PowerExchange

Description

(Symantec) PowerShell-based malware that can log into an Exchange Server with hardcoded credentials and monitor for emails sent by the attackers. It uses an Exchange Server as a C&C. Mails received with ’@@’ in the subject contain commands sent from the attackers which allows them to execute arbitrary PowerShell commands, write files and steal files. The malware creates an Exchange rule (called ‘defaultexchangerules’) to filter these messages and move them to the Deleted Items folder automatically.

Names

Name
PowerExchange

Type

Backdoor

Information

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government

Mitre Attack

https://attack.mitre.org/software/S1173

Other Information

Uuid

0762792c-0150-4a3c-965d-c3e6d5f23ff1

Last Card Change

2025-06-28

Threat Intelligence Garden

Explorer

PowerExchange

PowerExchange

Description

Names

Category

Type

Information

Mitre Attack

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks