{"id":70313,"date":"2023-06-06T15:52:44","date_gmt":"2023-06-06T14:52:44","guid":{"rendered":"https:\/\/www.n-able.com\/?p=70313"},"modified":"2025-08-28T10:38:50","modified_gmt":"2025-08-28T09:38:50","slug":"powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/de\/blog\/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry","title":{"rendered":"PowerDrop: A New Insidious PowerShell Script for Command and Control Attacks Targets U.S. Aerospace Defense Industry"},"content":{"rendered":"<p class=\"ai-optimize-6 ai-optimize-introduction\">The Adlumin Threat Research Team recently discovered and analyzed a new type of malware targeting the U.S. aerospace defense industry. The discovery comes at a time when more research and investment are put into missile programs as the war in Ukraine continues, and partners around the world remain on high alert.<\/p>\n<p class=\"ai-optimize-7\">\u201cPowerDrop\u201d is the name our researchers have given the malware they found implanted in the network of a domestic aerospace defense contractor in May 2023. The name is derived from the tool, Windows PowerShell, used to concoct the script, and \u201cDrop\u201d from the DROP (DRP) string used in the code for padding.<\/p>\n<p class=\"ai-optimize-8\">The threat was detected by the Adlumin platform\u2019s machine learning-based algorithms which analyze PowerShell commands and arguments at run-time.<\/p>\n<p class=\"ai-optimize-9\">Upon reverse engineering, our team found that the malware was made up of a new PowerShell and Windows Management Instrumentation (WMI) persisted Remote Access Tool (RAT). 
The code sends Internet Control Message Protocol (ICMP) echo request messages as a trigger for the malware\u2019s command-and-control (C2), along with similar ICMP ping usage for data exfiltration.<\/p>\n<p class=\"ai-optimize-10\">In essence, researchers concluded that the malware is being used to run remote commands against victim networks after gaining initial access, execution, and persistence into servers.<\/p>\n<p class=\"ai-optimize-11\">The usage of PowerShell for remote access is not new, nor is WMI-based persistence of PowerShell scripts or ICMP triggering and tunneling, but what is novel about this malware is that no other code like it has surfaced before, and it straddles the line between a basic \u201coff-the-shelf-threat\u201d and the advanced tactics used by Advanced Persistent Threat (APT) groups.<\/p>\n<p class=\"ai-optimize-12\">We have not yet identified the threat actor behind the malware, but nation-state aggressors are suspected.<\/p>\n<p class=\"ai-optimize-15\">Kevin O\u2019Connor, who heads the Adlumin Threat Research Team, said that the malware uses triggers and exfil patterns which are easily flagged by intrusion detection systems, but that the malware also appears to be a \u201ccustom\u201d development, using advanced techniques to evade detection such as deception, encoding, and encryption.<\/p>\n<p class=\"ai-optimize-16\">\u201cOur Threat Research Team believes this malware presents a real threat as it has been able to evade detection by some commonly deployed EDR software, likely due to its practice of encoding the PowerShell command line arguments and the use of WMI for persistence,\u201d O\u2019Connor added.<\/p>\n<h2 class=\"ai-optimize-17\"><span><strong>Threat Analysis<\/strong><\/span><\/h2>\n<p class=\"ai-optimize-18\">Our team first identified the PowerDrop malware based on a machine learning detection which looks at the content of executed PowerShell scripts versus the command line arguments typically analyzed by
other security software.<\/p>\n<p class=\"ai-optimize-19\">\u201cThis allowed our detection algorithms to see through the encoded layer enabling machine learning-based detection on the actual content of the script which is acting as a backdoor or RAT,\u201d O\u2019Connor said.<\/p>\n<p class=\"ai-optimize-20\">The malware is a PowerShell command that is executed by the WMI service. The \u201cscript,\u201d passed as a single command line argument to the native Windows binary and subsystem PowerShell, is encoded using Base64 and UTF-16 Little Endian and is not persisted on disk as a .ps1 script file.<\/p>\n<p class=\"ai-optimize-21\">Sample of Base64 UTF-16LE encoded PowerShell payload:<\/p>\n<h3><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16049\" src=\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/1.png\" alt=\"\" width=\"1677\" height=\"165\" \/><\/h3>\n<h2 class=\"ai-optimize-22\"><span><strong>Execution and Persistence<\/strong><\/span><\/h2>\n<p class=\"ai-optimize-23\">We analyzed the PowerShell process execution context to identify that the malicious PowerShell script\/implant was being executed by the WMI service using previously registered WMI event filters and consumers.