Batcloak

Category: Malware. Last updated 15 days ago (2024-11-29T14:15:35.124Z).
BatCloak is a fully undetectable (FUD) malware obfuscation engine that threat actors have used to stealthily deliver malware since September 2022. The engine was initially part of an FUD builder named Jlaive, which began circulating in 2022. Although the Jlaive code repository appears to be abandoned, researchers discovered that BatCloak had its own standalone repository, with the threat actors behind Jlaive contributing to numerous iterations and adaptations of the engine. BatCloak is known for using heavily obfuscated batch files to deploy various malware families, effectively evading detection by antivirus programs. The inclusion of SeroXen and BatCloak in the arsenal of malicious actors underscores the evolution of FUD obfuscators with a low barrier to entry.

In June 2023, Trend Micro researchers detailed how multiple threat actors were using the BatCloak obfuscation engine. The first entry of a three-part technical analysis, titled "The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression", delved into the evolution of the BatCloak engine. The second part, titled "SeroXen Incorporates Latest BatCloak Engine Iteration", discussed the SeroXen malware and its use of the latest BatCloak iteration to generate an FUD ".bat" loader.

BatCloak has been implicated in several campaigns, including one in which it was used alongside another malware obfuscation engine, ScrubCrypt, to distribute malware through obfuscated batch scripts. An updated version of ScrubCrypt, also known as BatCloak, was reported by the HUMAN Satori Threat Intelligence Team to be delivering the RedLine stealer malware. When a targeted user opens a specific SVG file, the embedded ECMAScript (JavaScript) creates a new Blob and uses "window.URL.createObjectURL" to drop the decoded data as a ZIP file. The decompressed file reveals an obfuscated batch file with an embedded payload, presumably created by the BatCloak tool, which distributes malware while effectively evading antivirus detection.
Description last updated: 2024-05-04T16:07:34.522Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Alias (votes): Description

ScrubCrypt (3 votes): possible alias for BatCloak. ScrubCrypt is a sophisticated malware that has been used as a delivery mechanism for other malicious software, notably VenomRAT. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside the system, ScrubCrypt can disrupt

SeroXen (3 votes): possible alias for BatCloak. SeroXen is a potent malware that has been discovered in malicious NuGet packages, infecting developer systems. The Remote Access Trojan (RAT) was first identified by the DevSecOps company Phylum and is being delivered through typosquatted NuGet packages. Additionally, SeroXen has been found to targe

Jlaive (3 votes): possible alias for BatCloak. Jlaive is a malware that began circulating in 2022, primarily known for its obfuscation algorithm powered by the BatCloak engine. The malware was designed to evade antivirus software by converting executables into undetectable batch files. The creator, identified as ch2sh, made significant contribut
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Remcos
Antivirus
Ransomware
Payload
Associated Malware
Malware (association type; votes): Description

Mallox (Unspecified; 2 votes): associated with BatCloak. Mallox is a potent malware that has been causing significant disruption in the digital world. This ransomware, primarily infiltrating networks via SQL servers, has shown its ability to adapt and evolve over time. PCrisk has identified new variants of Mallox that append extensions such as .ma1x0, .co

TargetCompany (Unspecified; 2 votes): associated with BatCloak. TargetCompany is a known malware entity, often referred to as Mallox, Tohnichi, or Fargo in various articles and blog posts. This malicious software is designed to infiltrate and damage computer systems, often without the user's knowledge. It can enter systems through suspicious downloads, emails, o