{"id":4227,"date":"2022-01-12T11:59:06","date_gmt":"2022-01-12T06:29:06","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=4227"},"modified":"2022-01-12T11:59:08","modified_gmt":"2022-01-12T06:29:08","slug":"how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/","title":{"rendered":"How State Hackers utilize New PowerShell Backdoor in Log4j Attacks?"},"content":{"rendered":"\n<p><p style=\"text-align: justify;\">Hackers assumed to be the part of Iranian APT35 state-backed group which is also known as \u2018Charming Kitten\u2019 or \u2018Phosphorus\u2019 have been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">The modular payload can handle C2 communications, perform system enumeration, and finally receive, decrypt, and load additional modules. Log4Shell is an exploit for CVE-2021-44228, a critical remote code execution vulnerability in Apache Log4j revealed in December.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">As per the researcher, APT35 was among the first to advantage the vulnerability before targets had an event to apply the security update, scanning for vulnerable systems these days after its public disclosures. A researcher, who has been following these attempts, attributes the exploit activity to APT35 as the attacker\u2019s attack was promptly deployed using the previously exposed infrastructure known to be utilized by the group.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">However, as part of their research, the analysts also spotted something new in the form of a PowerShell modular backdoor named \u2018CharmPower.\u2019<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>An Interchangeable Backdoor for Numerous Tasks<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">The exploitation of CVE-2021-44228 results in executing the PowerShell command with a base64-encoded payload, eventually enchanting the \u2018CharmPower\u2019 module from an actor-controlled Amazon S3 bucket.<\/p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"325\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image1-1024x325.jpg\" alt=\"How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image1\" class=\"wp-image-4229\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image1-1024x325.jpg 1024w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image1-300x95.jpg 300w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image1-768x244.jpg 768w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image1-1536x488.jpg 1536w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image1.jpg 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<p><p style=\"text-align: justify;\">This core module can execute the following main functions:<\/p><\/p>\n\n\n\n<ul><li><strong>Validate network connection<\/strong>&nbsp;\u2013 Upon execution, the script waits for an active internet connection by making HTTP POST requests to google.com with the parameter hi=hi.<\/li><li><strong>Basic system enumeration<\/strong>&nbsp;\u2013 The script collects the Windows OS version, computer name, and the contents of a file Ni.txt in $APPDATA path; the file is presumably created and filled by different modules that will be downloaded by the main module.<\/li><li><strong>Retrieve C&amp;C domain<\/strong>&nbsp;\u2013 The malware decodes the C&amp;C domain retrieved from a hardcoded URL which is located in the same S3 bucket from where the backdoor was downloaded.<\/li><li>Receive, decrypt, and execute follow-up modules.<\/li><\/ul>\n\n\n\n<p><p style=\"text-align: justify;\">The core module keeps sending HTTP POST requests to the C2 that either go unanswered or receive a Base64 string which initiates the downloading of an additional PowerShell or C# module.&nbsp; &nbsp;<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">\u2018CharmPower\u2019 is responsible for decrypting and loading such modules, and these then establish an independent channel of communications with the C2.<\/p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"784\" height=\"348\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image2.jpg\" alt=\"How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image2\" class=\"wp-image-4230\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image2.jpg 784w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image2-300x133.jpg 300w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image2-768x341.jpg 768w\" sizes=\"(max-width: 784px) 100vw, 784px\" \/><\/figure><\/div>\n\n\n\n<p><p style=\"text-align: justify;\">The list of modules to be sent to the affected endpoint is generated automatically based on the basis of the system\u2019s data retrieved by CharmPower during the reconnaissance phase.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">The additional modules sent by the C2 are the following:<\/p><\/p>\n\n\n\n<ul><li>Applications \u2013 Enumerates uninstall registry values and uses the &#8220;wmic&#8221; command to figure out which applications are installed on the infected system.<\/li><li>Screenshot \u2013 Captures screenshots according to a specified frequency and uploads them to an FTP server using hardcoded credentials.<\/li><li>Process \u2013 Grabs runs processes by using the tasklist command.<\/li><li>System information \u2013 Runs the &#8220;systeminfo&#8221; command to gather system information. Has many more commands but are commented out.<\/li><li>Command Execution \u2013 Remote command execution module featuring Invoke-Expression, cmd, and PowerShell options.<\/li><li>Cleanup \u2013 Module to remove all traces left in the compromised system, like registry and startup folder entries, files, and processes. It&#8217;s dropped at the very end of the APT35 attacks.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"876\" height=\"381\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image3.jpg\" alt=\"How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image3\" class=\"wp-image-4231\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image3.jpg 876w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image3-300x130.jpg 300w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image3-768x334.jpg 768w\" sizes=\"(max-width: 876px) 100vw, 876px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><p style=\"text-align: justify;\"><strong>What are the Similarities with the Previous Backdoors?