PowerDodder: The Stealthy New Tool That Hides Malware in Your Script Files
PowerDodder is a post-exploitation persistence utility designed to stealthily embed execution commands into existing script files on the host. By leveraging files that are frequently accessed but rarely modified, it targets high-likelihood execution vectors with minimal detection risk.
Background
Traditional persistence methods (e.g., Registry Run keys, scheduled tasks) are often monitored or flagged by EDRs and blue teams. PowerDodder takes a novel approach:
- It hunts for existing script files on disk (.ps1, .bat, .cmd, .vbs, .js).
- It prioritizes those that:
  - Have been accessed recently (indicating they're being executed often).
  - Haven't been modified recently (suggesting they're not actively edited).
- It lets you choose the target script(s), and then it appends a payload-spawning command using a context-appropriate syntax (PowerShell, VBScript, JScript, etc.).
This allows for low-noise persistence, hitching a ride on legitimate execution paths.
Name Origin
The name Dodder comes from a parasitic vine that attaches itself to host plants, slowly feeding off them without killing them — much like this tool latches onto host scripts for persistent execution.
Scans predefined folders (C:\Users\, C:\Program Files\, C:\Program Files (x86)\, C:\ProgramData\) for promising script files.
You can also target a specific folder:
Optional params:
- -LastAccessTimeThreshold: default is 7 days.
- -LastModifyTimeThreshold: default is 3 months.
You can set different thresholds like this:
This will:
- Create the appended line of your command based on the relevant template.
- Modify the file by appending the persistence command.
- Restore the original script LastWriteTime attribute to hide the modification.
- Move the infected script to the Infected list.
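Because the tool restores LastWriteTime after appending to a script, a defender cannot rely on timestamps to spot the change. The following is an added example, not part of PowerDodder, showing a content-hash baseline over the same script types and folders the tool scans; the baseline file location and parameter names are assumptions.

```powershell
# Added example (not PowerDodder code): baseline and compare SHA256 hashes of script files.
# A restored LastWriteTime does not change file content, so hash drift still shows the edit.
param(
    [string[]]$Roots = @('C:\Users', 'C:\Program Files', 'C:\Program Files (x86)', 'C:\ProgramData'),
    [string]$BaselinePath = "$env:ProgramData\script-baseline.json",  # assumed location
    [switch]$Update                                                   # rewrite the baseline
)

$extensions = @('.ps1', '.bat', '.cmd', '.vbs', '.js')

function Get-ScriptInventory {
    param([string[]]$Paths)
    $inventory = @{}
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $extensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $inventory[$_.FullName] = @{
                    Hash          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Length        = $_.Length
                    LastWriteTime = $_.LastWriteTimeUtc.ToString('o')
                }
            }
    }
    return $inventory
}

$current = Get-ScriptInventory -Paths $Roots

if ($Update -or -not (Test-Path -LiteralPath $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written: $($current.Count) scripts -> $BaselinePath"
    return
}

$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
foreach ($path in $current.Keys) {
    $old = $baseline.$path
    if ($null -eq $old) { Write-Warning "NEW script: $path"; continue }
    if ($old.Hash -ne $current[$path].Hash) {
        # Content changed. If LastWriteTime did not move, the timestamp was likely restored.
        $note = if ($old.LastWriteTime -eq $current[$path].LastWriteTime) {
            'LastWriteTime unchanged despite new content'
        } else { 'LastWriteTime changed' }
        Write-Warning "MODIFIED: $path (size $($old.Length) -> $($current[$path].Length); $note)"
    }
}
```

Run once with -Update on a known-good host to record the baseline, then schedule plain runs and review the warnings.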
DodderShow: Lists found candidates and already-infected files.
DodderClearCandidates: Empties the current candidates list (useful before rescanning).