Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.
Overview
Ninez Hider uses a two-stage loader design built around PowerShell's built-in base64 execution support. The operator invokes powershell.exe with the -encodedCommand (or -enc) flag, supplying a base64-encoded string in place of a plaintext command. This approach is intended to prevent casual log inspection from revealing the true payload URL.
The second stage is fetched from files.catbox.moe, a public file hosting platform that requires no account for anonymous uploads. Its lack of registration requirements makes it a preferred staging host for low-sophistication cheat loaders.
The primary forensic weakness of this technique is that PowerShell's PSReadLine module records every command entered in an interactive session to ConsoleHost_history.txt — including -encodedCommand invocations with the full base64 blob. Even if the actor attempts to wipe evidence, this file persists at a fixed path under the user profile and survives standard cleanup scripts that do not know to target it. The base64 string in history can be decoded offline to recover the original catbox.moe download URL.
Primary IOCs
ConsoleHost_history.txt inspection
Navigate to %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. Open with any text editor. Look for lines containing -encodedCommand or the short alias -enc followed by a long base64 string. This file is not cleared by standard bypass cleanup routines.
Base64 -encodedCommand entry in history
A Ninez Hider invocation will appear similar to: powershell -enc <base64blob>. The base64 blob is typically 80–300 characters. Copy the blob — it decodes to a UTF-16LE string (PowerShell's native encoding). Decode with: [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('<blob>'))
Catbox.moe download URL recovery
After decoding, the plaintext command will contain a Invoke-WebRequest, (New-Object Net.WebClient).DownloadFile, or similar download call targeting a URL on files.catbox.moe. The path component of the URL (e.g. /<hash>.exe) identifies the specific staged payload. Record this URL as a network IOC.
Decoded command analysis
Beyond the download URL, the decoded command may reveal the output path where the second stage is written on disk, execution method (Start-Process, Invoke-Expression, etc.), and any additional arguments. Cross-reference the output path against Prefetch records and Journal Trace entries to confirm execution of the downloaded binary.
Network IOC: files.catbox.moe in DNS cache
Run ipconfig /displaydns in an elevated Command Prompt. A cache entry for files.catbox.moe or its CDN endpoints confirms that the host made an outbound DNS resolution for the staging server. This persists until the DNS cache is flushed and is independent of the PowerShell history file.
PowerShell Encoded Commands & History
PSReadLine, which ships as a default module since PowerShell 5.1, maintains a per-user command history at ConsoleHost_history.txt. Every command executed in an interactive console session is appended to this file. The critical point for investigators: the entire invocation line is recorded, including the base64 blob passed to -encodedCommand.
Bypass authors frequently attempt to clear evidence by deleting Prefetch files, wiping Event Logs, or running Clear-History within the same PowerShell session. However, Clear-History only clears the in-memory history buffer for the current session — it does not modify ConsoleHost_history.txt on disk. Targeted deletion of the file itself requires the actor to know the exact path, which many low-sophistication bypass scripts do not.
To decode a recovered blob manually: PowerShell encodes commands as UTF-16LE before base64-encoding. Standard base64 decoders expecting ASCII/UTF-8 will produce garbled output. Use PowerShell directly, or a tool that supports UTF-16LE decoding (e.g., CyberChef with "Decode text → UTF-16LE" after base64 decode).
Detection Notes
ConsoleHost_history.txt is the primary pivot point. It survives most cleanup attempts and is sufficient on its own to establish that an encoded PowerShell command was executed and to recover the original payload URL. Even if the downloaded binary has been deleted, the DNS cache and download URL provide strong supporting evidence.
Network defenders can block or alert on DNS resolutions to files.catbox.moe at the firewall or DNS resolver level. While catbox.moe has legitimate uses, its presence in a gaming system's DNS cache with no corresponding browser history entry for the domain is suspicious.
For endpoint detection, monitoring for powershell.exe invocations with -enc or -encodedCommand flags via Windows Event Log (Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1) provides proactive detection before any artifact is committed to disk.