[Figure: Attack flow chart (image: Fortinet)]
The FortiMail Workspace Security team has uncovered a targeted intrusion campaign against multiple Israeli organizations, exploiting compromised internal email systems to distribute phishing messages. The operation, which the team says “relied entirely on PowerShell” for both delivery and execution, used no external executables—making detection significantly more challenging.
The attack began with convincing phishing emails disguised as invitations to “a mentoring session on handling wartime conditions and the use of medical and pharmaceutical supplies.” By urging recipients to share the information internally, the attackers increased the likelihood of rapid lateral spread.
Clicking the embedded link led victims to a spoofed Microsoft Teams landing page. From there, they were instructed to press Windows + R, paste a copied string, and hit Enter—a form of social engineering designed to execute an obfuscated PowerShell command without arousing suspicion.
The initial payload, dubbed ClickFix, was Base64-encoded and split across three strings within the phishing page’s HTML. Once decoded, it executed:
This triggered the download of a secondary PowerShell script, which reconstructed the final payload—a Remote Access Trojan (RAT)—from binary-encoded chunks hidden in an HTML file.
Once deployed, the RAT connected to its hardcoded C2 server (hxxps[:]//pharmacynod[.]com/), registering each victim with compressed and obfuscated system details. It then entered a persistent polling loop—sleeping for random intervals to evade detection—while awaiting commands.
The C2 instruction set included:
- 7979 – Reinitialize and re-register the victim.
- 5322 – Download and save remote payloads.
- 4622 – Adjust C2 polling intervals.
- 2474 – Execute arbitrary PowerShell commands, compressing and exfiltrating the output.
While the campaign’s regional focus, lateral movement tactics, and scripting style suggest a link to the Iranian-aligned MuddyWater group, the FortiMail team stops short of firm attribution. As the report notes, “This new activity is just a single point… it might fit the square hole—but it could easily belong to another actor.” Deviations include avoiding Remote Management Tools (RMMs) and relying exclusively on PowerShell-based tooling.
The attackers employed layered obfuscation—GZip compression, Base64 encoding, and string reversal—to hinder analysis. On the network side, they used native .NET HTTP requests, set a legitimate User-Agent, leveraged default Windows credentials, and respected system proxy settings to blend in with normal traffic.
Organizations should:
- Enforce strict PowerShell logging and execution policies.
- Deploy behavior-based detection to spot unusual PowerShell activity.
- Conduct phishing awareness training to counter social engineering tactics like ClickFix.
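The behaviour-based detection recommended above can key on the layered obfuscation and C2 traits the report describes (Base64 decoding, GZip decompression, string reversal, native .NET HTTP with default credentials, randomised sleep loops, the four command codes). The following Python triage script is an added example, not Fortinet's detection content; the regex indicators, the threshold, and the script-block records are constructed, and it assumes you have exported PowerShell script-block log entries (Event ID 4104) into dictionaries with `event_id` and `script_block` fields.

```python
import re

# Heuristics for the obfuscation layers and C2 behaviour described in the report.
# Patterns and sample records are constructed for this example, not Fortinet's signatures.
INDICATORS = {
    "base64_decode":       re.compile(r"FromBase64String", re.I),
    "gzip_decompress":     re.compile(r"GZipStream|CompressionMode\]::Decompress", re.I),
    "string_reversal":     re.compile(r"\[array\]::Reverse|\[-1\.\.-", re.I),
    "dotnet_http":         re.compile(r"Net\.WebClient|Net\.Http\.HttpClient|HttpWebRequest", re.I),
    "default_creds_proxy": re.compile(r"DefaultCredentials|DefaultWebProxy|GetSystemWebProxy", re.I),
    "random_sleep_loop":   re.compile(r"Start-Sleep[^;]*Get-Random|Get-Random[^;]*Start-Sleep", re.I | re.S),
    "c2_command_codes":    re.compile(r"\b(7979|5322|4622|2474)\b"),  # command codes listed in the report
}

def score_script_block(text: str) -> list[str]:
    """Return the sorted names of every indicator that matches one script block."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def triage(records: list[dict], threshold: int = 3) -> list[tuple[int, list[str]]]:
    """Flag Event ID 4104 script-block records that stack at least `threshold` indicators.

    One hit on its own (e.g. WebClient in an admin script) is normal traffic; the
    campaign's scripts stack decoding, decompression, reversal and polling in one block.
    """
    flagged = []
    for rec in records:
        if rec["event_id"] != 4104:          # only script-block logging carries full code
            continue
        hits = score_script_block(rec["script_block"])
        if len(hits) >= threshold:
            flagged.append((rec["record_id"], hits))
    return flagged

# Constructed sample records shaped like PowerShell script-block log entries.
SAMPLE_RECORDS = [
    {"record_id": 1, "event_id": 4104,
     "script_block": "Get-ChildItem C:\\Users -Recurse | Sort-Object Length -Descending"},
    {"record_id": 2, "event_id": 4104,
     "script_block": ("$d=[Convert]::FromBase64String($p);"
                      "$s=-join ([char[]]$d)[-1..-($d.Length)];"
                      "$g=New-Object IO.Compression.GZipStream($ms,[IO.Compression.CompressionMode]::Decompress);"
                      "$wc=New-Object Net.WebClient;$wc.Credentials=[Net.CredentialCache]::DefaultCredentials;"
                      "while($true){Start-Sleep -Seconds (Get-Random -Minimum 30 -Maximum 120);"
                      "switch($cmd){7979{...};5322{...};4622{...};2474{...}}}")},
    {"record_id": 3, "event_id": 4104,
     "script_block": "(New-Object Net.WebClient).DownloadFile($url,'C:\\Temp\\setup.msi')"},
    {"record_id": 4, "event_id": 4103,   # pipeline logging, not a script block: ignored
     "script_block": "FromBase64String GZipStream [-1..-"},
]

if __name__ == "__main__":
    for rid, hits in triage(SAMPLE_RECORDS):
        print(f"record {rid}: {', '.join(hits)}")
```

Record 2 alone crosses the threshold; the lone WebClient download in record 3 does not, which is the point of scoring stacked layers rather than any single API.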
As FortiMail warns, “Continued monitoring of similar patterns and proactive use of detection signatures is essential for organizations in high-risk sectors.”