type: entity
family: unclassified-batch-powershell-dropper
confidence: medium
created: 2026-06-03
updated: 2026-06-03
tags: script, dropper, c2, defense-evasion, execution

Unclassified Batch PowerShell Dropper Family

Windows batch-script droppers that assemble a PowerShell payload via SET/GOTO variable expansion, download a second-stage assembly from paste sites (dpaste, pastefy, gitlab), and execute it reflectively under a masquerade identity (e.g., MsBuild). Spanish/Portuguese actor indicators observed in static strings.

Capabilities

  • batch-script-powershell-assembly-via-set-goto-expansion
  • inline-base64-obfuscation-f@-insertion-regex-cleanup
  • paste-site-failover-download-dpaste-pastefy-gitlab
  • in-memory-dotnet-assembly-reflective-load
  • msbuild-proxy-masquerade-string-passthrough
  • reversed-string-url-anti-static

Build / RE

  • Language: DOS batch file (cmd.exe / cmd /c) with inline PowerShell
  • Obfuscation: Manual — no commercial packer. String split across dozens of SET variables, rejoined via %var% expansion on a single concatenation line. Anti-static insertions (f@) cleaned via [regex]::replace. Method names split by string concatenation (run + ss). URL string reversed with trailing junk strip.
  • Anti-analysis: No anti-VM or anti-debug; relies on being a trivial text file that sandboxes and AV may skip or underestimate.
  • Code quality: Low — verbose repetitive batch patterns, hardcoded URL strings that rotate infrequently.
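To pull the indicators out of a script without executing it, the following Python helper (added here; not code from the analyses linked on this page) replays the SET lines to emulate the %var% expansion, strips the f@ insertions, and un-reverses the URL. It runs against a constructed, harmless batch fragment rather than a real sample, and it assumes the junk appended to the reversed URL is a fixed-length suffix, which a real sample must be inspected for.

```python
import base64
import re

# Constructed, harmless stand-in for a sample (not one of the page's files):
# fragments spread over SET lines, a GOTO hop, one line that rejoins them.
SAMPLE_BAT = """
@echo off
set p1=moc.el
set p2=pmaxe//:sptth
set junk=xyz
set blob=aGVf@sbG8=
set launch=powershell -WindowStyle Hidden
goto run
:run
set url=%p1%%p2%%junk%
set payload=%blob%
"""

SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=([^"\r\n]*)"?\s*$', re.I | re.M)
VAR_RE = re.compile(r"%([^%\s]+)%")

def resolve_set_vars(text):
    """Replay SET lines top to bottom, expanding %var% with values seen so far
    (cmd expands at parse time; names are case-insensitive; an unset %var%
    is empty inside a batch file). GOTO and !delayed! expansion are ignored."""
    env = {}
    for name, value in SET_RE.findall(text):
        env[name.lower()] = VAR_RE.sub(
            lambda m: env.get(m.group(1).lower(), ""), value)
    return env

def strip_insertions(s, marker="f@"):
    """Undo the anti-static insertion the script itself removes with [regex]::replace."""
    return s.replace(marker, "")

def recover_reversed_url(s, junk_len):
    """Drop junk_len trailing characters, then reverse (junk length is an assumption)."""
    return s[:-junk_len][::-1] if junk_len else s[::-1]

def triage(text, junk_len=3):
    """Collect the de-obfuscated indicators an analyst wants from one script."""
    env = resolve_set_vars(text)
    return {
        "url": recover_reversed_url(env["url"], junk_len),
        "payload": base64.b64decode(strip_insertions(env["payload"])).decode(),
        "launcher": env["launch"],
        "set_count": len(env),
    }
```

The recovered URL and decoded blob are what to pivot on against the paste-site and GitLab indicators listed under Sibling Analyses.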

Deploy / ATT&CK

| Tactic | Technique | Evidence |
| --- | --- | --- |
| Execution | T1059.003 (Windows Command Shell) | Batch script assembly and launch |
| Execution | T1059.001 (PowerShell) | Nested -WindowStyle Hidden inline script |
| Command and Control | T1105 (Ingress Tool Transfer) | Paste-site download with failover |
| Defense Evasion | T1620 (Reflective Code Loading) | [Reflection.Assembly]::Load without disk write |
| Defense Evasion | T1127.001 (Trusted Developer Utilities Proxy Execution: MSBuild) | Masquerade string MsBuild passed to invoked method |
| Defense Evasion | T1027.010 (Obfuscated Files or Information: HTML Smuggling) | Base64 assembly hidden between HTML-like delimiters in paste-site text |

Sibling Analyses

  • cae0056acc2f1b6285544c96e33a4e4c49b964f309b8e4df08b9bf55695389b8 — First observed sibling: dpaste + pastefy → gitlab chain, myprogram.Homees.runss, Spanish-language URL indicators ^[/intel/analyses/cae0056acc2f1b6285544c96e33a4e4c49b964f309b8e4df08b9bf55695389b8.html]
  • eda47a53b9d17d5f8dd8866b245679d5a008916d366a1464677c63d109d7d6b0 — Second sibling: dual pastefy.app failover (JJtdc9TE, 3ocDEoXR), reversed GitLab C2 sostsenrer2, MsBuild masquerade, same myprogram.Homees.runss entry. ^[/intel/analyses/eda47a53b9d17d5f8dd8866b245679d5a008916d366a1464677c63d109d7d6b0.html]

Related

  • unclassified-js-dropper — Brazilian Portuguese WScript→PowerShell→.NET dropper with debugger/sandbox gate and HostGator C2. Similar chain but different obfuscation (JS string arrays vs batch SET/GOTO).
  • msbuild-proxy-execution — Procedure page for T1127.001 masquerade observed here.