A regionally targeted PowerShell-based campaign used phishing lures, obfuscation, and RAT delivery to infiltrate Israeli organizations. Learn how the attack chain worked—and how Fortinet blocked it.
Analysis Summary
# From ClickFix to Command: A Full PowerShell Attack Chain
A targeted PowerShell-based campaign against Israeli organizations combines layered obfuscation, RAT delivery, and MuddyWater-like tactics.
## Key Points
- The campaign used a multi-stage infection chain that runs entirely in PowerShell, with no external executables required.
- Obfuscated payloads were retrieved from actor-controlled infrastructure.
- Evidence of lateral movement and surveillance activity was observed.
- The tactics overlap with known MuddyWater campaigns, but attribution remains inconclusive.
## Threat Actors
- Attribution is inconclusive: the tactics overlap with MuddyWater activity, but the observed evidence does not support a confident link to a specific group.
## TTPs
- Fully PowerShell-based delivery chain.
- Layered obfuscation: double GZip compression, Base64 encoding, string reversal, and a URL-safe character substitution (`+` replaced with `_`).
- `Invoke-WebRequest` used to retrieve payload data from the actor-controlled server.
- Execution of a secondary PowerShell script to deploy a Remote Access Trojan (RAT).
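The decoding that the obfuscation layers above imply, as an added example written for this summary rather than code from the report or from the campaign. The report names the four layers but not the order they were applied in, so the order used here (GZip twice, then Base64, then `+` swapped for `_`, then string reversal) is an assumption; the sample payload is constructed offline from a benign PowerShell one-liner, and of the indicator names only `Invoke-WebRequest` comes from the report.

```python
"""Peel the obfuscation layers named in the TTPs above and flag indicator cmdlets.

Assumed layer order (the report lists the layers, not their order):
  script -> gzip -> gzip -> Base64 -> '+' replaced with '_' -> string reversed
Decoding runs those steps backwards, checking the GZip magic before each
decompression so a wrong-order guess fails loudly instead of yielding garbage.
"""
import base64
import gzip
import re

# Invoke-WebRequest is named in the report; the other three are assumed
# indicators of this kind of PowerShell chain, added for illustration.
INDICATORS = ("Invoke-WebRequest", "Invoke-Expression", "FromBase64String", "GZipStream")

# Constructed sample: a benign stand-in for the stage-two loader (no real URL is used).
SAMPLE_SCRIPT = "$r = Invoke-WebRequest -Uri $u -UseBasicParsing; Invoke-Expression $r.Content"


def obfuscate(script: str) -> str:
    """Apply the assumed layer order; used only to build a sample payload offline."""
    data = gzip.compress(script.encode("utf-8"), mtime=0)   # mtime=0 keeps output reproducible
    data = gzip.compress(data, mtime=0)                      # second GZip layer
    b64 = base64.b64encode(data).decode("ascii")
    return b64.replace("+", "_")[::-1]                       # URL-safe swap, then reverse


def deobfuscate(blob: str) -> str:
    """Undo reversal, the '_' -> '+' swap, Base64, and both GZip layers."""
    b64 = blob[::-1].replace("_", "+")
    data = base64.b64decode(b64, validate=True)              # reject anything outside the alphabet
    for layer in (1, 2):
        if data[:2] != b"\x1f\x8b":                          # GZip magic bytes
            raise ValueError(f"GZip layer {layer}: stream does not start with 1f 8b; "
                             "the layer-order or encoding assumption is wrong")
        data = gzip.decompress(data)
    return data.decode("utf-8")


def find_indicators(script: str) -> list:
    """Return the indicator names present in a decoded script, ordered by first appearance."""
    hits = {}
    for name in INDICATORS:
        match = re.search(re.escape(name), script, re.IGNORECASE)
        if match:
            hits[name] = match.start()
    return sorted(hits, key=hits.get)


# Sample payload built with the assumed layer order, so the decoder can be exercised offline.
SAMPLE_PAYLOAD = obfuscate(SAMPLE_SCRIPT)

if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_PAYLOAD)
    print("payload head :", SAMPLE_PAYLOAD[:40], "...")
    print("decoded      :", decoded)
    print("indicators   :", ", ".join(find_indicators(decoded)))
```

The magic-byte check before each decompression is the part worth keeping when adapting this to a real sample: if the actor applied the layers in a different order, or swapped a different character, `deobfuscate` raises immediately instead of returning bytes that look decoded but are not, and the error message tells you which layer to revisit.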
## Affected Systems
- Windows platforms.
## Mitigations
- FortiGate firewalls with IPS detect and block malicious C2 traffic and related HTTP/S beaconing behavior.
- FortiGuard DNS Filtering and Web Filtering services prevent access to known malicious infrastructure.
- FortiAnalyzer and FortiSIEM provide centralized visibility and threat correlation.
- FortiNDR provides additional coverage through advanced analytics and machine learning.
## Conclusion
This campaign highlights the increasing sophistication of PowerShell-based attacks, in which every stage from lure to RAT runs as script without a dropped executable. Organizations are advised to monitor their environments for signs of lateral movement and surveillance activity, and to log and inspect PowerShell activity so that obfuscated, script-only delivery chains of this kind can be detected and stopped before the RAT stage.