Frequently Asked Questions
Threat Intelligence & PowerLess Trojan
What is the PowerLess Trojan and who is behind it?
The PowerLess Trojan is a PowerShell-based backdoor attributed to the Iranian APT group known as Phosphorus (also called Charming Kitten or APT35). This group is known for espionage campaigns targeting medical research organizations, academic researchers, human rights activists, and the media sector, as well as for interfering with the US presidential elections.
How does the PowerLess Trojan operate?
The PowerLess Trojan is deployed via exploitation of vulnerabilities such as ProxyShell in Microsoft Exchange Server. Once inside, it enables attackers to conduct espionage, deploy ransomware, and maintain persistence within the target network.
What organizations have been targeted by Phosphorus APT using PowerLess?
Phosphorus APT has targeted medical research organizations in the US and Israel; academic researchers in the US, France, and the Middle East; human rights activists; and the media sector. It has also interfered with US presidential elections.
What vulnerabilities did Phosphorus exploit to deploy PowerLess?
Phosphorus exploited Microsoft Exchange Server vulnerabilities, specifically those chained together as ProxyShell, to deploy malware including PowerLess on target networks.
How does Cymulate help organizations defend against threats like PowerLess Trojan?
Cymulate enables organizations to simulate real-world threats, including advanced persistent threats (APTs) like PowerLess, to validate their defenses, identify exploitable vulnerabilities, and prioritize remediation. The platform's continuous threat validation and daily updated threat library help organizations stay ahead of emerging threats.
What is the significance of ProxyShell vulnerabilities in recent APT campaigns?
ProxyShell vulnerabilities in Microsoft Exchange Server have been widely exploited by threat actors, including Phosphorus APT, to gain access to networks, deploy malware, and conduct espionage or ransomware attacks.
How does Cymulate's threat intelligence keep up with new threats like PowerLess?
Cymulate provides the most advanced library of attack simulations with daily updates, ensuring that organizations can test their defenses against the latest threats, including new malware and APT techniques.
What resources does Cymulate offer for learning about threats like PowerLess?
Cymulate offers a Resource Hub with whitepapers, guides, data sheets, solution briefs, e-books, and webinars that cover threat intelligence, exposure management, and real-world attack scenarios.
How can organizations validate their exposure to threats like PowerLess?
Organizations can use Cymulate's Exposure Validation and Attack Path Discovery modules to simulate attacks similar to PowerLess, identify exploitable vulnerabilities, and validate the effectiveness of their security controls.
What types of organizations are most at risk from PowerLess and similar APTs?
Organizations in sectors such as healthcare, academia, media, human rights, and government are often targeted by APT groups like Phosphorus using tools such as PowerLess.
Platform Features & Capabilities
What are the core features of the Cymulate platform?
Cymulate offers continuous threat validation, attack path discovery, automated mitigation, detection engineering acceleration, complete kill chain coverage, and an extensive threat simulation library with daily updates.
How does Cymulate's Exposure Validation differ from manual pen tests?
Cymulate's Exposure Validation provides automated, continuous security testing with a library of over 100,000 attack actions, easy control integrations, and automated mitigation, overcoming the limitations of infrequent manual tests and traditional BAS tools.
What is Cymulate's 'Threat (IoC) updates' feature?
The 'Threat (IoC) updates' feature provides recommended Indicators of Compromise that can be exported and applied directly to security controls, improving threat resilience by enabling rapid defense against new threats.
How does Cymulate support detection engineering?
Cymulate accelerates detection engineering by validating responses and building custom detection rules for SIEM, EDR, and XDR, helping organizations improve their mean time to detect threats.
What integrations does Cymulate offer?
Cymulate integrates with a wide range of technology partners, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, CrowdStrike Falcon, Cybereason, and more. For a full list, visit the Partnerships and Integrations page.
How often is Cymulate's platform updated?
Cymulate updates its SaaS platform every two weeks with new features, such as AI-powered SIEM rule mapping and advanced exposure prioritization, ensuring customers always have access to the latest capabilities.
What is the benefit of Cymulate's immediate threats module?
According to a penetration tester, the immediate threats module is highly valued for its rapid updates, allowing organizations to quickly assess their risk from new attacks and implement remedial actions.
How does Cymulate help with cloud security validation?