<\/p>\n<p class=\"ai-optimize-24\">The WMI event filter and consumer registrations were created by the malware during the initial installation of the PowerDrop implant.<\/p>\n<p class=\"ai-optimize-25\">The WMI event filter and consumer registrations are created using the WMI command line tool \u2018wmic.exe\u2019 and are executed using the \u2018wmic.exe\u2019 command line tool.<\/p>\n<p class=\"ai-optimize-26\">PowerDrop registers itself as a WMI event filter and consumer as observed in these Windows Event Logs:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16050\" src=\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/2.png\" alt=\"\" width=\"2112\" height=\"944\" \/><\/p>\n<p
class=\"ai-optimize-27\">The WMI event filter that triggers the PowerShell command queries for updates made to the WMI class Win32_PerfFormattedData_PerfOS_System in the root\\cimv2 namespace.<\/p>\n<p class=\"ai-optimize-28\">The Win32_PerfFormattedData_PerfOS_System class is the Windows Management Instrumentation (WMI) class that contains performance counters which monitor the performance of the Windows operating system.<\/p>\n<p class=\"ai-optimize-29\">The WMI event filter is triggered when the WMI class is updated, which then triggers the execution of the PowerShell script. Triggering by the filter is throttled to<span>\u00a0<\/span><em>once every 120 seconds<\/em><span>\u00a0<\/span>so long as the WMI class has been updated. In Windows, this WMI class is regularly updated with information such as processes, threads, queue length, and system calls per second, and therefore execution every 120 seconds is reliable and guaranteed on most systems.<\/p>\n<p class=\"ai-optimize-30\">WMI filter and consumer registrations for persistence and execution of PowerShell payloads have been seen in many other malware families, as has the usage of the PerfOS_System WMI class as a reliable trigger for execution.<\/p>\n<p class=\"ai-optimize-31\">The EventFilter and CommandLineEventConsumer are both registered under the name SystemPowerManager.<\/p>\n<p class=\"ai-optimize-32\">The WMI event consumer is a CommandLineEventConsumer which executes the PowerShell command line with the encoded PowerShell script as a command line argument.<\/p>\n<p class=\"ai-optimize-33\">We were unable to identify the source of the WMI event filter and consumer registrations, but we believe that the malware is likely using a previously known exploit to gain initial access to the victim\u2019s computer such as a phishing email or drive-by download and execution through wscript.exe and that the command line filter and consumer registrations are created by the malware during the initial installation of the
PowerDrop implant through a wmic.exe command line execution.<\/p>\n<h2 class=\"ai-optimize-34\"><span><strong>The Script\/Implant<\/strong><\/span><\/h2>\n<p class=\"ai-optimize-35\">Once decoded, the PowerShell script is a single line of PowerShell code made up of multiple statements, functions, and usually static variables.<\/p>\n<p class=\"ai-optimize-36\">Analysis of the decoded content shows that the script is a backdoor\/RAT, which can execute remote PowerShell commands against the victim computer and exfiltrate the results of those commands.<\/p>\n<p class=\"ai-optimize-37\">Initially, PowerDrop attempts to reach out to a hard-coded IP address using an ICMP Echo Request message.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16051\" src=\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/3.png\" alt=\"\" width=\"1888\" height=\"362\" \/><\/p>\n<p class=\"ai-optimize-38\">This request is originated by Windows PowerShell and has detectable attributes such as the ICMP Type and Code (8 and 0), the IPv4 Time to Live (TTL) of 128 as natively seen on Windows devices, the ICMP Identification number set to \u20180x0001\u2019, and the ICMP payload.<\/p>\n<p class=\"ai-optimize-39\">The ICMP trigger payload is a UTF-16LE encoded string that is not obfuscated, obscured, or encrypted. Observed examples used the simple string \u201c!\u201d as the trigger for the malware C2 beacon. We believe this simply signifies to the command-and-control infrastructure that this is a malware implant beacon and not a randomly received probe, which are common occurrences against Internet-facing devices.<\/p>\n<p class=\"ai-optimize-40\">Once the beacon has been sent, the victim machine waits 60 seconds for a response. This 60-second dwell time differs from the typical default 10-second request timeout for ICMP Echo Request messages on Windows.
