Security researchers have discovered that an Iranian advanced persistent threat (APT) group is using a novel trick to avoid detection of malicious PowerShell code.

Cybereason said it had found a new toolkit used by the Phosphorus group, also known as Charming Kitten and APT35, that installs malicious Microsoft PowerShell code which operates as a remote access backdoor and downloads further malware payloads.
The hackers, who are said to be Iranian state-sponsored, run the malicious PowerShell code in the context of a .NET application, which means the powershell.exe binary is not launched, Cybereason said.
This stealth technique lets the hackers run their code without triggering alerts from security products.
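For defenders, a detection that does not depend on powershell.exe starting is to watch which processes load the PowerShell engine assembly. The sketch below is an added example, not code from Cybereason or from the toolkit; it assumes Sysmon image-load events (Event ID 7) already parsed into dictionaries, and the allowlist and sample events are constructed for illustration.

```python
import ntpath  # Windows path handling that also works when run on Linux/macOS

# Assemblies that implement the PowerShell engine (IL and native-image builds).
ENGINE_DLLS = {"system.management.automation.dll",
               "system.management.automation.ni.dll"}

# Assumption: full paths of the hosts expected to load the engine; tune per site.
EXPECTED_HOSTS = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe",
    r"c:\program files\powershell\7\pwsh.exe",
}

def unexpected_powershell_hosts(events):
    """Return Sysmon image-load events (ID 7) where the PowerShell engine
    was loaded by a process that is not an expected PowerShell host."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        loaded = ntpath.basename(ev.get("ImageLoaded", "")).lower()
        if loaded not in ENGINE_DLLS:
            continue
        # Compare the full path, not the file name: a copy named
        # powershell.exe outside the system directory is still flagged.
        if ev.get("Image", "").lower() in EXPECTED_HOSTS:
            continue
        hits.append(ev)
    return hits

# Constructed sample events; paths under C:\Users\Public are placeholders.
SMA = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
       r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "ImageLoaded": SMA,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 7, "ProcessId": 5288, "ImageLoaded": SMA,
     "Image": r"C:\Users\Public\example-host.exe"},
    {"EventID": 7, "ProcessId": 6012, "ImageLoaded": SMA,
     "Image": r"C:\Users\Public\powershell.exe"},
    {"EventID": 7, "ProcessId": 5288,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Image": r"C:\Users\Public\example-host.exe"},
    {"EventID": 1, "ProcessId": 7000,
     "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for ev in unexpected_powershell_hosts(SAMPLE_EVENTS):
        print(f"PID {ev['ProcessId']}: {ev['Image']} loaded the PowerShell engine")
```

Legitimate management tools also host the engine, so the allowlist needs per-environment tuning before this is used for alerting.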
The new Phosphorus toolkit is modular and multistaged, with active command and control infrastructure, some of which is shared with the Memento ransomware, the researchers noted.
Phosphorus has attacked research facilities and academic organisations in the United States and Israel in the past few years, as well as Europe and other Middle East nations.
The group is believed to specialise in espionage and attacks against enemies of Iran.
Cybereason said Phosphorus has been active over the past months, using publicised exploits such as ProxyShell against Microsoft Exchange Server for ransomware attacks.