Skip to content

S0685 PowerPunch

PowerPunch is a lightweight downloader that has been used by Gamaredon Group since at least 2021.1

Item Value
ID S0685
Associated Names
Version 1.1
Created 18 February 2022
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell PowerPunch has the ability to execute through PowerShell.1
enterprise T1480 Execution Guardrails -
enterprise T1480.001 Environmental Keying PowerPunch can use the volume serial number from a target host to generate a unique XOR key for the next stage payload.1
enterprise T1105 Ingress Tool Transfer PowerPunch can download payloads from adversary infrastructure.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation PowerPunch can use Base64-encoded scripts.1

Groups That Use This Software

ID Name References
G0047 Gamaredon Group 1