This is likely to ensure that the malware can receive a response from the C2 server even if the network is experiencing high latency or packet loss, especially given that there is no guaranteed delivery or acknowledgment for the ICMP Echo Request message.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16052\" src=\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/4.png\" alt=\"\" width=\"1947\" height=\"284\" \/><\/p>\n<p class=\"ai-optimize-41\">In response to the PowerDrop beacon, the command-and-control server responds with an encrypted payload that is also padded with static data at the beginning and end of the message.<\/p>\n<p class=\"ai-optimize-42\">PowerDrop uses AES encryption with a 128-bit key and a 128-bit initialization vector (IV) to encrypt the payload. The AES key and IV are static symmetric keys that are hard coded into the PowerShell script and are not dynamically generated. The AES key and IV are also not obfuscated, obscured, or encrypted beyond the initial PowerShell script encoding.<\/p>\n<p class=\"ai-optimize-43\">PowerDrop uses the PowerShell-provided interfaces \u201cCreateEncryptor\u201d and \u201cTransformFinalBlock\u201d to encrypt and decrypt the payload.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16053\" src=\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/5.png\" alt=\"\" width=\"2103\" height=\"847\" \/><\/p>\n<p class=\"ai-optimize-44\">PowerDrop will then receive a response from the C2 server in the form of an encrypted command.
The implant will then decrypt the command, strip the prepending and postpending values, and execute the command using the Invoke-Expression cmdlet in PowerShell.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16054\" src=\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/6.png\" alt=\"\" width=\"2268\" height=\"1008\" \/><\/p>\n<p class=\"ai-optimize-45\">The implant will then take the results of the command and encrypt them using the same scheme used for decryption and send the results back to the C2 server.<\/p>\n<p class=\"ai-optimize-46\">Any oversized responses, those greater than 128 bytes, are split into multiple messages. The first message is sent with the first 128 bytes of the response and the subsequent messages are sent with the remaining bytes of the response in 128-byte chunks. The C2 server is responsible for reassembling the response:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16055\" src=\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/7.png\" alt=\"\" width=\"2305\" height=\"1879\" \/><\/p>\n<p class=\"ai-optimize-47\">PowerDrop uses the strings \u201cDRP\u201d and \u201cOCD\u201d as prepending and postpending values bookmarking the response content to the C2 server. The prepending and postpending values are used to indicate the start and end of the response content.<\/p>\n<p class=\"ai-optimize-48\">If the response is split into multiple messages, then all messages will have the prepending \u201cDRP\u201d value, and only the final message will have both the \u201cDRP\u201d prefix and \u201cORD\u201d suffix. The prepending and postpending values are not encrypted and are static values in the PowerShell script.
Example of the prepending and postpending values:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16056\" src=\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/8.png\" alt=\"\" width=\"2310\" height=\"1242\" \/><\/p>\n<h2 class=\"ai-optimize-51\"><span><strong>Detections<\/strong><\/span><\/h2>\n<p class=\"ai-optimize-52\">We have produced the following detections to help identify potential instances of this malware both on the endpoint and through captured or monitored network traffic.<\/p>\n<p class=\"ai-optimize-53\"><em>Snort Detection<\/em><\/p>\n<p class=\"ai-optimize-54\">This detection can be applied to outbound network traffic and detects instances of PowerDrop malware data exfiltration.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16057\" src=\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/9.png\" alt=\"\" width=\"2090\" height=\"297\" \/><\/p>\n<p class=\"ai-optimize-55\"><em>SIGMA<\/em><\/p>\n<p class=\"ai-optimize-56\">This SIGMA detection identifies PowerShell executions via the PowerShell script block for unencoded and required components of the PowerDrop malware:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16058\" src=\"https:\/\/adlumin.wpenginepowered.com\/wp-content\/uploads\/10.png\" alt=\"\" width=\"2305\" height=\"1480\" \/><\/p>\n<h2 class=\"ai-optimize-57\"><span><strong>Conclusion<\/strong><\/span><\/h2>\n<p class=\"ai-optimize-58\">Our team advises that those in the aerospace defense industry remain vigilant against this new malware that\u2019s making the rounds. 
The company recommends running vulnerability scanning at the core of Windows systems and being on the lookout for unusual pinging activity from their networks to the outside.<\/p>\n<p class=\"ai-optimize-59\">\u201cPowerDrop clearly shows that mixing old tactics with new techniques proves a powerful combination in today\u2019s age,\u201d said Will Ledesma, Adlumin Security Operations Center Director.<\/p>\n<p class=\"ai-optimize-60\">\u201cIt highlights the importance of having dedicated 24\/7 cybersecurity teams within any operational landscape,\u201d Ledesma added.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Protect your aerospace defense systems from PowerDrop malware with Adlumin\u2019s detection tips, SIGMA and Snort rules, and expert cybersecurity recommendations.<\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-70313","post","type-post","status-publish","format-standard","hentry","topic-cyber-resilience","topic-security"],"acf":[]}