
Stories from the SOC: Mystery of the postponed proxyware install

Severity: Medium
Published: Mon Nov 24 2025 (11/24/2025, 21:10:02 UTC)
Source: AlienVault OTX General

Description

A sophisticated attack chain was uncovered involving a malicious disk-cleaning utility that installed proxyware on a compromised system. The infection used PowerShell scripts, download cradles, and in-memory execution to evade detection and establish a connection to a command-and-control (C2) server. The attack was intercepted before the proxyware installation completed. This incident underscores the dangers of unauthorized software installations and the critical need to restrict PowerShell usage in corporate environments. The threat leverages multiple advanced techniques including obfuscation, living-off-the-land binaries, and scheduled task abuse. Although no known exploits are currently in the wild, the attack demonstrates a medium severity risk due to its potential for stealthy persistence and resource abuse. European organizations should be vigilant, especially those with lax software installation policies and insufficient PowerShell controls.

AI-Powered Analysis

Last updated: 11/25/2025, 09:28:23 UTC

Technical Analysis

This threat involves a multi-stage attack chain initiated by the installation of a seemingly legitimate disk-cleaning utility that was in fact bundled with malicious PowerShell scripts. These scripts used download-cradle techniques to fetch additional payloads from domains such as featherstorage.com and others, executing them in memory to avoid detection by traditional antivirus solutions. The attack used living-off-the-land binaries (LOLBins) and scheduled task abuse (T1053.005) to maintain persistence and evade security controls. The proxyware installation, the ultimate payload, would have turned the compromised system into a proxy node, potentially for illicit traffic routing or anonymization services, affecting network integrity and potentially implicating the victim in malicious activity. The use of PowerShell and command-shell scripting (T1059.001, T1059.003) and obfuscation (T1027) further complicated detection. The SOC team detected the suspicious PowerShell activity early, preventing the final proxyware installation. Indicators include multiple file hashes and suspicious domains linked to the attack infrastructure. No CVE or known exploit is associated yet, but the attack chain demonstrates advanced evasion and persistence tactics. This incident highlights the risk posed by unauthorized software installations and the need for strict application allow-listing and PowerShell execution controls.

Potential Impact

For European organizations, this threat poses risks including unauthorized use of computing resources, potential network abuse through proxyware, and exposure to further compromise via persistent backdoors. Proxyware can degrade system performance, cause bandwidth abuse, and implicate organizations in malicious network activities, potentially leading to reputational damage and legal consequences under GDPR if personal data is involved or if the organization is used as a launchpad for attacks. The stealthy nature of the attack, leveraging in-memory execution and living-off-the-land techniques, makes detection difficult, increasing the risk of prolonged undetected presence. Organizations with lax controls on software installation or PowerShell usage are particularly vulnerable. The infection vector via a disk-cleaning utility also highlights supply chain risks and the need for stringent software vetting. The medium severity rating reflects the attack's potential for persistence and resource abuse, though no direct data exfiltration or destructive payload was observed in this case.

Mitigation Recommendations

European organizations should implement strict application control policies to prevent unauthorized software installations, especially utilities downloaded from untrusted sources. PowerShell execution policy should be hardened to allow signed scripts only, and unusual PowerShell activity should be monitored with endpoint detection and response (EDR) tooling; note that execution policy on its own is not a security boundary, so pair it with script block logging and application control rules. Employ network segmentation and egress filtering to detect and block suspicious outbound connections to known malicious domains such as featherstorage.com and the others listed in the indicators. Use threat intelligence feeds to update detection rules with the provided file hashes and domains. Audit scheduled tasks to detect abuse of task scheduling (T1053.005). Conduct regular software supply chain risk assessments and enforce strict software vetting processes. Educate users about the risks of installing unauthorized utilities. Finally, enable in-memory execution detection capabilities and monitor for living-off-the-land binary usage to detect stealthy attacks early.
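As an added example (not code from Expel's write-up or the OTX pulse), the scheduled-task audit recommended above can be started with the script below, which flags tasks whose action launches PowerShell with download-cradle or encoded-command patterns, or whose command line references a domain from this pulse's indicators. It assumes it is run as an administrator on the Windows host under review; the pattern list is an assumption based on the techniques described, not an exhaustive signature.

```powershell
# Added example: audit scheduled tasks for PowerShell download cradles and
# references to the domains listed in this pulse. Run as administrator.

# Domains from this pulse's indicator list.
$IocDomains = @(
    'devicesetupx.com', 'diskcleanu.com', 'featherstorage.com',
    'filerit.com', 'ilesystemwcm.com', 'maintenancesat.com'
)

# Substrings typical of download cradles and in-memory execution (assumed list).
$CradlePatterns = @(
    'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'iwr ', 'IEX',
    'Invoke-Expression', 'FromBase64String', '-enc', '-EncodedCommand',
    '-nop', '-w hidden', 'Net.WebClient', 'Start-BitsTransfer'
)

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a command line; COM handler actions do not.
            if (-not $action.Execute) { continue }
            $cmd = "$($action.Execute) $($action.Arguments)"
            $reasons = @()
            # -like and -match are case-insensitive in PowerShell by default.
            if ($action.Execute -match 'powershell(\.exe)?"?$|pwsh(\.exe)?"?$') {
                foreach ($p in $CradlePatterns) {
                    if ($cmd -like "*$p*") { $reasons += "cradle:$p" }
                }
            }
            foreach ($d in $IocDomains) {
                if ($cmd -like "*$d*") { $reasons += "ioc-domain:$d" }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    Command  = $cmd
                    Reasons  = ($reasons -join ', ')
                }
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
```

Any hit should be reviewed against the task's creation time and author in the Task Scheduler operational log (Event ID 4698 in the Security log when task creation auditing is enabled) before it is treated as confirmed.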


Technical Details

Author: AlienVault
TLP: white
References: https://expel.com/blog/stories-from-the-soc-mystery-of-the-postponed-proxyware-install
Adversary: not attributed
Pulse Id: 6924c9aad09e7e30fb5d9b70
Threat Score: not assigned

Indicators of Compromise

Hash

Seven file hashes (MD5, SHA-1 and SHA-256) are listed in the OTX pulse referenced above.

Url

http://featherstorage.com/1637.exe

Domain

devicesetupx.com
diskcleanu.com
featherstorage.com
filerit.com
ilesystemwcm.com
maintenancesat.com

Threat ID: 6925732e7e8c0fda07ba767b

Added to database: 11/25/2025, 9:13:18 AM

Last enriched: 11/25/2025, 9:28:23 AM

Last updated: 12/4/2025, 8:58:22 PM

Views: 70

