ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool PowGoop

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: PowGoop

NamesPowGoop
CategoryMalware
TypeLoader
Description(Palo Alto) The PowGoop downloader has two components: a DLL loader and a PowerShell-based downloader. The PowGoop loader component is responsible for decrypting and running the PowerShell code that comprises the PowGoop downloader. The PowGoop loader DLL that existed in the same environment as LogicalDuckBill had a filename of goopdate.dll that was likely sideloaded by the legitimate and signed Google Update executable. The sideloading process would start with the legitimate GoogleUpdate.exe file loading a legitimate DLL with a name of goopdate86.dll. The sideloading would occur when the goopdate86.dll library loads the goopdate.dll file, which effectively runs the PowGoop loader.
Information<https://unit42.paloaltonetworks.com/thanos-ransomware/>
<https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf>
<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east>
MITRE ATT&CK<https://attack.mitre.org/software/S1046/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powgoop>

Last change to this tool card: 30 December 2022

Download this tool card in JSON format

All groups using tool PowGoop

ChangedNameCountryObserved

APT groups

XMuddyWater, Seedworm, TEMP.Zagros, Static KittenIran2017-Nov 2023X

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]