular backdoor, and the supplied relationships to Magic Hound and related ATT&CK techniques. The most useful defensive value comes from validating telemetry and control coverage across the related behavior chain rather than treating PowerLess as a standalone signature problem.

ATT&CK provides no official detection guidance, aliases, labels, or malware tactics for this object. Relationship technique platform lists include non-Windows platforms, but the PowerLess software object itself is listed for Windows; platform-specific conclusions here are therefore limited to Windows for this malware. Local environment data is required to assess actual exposure, detection coverage, and incident relevance.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1056.001 | Keylogging (sub-technique)
    PowerLess can use a module to log keystrokes. [1]

Enterprise | T1217 | Browser Information Discovery
    PowerLess has a browser info stealer module that can read Chrome and Edge browser database files. [1]

Enterprise | T1105 | Ingress Tool Transfer
    PowerLess can download additional payloads to a compromised host. [1]

Enterprise | T1005 | Data from Local System
    PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines. [1]

Enterprise | T1573 | Encrypted Channel
    PowerLess can use an encrypted channel for C2 communications. [1]

Enterprise | T1074.001 | Local Data Staging (sub-technique)
    PowerLess can stage stolen browser data in `C:\Windows\Temp\cup.tmp` and keylogger data in `C:\Windows\Temp\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK`. [1]

Enterprise | T1560 | Archive Collected Data
    PowerLess can encrypt browser database files prior to exfiltration. [1]

Enterprise | T1059.001 | PowerShell (sub-technique)
    PowerLess is written in and executed via PowerShell without using powershell.exe. [1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
    PowerLess can use base64 and AES ECB decryption prior to execution of downloaded modules. [1]
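As an added example (not code from the page, Glexia, MITRE or the Cybereason report), this correlates the behavior chain the Detection direction section asks for over constructed endpoint telemetry: a process that loads the PowerShell engine outside powershell.exe (the T1059.001 row), then writes to one of the staging paths in the T1074.001 row, then makes an outbound connection. The record layout, the sample process and DLL paths, and the 30-minute window are assumptions; routine powershell.exe use with no staging write deliberately does not fire.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Staging paths from the T1074.001 row; the keylogger report's GUID is matched as a pattern.
STAGING_PATTERNS = [
    re.compile(r"^C:\\Windows\\Temp\\cup\.tmp$", re.I),
    re.compile(r"^C:\\Windows\\Temp\\Report\.[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}K$", re.I),
]
PS_RUNTIME = "system.management.automation.dll"  # the PowerShell engine assembly

def classify(event):
    """Map one (ts, host, pid, kind, image, detail) record to a chain stage, or None."""
    _, _, _, kind, image, detail = event
    if kind == "image_load" and detail.lower().endswith(PS_RUNTIME):
        # T1059.001 row: PowerShell run without powershell.exe = engine inside another host process.
        return "ps_exe" if image.lower().endswith("\\powershell.exe") else "ps_hosted"
    if kind == "file_write" and any(p.match(detail) for p in STAGING_PATTERNS):
        return "staging"
    return "egress" if kind == "net_connect" else None

def correlate(events, window=timedelta(minutes=30)):
    """One alert per (host, pid) whose events show runtime load -> staging write -> egress,
    in that order within `window`. Runtime load alone (routine admin use) never fires."""
    by_proc = defaultdict(list)
    for e in sorted(events):
        stage = classify(e)
        if stage:
            by_proc[(e[1], e[2])].append((datetime.fromisoformat(e[0]), stage))
    alerts = []
    for (host, pid), stages in by_proc.items():
        start = next((t for t, s in stages if s.startswith("ps_")), None)
        if start is None:
            continue
        staged = [t for t, s in stages if s == "staging" and start <= t <= start + window]
        egress = [t for t, s in stages if s == "egress" and staged and staged[0] <= t <= start + window]
        if staged and egress:
            hosted = any(s == "ps_hosted" for _, s in stages)
            alerts.append({"host": host, "pid": pid, "severity": "high" if hosted else "medium"})
    return alerts

# Constructed sample telemetry (not real logs): WS01 shows the full chain from a non-PowerShell host; WS02 is admin powershell.exe use with no staging write.
PS_DLL = r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"
HOSTED = r"C:\Users\alice\AppData\Local\Temp\upd.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "WS01", 4120, "image_load", HOSTED, PS_DLL),
    ("2024-01-10T09:01:30", "WS01", 4120, "file_write", HOSTED, r"C:\Windows\Temp\cup.tmp"),
    ("2024-01-10T09:02:00", "WS01", 4120, "net_connect", HOSTED, "198.51.100.7:443"),
    ("2024-01-10T10:00:00", "WS02", 5000, "image_load", PWSH, PS_DLL),
    ("2024-01-10T10:00:05", "WS02", 5000, "net_connect", PWSH, "10.0.0.5:5985"),
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single high-severity alert for WS01 pid 4120 and nothing for the WS02 admin session; in production the staging and egress stages would be fed from file-activity and network telemetry keyed on the same process id.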

Associated objects

Groups, software, and campaigns

Group · Enterprise

G0059: Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 95dda2379bdf48f7...

Imported snapshots across ATT&CK releases (1)
Release 19.1 · Object version 1.1 · Status: current bundle · Raw hash 95dda2379bdf…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Cybereason PowerLess February 2022
     Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
  2. [2] mitre-attack S1012
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.