Post: Some Sources have BackDoors
02-28-2017, 01:09 AM #1
Boliberrys
^^ Sexy ^^
Hello Guys!

For people who are not aware, nowadays not even the source of a program is safe. People are able to run PowerShell scripts with it.

How do they do that?

When you open the .csproj (we are using C# as an example, but it can be used in VB also), you will see a bunch of code.

When you go to the part where it says "<Target Name=" , there people can add PowerShell scripts that will make an EXE download, and execute, making your computer a slave of a RAT/Botnet.

Example of backdoor script:

You must login or register to view this content.


This is how the backdoor works:

You must login or register to view this content.


So when opening a Source, always use GitHub, or at least check if there is any script in it.


Another example is the following.

I downloaded a source, and when I opened the CSPROJ in Notepad, I noticed this code:

You must login or register to view this content.


Which looks pretty normal. But when you decode it, you get something like this:

You must login or register to view this content.

(Too lazy to fix the format)

So as you can see that script downloads a string from this page You must login or register to view this content., means it downloads the following text:
aHR0cDovL2dvdWFzYnFhaDEuZ290ZG5zLmNoL0JhY2tkb29yL0Rvd25sb2FkL1ByaW50ZXJXaXp6YXJkLmV4ZQ==
and decodes it back from Base64, which turns to this:
*Direct Download of an .EXE with backdoor*

(Of course I'm not going to put the link of the exe, but you can decode the string if you want to check)

So basically, the code downloads an .exe from the site, it stores it in %appdata% , and then it executes it.


Hope you guys can take a bit of consideration before opening a Source from someone you don't know.

Credits to Furz(HF), for the gif on how the backdoor works.
Last edited by Boliberrys ; 03-02-2017 at 07:32 PM. Reason: Added Another Example

The following 10 users say thank you to Boliberrys for this useful post:

Dro, Eddie Mac, Frosty, Hydrogen, Insight, John, Kronos, Mrtbyhyourwme, Terrorize 420, Tustin
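
A check along the lines the post recommends, as an added example that is not part of the original thread: it parses a project file and flags any task inside a `<Target>` that mentions PowerShell, an encoded command, a download call, Base64 decoding or `%appdata%`. The pattern list, the function names and the sample project are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristics taken from the post: PowerShell run from a <Target>, Base64 blobs,
# download calls and drops into %appdata%. The exact patterns are assumptions.
SUSPICIOUS = {
    "powershell": re.compile(r"powershell|pwsh", re.I),
    "encoded-command": re.compile(r"\s-(e|ec|en\w*)\s", re.I),
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|WebClient", re.I),
    "base64-decode": re.compile(r"FromBase64String", re.I),
    "appdata-drop": re.compile(r"%appdata%|\$env:appdata", re.I),
    "long-base64": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
}

# Constructed sample: one ordinary target and one that shells out to PowerShell.
SAMPLE = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="AfterBuild">
    <Copy SourceFiles="a.dll" DestinationFolder="bin" />
  </Target>
  <Target Name="BeforeBuild">
    <Exec Command="powershell -EncodedCommand QUJDREVGR0g=" />
  </Target>
</Project>"""

def local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def scan_csproj(xml_text):
    """Return (target name, task name, sorted hit labels) for each flagged task."""
    findings = []
    for target in ET.fromstring(xml_text).iter():
        if local(target.tag) != "Target":
            continue
        for task in target.iter():
            if task is target:
                continue
            blob = " ".join(list(task.attrib.values()) + [task.text or ""])
            hits = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(blob))
            if hits:
                findings.append((target.get("Name"), local(task.tag), hits))
    return findings

if __name__ == "__main__":
    for name, task, hits in scan_csproj(SAMPLE):
        print(f"Target {name!r}: <{task}> flagged for {', '.join(hits)}")
```

This only reads the project file as text and never builds it. Inline tasks and imported .targets files are outside what it checks, so a clean result is not proof that a project is safe to open.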
03-02-2017, 07:57 AM #11
Originally posted by Boliberrys View Post
You can clearly see that everything is written by me.
The only thing I took from someone else at another forum was the gif from the thread teaching how to backdoor with sources.

But meh, haters gonna hate


Not trying to hate, just pointing out you should give credits.
03-02-2017, 07:33 PM #12
Boliberrys
^^ Sexy ^^
Originally posted by lachie4145 View Post
Not trying to hate, just pointing out you should give credits.


Credits added.