Cymulate provides cloud security validation through integrations with tools like AWS GuardDuty and Check Point CloudGuard, enabling organizations to test and validate their cloud security controls against real-world threats.
What technical documentation is available for Cymulate?
Cymulate provides whitepapers, guides, data sheets, solution briefs, and e-books covering topics such as exposure management, detection engineering, vulnerability management, and security validation.
Use Cases & Benefits
Who can benefit from using Cymulate?
Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across industries such as finance, healthcare, retail, media, transportation, and manufacturing.
What business impact can customers expect from Cymulate?
Customers have reported an 81% reduction in cyber risk within four months, a 60% increase in team efficiency, 40X faster threat validation, a 30% improvement in threat prevention, and a 52% reduction in critical exposures.
What pain points does Cymulate solve for security teams?
Cymulate addresses overwhelming threat volumes, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers for CISOs.
How does Cymulate address the needs of different security personas?
Cymulate provides tailored solutions for CISOs (metrics and insights), SecOps (operational efficiency), red teams (automated offensive testing), and vulnerability management teams (exposure prioritization).
What feedback have customers given about Cymulate's ease of use?
Customers consistently praise Cymulate for its user-friendly and intuitive platform, quick implementation, and actionable insights. Testimonials highlight its simplicity and effectiveness for communicating risks to management.
How does Cymulate help financial services organizations?
Cymulate helps financial services organizations defend against sophisticated threats like ransomware, phishing, and APTs by validating security controls for both internal systems and customer-facing applications.
What is Cymulate's overarching vision and mission?
Cymulate's vision is to create an environment where organizations can proactively validate their cybersecurity defenses, identify vulnerabilities, and optimize their security posture, fostering collaboration, innovation, and a proactive approach to cybersecurity.
What is the primary purpose of Cymulate's product?
The primary purpose of Cymulate is to proactively validate cybersecurity defenses, identify vulnerabilities, and optimize security posture by continuously validating threats and exposures.
Security & Compliance
What security and compliance certifications does Cymulate have?
Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, ensuring compliance with global security and privacy standards.
How does Cymulate ensure data security and privacy?
Cymulate is hosted in secure AWS data centers, uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), and follows a strict Secure Development Lifecycle (SDLC) with continuous vulnerability scanning and annual third-party penetration tests.
Is Cymulate GDPR compliant?
Yes, Cymulate is GDPR compliant, incorporating data protection by design and maintaining a dedicated privacy and security team, including a Data Protection Officer (DPO) and Chief Information Security Officer (CISO).
Pricing & Plans
What is Cymulate's pricing model?
Cymulate operates on a subscription-based pricing model tailored to each organization's needs, determined by the chosen package, number of assets, and selected scenarios. For a custom quote, schedule a demo with the Cymulate team.
Competition & Comparison
How does Cymulate compare to AttackIQ?
AttackIQ delivers automated security validation but lacks Cymulate's innovation, threat coverage, and ease of use. Cymulate offers the industry's leading threat scenario library and AI-powered capabilities.
How does Cymulate compare to Mandiant Security Validation?
Mandiant is one of the original BAS platforms but has seen little innovation in recent years. Cymulate continually innovates with AI and automation, expanding into exposure management as a grid leader.
How does Cymulate compare to Pentera?
Pentera focuses on attack path validation but lacks the depth Cymulate provides to fully assess and strengthen defenses. Cymulate covers the full kill chain and provides cloud control validation.
How does Cymulate compare to Picus Security?
Picus is suitable for on-premise BAS needs but lacks the complete exposure validation platform Cymulate provides, including full kill chain and cloud control validation.
How does Cymulate compare to SafeBreach?
SafeBreach offers breach and attack simulation but lacks Cymulate's innovation, precision, and automation. Cymulate leads with AI-powered BAS, the largest attack library, and a full CTEM solution.
How does Cymulate compare to Scythe?
Scythe is suitable for advanced red teams but lacks Cymulate's focus on actionable remediation and automated mitigation. Cymulate provides a more complete exposure validation platform with daily threat updates and no-code workflows.
Implementation & Support
How long does it take to implement Cymulate?
Cymulate is designed for quick, agentless deployment, allowing organizations to start running simulations almost immediately with minimal resources required.
What support options are available for Cymulate customers?
Cymulate offers email support, real-time chat support, a knowledge base, webinars, e-books, and an AI chatbot for troubleshooting and best practices.