PowerShower PowerShell Backdoor

POWERSHOWER is a newly observed PowerShell-based backdoor believed to have been created by the Inception group, an advanced persistent threat targeting government organisations throughout Europe.

Inception uses a complex two-stage spear-phishing process to deliver POWERSHOWER. Initially, a reconnaissance email with a Microsoft Word attachment is sent to the user. This attachment contains a malicious Microsoft Word Remote Template. When opened, the attachment contacts a command and control (C2) server, which sends a secondary email containing a malicious RTF document with exploits for two Word vulnerabilities. These exploits then execute a VBScript script that downloads and installs POWERSHOWER.

Remote templates are a feature of Microsoft Word that allows a document to load a template from an external location – the template can be hosted on a file share or on the internet, and Word fetches it when the document is opened.
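The link to a remote template is recorded inside the document package itself, so an attachment can be checked for one before it is ever opened in Word. The following Python script is an added example, not code from the original article or from any analysis of the Inception group; the constructed minimal .docx it builds in memory, the placeholder host template-host.example and the function names are all assumptions. It scans every .rels part in the package for an attachedTemplate relationship with TargetMode="External" and reports targets that point off-host (an HTTP(S) URL or a UNC path), which is the pattern the reconnaissance documents described above rely on.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace and the relationship type Word uses for an attached template.
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_attached_templates(docx_bytes: bytes) -> list:
    """Return (part name, target, is_external) for every attachedTemplate relationship.

    Word records the template a document is linked to in word/_rels/settings.xml.rels;
    a remote template is one whose TargetMode is External.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("Type") == ATTACHED_TEMPLATE_REL:
                    found.append((name, rel.get("Target", ""),
                                  rel.get("TargetMode") == "External"))
    return found


def is_remote_target(target: str) -> bool:
    """True when the template target leaves the host: an HTTP(S) URL or a UNC path."""
    return re.match(r"^(https?://|\\\\)", target, re.IGNORECASE) is not None


def remote_template_targets(docx_bytes: bytes) -> list:
    """Template targets a defender would want to review before the document is opened."""
    return [target for _, target, external in find_attached_templates(docx_bytes)
            if external and is_remote_target(target)]


def build_sample_docx(template_target=None, external=True) -> bytes:
    """Constructed minimal package: just enough of the OPC layout to exercise the check (assumption)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml", "<document/>")
        rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
                '<Relationships xmlns="%s">' % PKG_NS]
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            rels.append('<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
                        % (ATTACHED_TEMPLATE_REL, template_target, mode))
        rels.append("</Relationships>")
        pkg.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder host; not an indicator from the article.
    sample = build_sample_docx("http://template-host.example/remote.dotm")
    for target in remote_template_targets(sample):
        print("remote template target:", target)
```

A locally attached template (Target="Normal.dotm" with no TargetMode) is reported by find_attached_templates but not flagged, so the check distinguishes the normal case from a document that will reach out to a file share or web server on open.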

Once installed, POWERSHOWER will create registry entries to maintain persistence and ensure future PowerShell instances appear off-screen by default, before terminating Word processes and removing all files and registry entries associated with its installation. It will then send system information to the C2 server and await further instructions.

Affected Platforms

Microsoft Windows – All versions

Indicators of Compromise

Remote template documents where we have the matching payload
Remote templates analysed
PowerShower sample
Other related templates and exploit documents from 2018

51.255.139[.]194 – Remote template host
188.165.62[.]40 – Remote template host
200.122.128[.]208 – POWERSHOWER C2
108.170.52[.]158 – Remote template host

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
