Batloader

Malware updated 22 days ago (2024-11-29T14:35:13.805Z)
Download STIX
Preview STIX
Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Notably, Batloader has been observed loading Cobalt Strike, which is often a precursor to ransomware distribution. From August to October 2022, Microsoft detected DEV-0569 activity where Batloader was delivered via phishing emails, masquerading as legitimate installers for various applications like TeamViewer, Adobe Flash Player, Zoom, and AnyDesk. In December 2023, an access broker group tracked by Microsoft as Storm-0569 began distributing Batloader through search engine optimization (SEO) poisoning. The group used this technique to spoof legitimate software download sites such as Zoom, Tableau, TeamViewer, and AnyDesk, redirecting users to the malicious Batloader download site under certain conditions. Storm-0569, known for downloading post-compromise payloads like Batloader through malvertising and phishing emails, played a crucial role in these activities. In one instance, Storm-0569's Batloader dropped a Cobalt Strike Beacon, followed by data exfiltration using the Rclone tools and Black Basta ransomware deployment. These activities suggest that Batloader is part of a broader threat landscape involving multiple groups and sophisticated techniques, emphasizing the need for robust cybersecurity measures.
Description last updated: 2024-05-04T16:50:28.684Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Zloader is a possible alias for Batloader. ZLoader is a form of malware, or malicious software, that is designed to exploit and damage computer systems. This harmful program can infiltrate a device through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal inform
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Cobalt Strike
Payload
Malvertising
Windows
Malware Drop...
Rmm
Midjourney
Esentire
Loader
Antivirus
Microsoft
Phishing
Infostealer
PowerShell
Cybercrime
Tool
Google
Ransomware P...
Beacon
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Redline Stealer Malware is associated with Batloader. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects sUnspecified
5
The Redline Malware is associated with Batloader. RedLine is a type of malware, or malicious software, designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage forUnspecified
5
The Royal Ransomware Malware is associated with Batloader. Royal Ransomware is a form of malware that was active from September 2022 through June 2023. This malicious software, designed to exploit and damage computers or devices, would infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it could steais related to
5
The Cobalt Strike Beacon Malware is associated with Batloader. Cobalt Strike Beacon is a type of malware, a harmful software designed to exploit and damage computer systems. It is often loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted file vm.cfg. The Insikt Group has identified six distinct Cobalt Strike BeaconUnspecified
4
The Vidar Malware is associated with Batloader. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malwUnspecified
3
The Ursnif Malware is associated with Batloader. Ursnif, also known as Gozi or ISFB, is a type of malware that has been distributed by threat actor group TA551. This harmful software can infiltrate systems via suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data for raUnspecified
2
The QakBot Malware is associated with Batloader. Qakbot is a type of malware, or malicious software, that infiltrates computer systems to exploit and damage them. This harmful program can infect devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt opeUnspecified
2
The IcedID Malware is associated with Batloader. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of dUnspecified
2
Source Document References
Information about the Batloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
MITRE
a year ago
MITRE
a year ago
MITRE
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago