PowGoop

PowGoop is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used byMuddyWater as their main loader.^[1]^[2]

ID: S1046

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Contributors: Ozer Sarilar, @ozersarilar, STM

Version: 1.0

Created: 29 September 2022

Last Modified: 16 April 2025

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol:Web Protocols	PowGoop can send HTTP GET requests to malicious servers.^[2]
Enterprise	T1059	.001	Command and Scripting Interpreter:PowerShell	PowGoop has the ability to use PowerShell scripts to execute commands.^[1]
Enterprise	T1132	.002	Data Encoding:Non-Standard Encoding	PowGoop can use a modified Base64 encoding mechanism to send data to and from the C2 server.^[2]
Enterprise	T1140		Deobfuscate/Decode Files or Information	PowGoop can decrypt PowerShell scripts for execution.^[1]^[2]
Enterprise	T1573		Encrypted Channel	PowGoop can receive encrypted commands from C2.^[1]
Enterprise	T1574	.001	Hijack Execution Flow:DLL	PowGoop can side-load`Goopdate.dll` into`GoogleUpdate.exe`.^[1]^[2]
Enterprise	T1036		Masquerading	PowGoop has disguised a PowerShell script as a .dat file (goopdate.dat).^[1]
		.005	Match Legitimate Resource Name or Location	PowGoop has used a DLL named Goopdate.dll to impersonate a legitimate Google update file.^[1]

ID	Name	References
G0069	MuddyWater	^[1]