“…In recent years, Invoke-PSImage has been exploited by Powload (spotted in the first half of 2018), and it is still in the toolbox of different incarnations of Emotet and Bebloh [9,10]. It is also the basis of stages for dropping payloads on the host of the victim in malicious software like the Greystar ransomware and some variants of Ursnif [11]. Another notable utilization concerns the creation of backdoors, as happens in Bandook.…”