“exe --headless launching a hidden PowerShell, which decrypts the fake PNG in memory and reflectively loads the resulting .NET assembly into its own address space. Nothing lands on disk as an ordinary executable. All that persists is the encrypted image, in a folder Defender has…”
T1053.005 Scheduled Task (98%)
“secret.png from https://captr.b-cdn[.]net/secret.png (a BunnyCDN URL that looks at a glance like any other content-delivery link) and saves it to c:\programdata\microsoftedgeupdate.png, a path chosen to sit beside Microsoft’s real browser-update folder…”
T1059.001 PowerShell (97%)
“helper script that drops two PowerShell files into the user’s temporary folder: scr5020.ps1 and pss5032.ps1. The filenames look like specifics but aren’t: the four characters after each prefix are generated fresh every time the installer runs. What stays constant is the p…”
T1059.001 PowerShell (95%)
“user noticing. It also saves and restores the parent PowerShell’s TLS setting, leaving that one global unchanged after it exits. That’s the entire script. Researchers call this pattern a downloader cradle, and its advantage to the attacker is flexibility. The real payload liv…”
T1059.001 PowerShell (88%)
“…plate entries the installer tool generates automatically: extract files, check the Windows version, elevate to admin, write a log, clean up afterwards. Each of those has a name that starts with ai_ followed by a description of what it does. And then, sitting at the bottom of…”
T1059.001 PowerShell (78%)
“introduced itself to the attacker’s server and asked for code to run next — and whether the answer comes back is a decision the operator gets to make later, on their own time, one victim at a time. You cannot tell, from the victim’s side, what was returned. For analysis, we r…”
T1059.001 PowerShell (78%)
“secret.png from https://captr.b-cdn[.]net/secret.png (a BunnyCDN URL that looks at a glance like any other content-delivery link) and saves it to c:\programdata\microsoftedgeupdate.png, a path chosen to sit beside Microsoft’s real browser-update folder…”
T1059.001 PowerShell (67%)
“…quat domain) at google-antigravity[.]com it was convincing enough at a glance. So they went on to download the file, called antigravity_v1.22.2.0.exe. The installer isn’t simply named to look like the real one from Google. It’s 138 MB: large enough to carry the…”
T1053.005 Scheduled Task (57%)
“exe --headless launching a hidden PowerShell, which decrypts the fake PNG in memory and reflectively loads the resulting .NET assembly into its own address space. Nothing lands on disk as an ordinary executable. All that persists is the encrypted image, in a folder Defender has…”
T1053.005 Scheduled Task (54%)
“user noticing. It also saves and restores the parent PowerShell’s TLS setting, leaving that one global unchanged after it exits. That’s the entire script. Researchers call this pattern a downloader cradle, and its advantage to the attacker is flexibility. The real payload liv…”
T1555.003 Credentials from Web Browsers (48%)
“…ize it from its own class and method names, which describe its job in plain English: it scans browsers, messaging apps, gaming platforms, FTP clients, and crypto wallets, collecting data labeled logins, cookies, autofills, and ftpconnections. In practice, that means every Chro…”
T1059.001 PowerShell (46%)
“If you or anyone who shares your computer recently installed something calling itself Google Antigravity from anywhere other than antigravity.google, start by checking the network indicators. Look in firewall logs, EDR alerts, or your router logs for connections to opus-dsn[.…”
T1620 Reflective Code Loading (44%)
“exe --headless launching a hidden PowerShell, which decrypts the fake PNG in memory and reflectively loads the resulting .NET assembly into its own address space. Nothing lands on disk as an ordinary executable. All that persists is the encrypted image, in a folder Defender has…”
Summary
Another AI launch, another trap. A trojanized Google Antigravity installer runs like normal, but secretly hands over your accounts to the attackers.