&nbsp;&nbsp;<\/strong><\/p><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">A researcher has seen the similarities between \u2018CharmPower\u2019 and Android spyware utilized by APT35 in the past, which include implementing the same logging function and utilizing an identical format and syntax. Also, the \u2018Stack=Overflow\u2019 parameter in C2 communications is seen on both samples, which is a unique element only seen in APT35 tools.<\/p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image4.jpg\" alt=\"How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image4\" class=\"wp-image-4232\" width=\"620\" height=\"472\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image4.jpg 892w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image4-300x228.jpg 300w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-image4-768x585.jpg 768w\" sizes=\"(max-width: 620px) 100vw, 620px\" \/><\/figure><\/div>\n\n\n\n<p><p style=\"text-align: justify;\">These code similarities and infrastructure overlaps allowed Xiarch to attribute the operation to APT35. &#8216;CharmPower&#8217; is an example of how quickly sophisticated actors can respond to the emergence of vulnerabilities like CVE-2021-44228 and put together code from previously exposed tools to create something potent and influential that can go further security and detection layers.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers assumed to be the part of Iranian APT35 state-backed group which is also known as \u2018Charming Kitten\u2019 or \u2018Phosphorus\u2019 have been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor. The modular payload can handle C2 communications, perform system enumeration, and finally receive, decrypt, and load additional modules. Log4Shell is an exploit for [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4233,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How State Hackers utilize New PowerShell Backdoor in Log4j Attacks? - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How State Hackers utilize New PowerShell Backdoor in Log4j Attacks? - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"Hackers assumed to be the part of Iranian APT35 state-backed group which is also known as \u2018Charming Kitten\u2019 or \u2018Phosphorus\u2019 have been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor. The modular payload can handle C2 communications, perform system enumeration, and finally receive, decrypt, and load additional modules. Log4Shell is an exploit for [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-01-12T06:29:06+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-01-12T06:29:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"How State Hackers utilize New PowerShell Backdoor in Log4j Attacks?\",\"datePublished\":\"2022-01-12T06:29:06+00:00\",\"dateModified\":\"2022-01-12T06:29:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/\"},\"wordCount\":643,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/\",\"url\":\"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/\",\"name\":\"How State Hackers utilize New PowerShell Backdoor in Log4j Attacks? - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2022-01-12T06:29:06+00:00\",\"dateModified\":\"2022-01-12T06:29:08+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How State Hackers utilize New PowerShell Backdoor in Log4j Attacks?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How State Hackers utilize New PowerShell Backdoor in Log4j Attacks? - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/","og_locale":"en_US","og_type":"article","og_title":"How State Hackers utilize New PowerShell Backdoor in Log4j Attacks? - Xiarch Solutions Private Limited","og_description":"Hackers assumed to be the part of Iranian APT35 state-backed group which is also known as \u2018Charming Kitten\u2019 or \u2018Phosphorus\u2019 have been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor. The modular payload can handle C2 communications, perform system enumeration, and finally receive, decrypt, and load additional modules. Log4Shell is an exploit for [&hellip;]","og_url":"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2022-01-12T06:29:06+00:00","article_modified_time":"2022-01-12T06:29:08+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/How-State-Hackers-utilize-New-PowerShell-Backdoor-in-Log4j-Attacks-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"How State Hackers utilize New PowerShell Backdoor in Log4j Attacks?","datePublished":"2022-01-12T06:29:06+00:00","dateModified":"2022-01-12T06:29:08+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/"},"wordCount":643,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/","url":"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/","name":"How State Hackers utilize New PowerShell Backdoor in Log4j Attacks? - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2022-01-12T06:29:06+00:00","dateModified":"2022-01-12T06:29:08+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/how-state-hackers-utilize-new-powershell-backdoor-in-log4j-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How State Hackers utilize New PowerShell Backdoor in Log4j Attacks?"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/4227"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=4227"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/4227\/revisions"}],"predecessor-version":[{"id":4234,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/4227\/revisions\/4234"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/4233"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=4227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=4227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=4227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}