The preinstalled and versatile Windows PowerShell has become one of the most popular choices in cyber criminals’ arsenals. We have observed an increase of 661 percent in computers where malicious PowerShell activity was blocked from the second half of 2017 to the first half of 2018—a clear indication that attackers are still growing the use of PowerShell in their attacks.

Of course, it is not just a method seen with targeted attack groups, but also among common cyber criminals deploying financial Trojans or cryptocurrency miners. Especially for fileless attacks, where no file is written to disk, such PowerShell scripts have become very popular, as recently seen with the GhostMiner and Bluwimps worms that distribute coinminers directly in memory.