Batloader

Malware updated 4 months ago (2024-05-04T20:08:36.054Z)
Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Notably, Batloader has been observed loading Cobalt Strike, which is often a precursor to ransomware distribution.

From August to October 2022, Microsoft detected DEV-0569 activity where Batloader was delivered via phishing emails, masquerading as legitimate installers for various applications like TeamViewer, Adobe Flash Player, Zoom, and AnyDesk.

In December 2023, an access broker group tracked by Microsoft as Storm-0569 began distributing Batloader through search engine optimization (SEO) poisoning. The group used this technique to spoof legitimate software download sites such as Zoom, Tableau, TeamViewer, and AnyDesk, redirecting users to the malicious Batloader download site under certain conditions. Storm-0569, known for downloading post-compromise payloads like Batloader through malvertising and phishing emails, played a crucial role in these activities. In one instance, Storm-0569's Batloader dropped a Cobalt Strike Beacon, followed by data exfiltration using the Rclone tools and Black Basta ransomware deployment. These activities suggest that Batloader is part of a broader threat landscape involving multiple groups and sophisticated techniques, emphasizing the need for robust cybersecurity measures.
Description last updated: 2024-05-04T16:50:28.684Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Zloader | 2 | ZLoader is a form of malware, or malicious software, that is designed to exploit and damage computer systems. This harmful program can infiltrate a device through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal inform
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Cobalt Strike
Payload
Malvertising
Windows
Malware Drop...
Rmm
Midjourney
Esentire
Loader
Antivirus
Microsoft
Phishing
Infostealer
PowerShell
Cybercrime
Tool
Google
Ransomware P...
Beacon
Associated Malware
ID | Type | Votes | Profile Description
Redline Stealer | Unspecified | 5 | RedLine Stealer is a malicious software (malware) that infiltrates computer systems and devices, often unbeknownst to users. The malware can infect systems through suspicious downloads, emails, or websites, causing significant damage by stealing personal information, disrupting operations, or even h
Redline | Unspecified | 5 | RedLine is a notorious malware that has been widely used by cybercriminals to steal sensitive information. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can cause significant damage by stealing personal data or disrupting operations. RedLine's conf
Royal Ransomware | is related to | 5 | The Royal Ransomware, a harmful malware program designed to exploit and damage computer systems, operated from September 2022 through June 2023. It employed multi-threaded encryption to disrupt operations and hold data hostage for ransom. The ransomware was primarily disseminated through suspicious
Cobalt Strike Beacon | Unspecified | 4 | Cobalt Strike Beacon is a type of malware that has been linked to various ransomware activities. This malicious software has been loaded by HUI Loader in several instances, with different files such as mpc.tmp, dlp.ini, and vmtools.ini being used. A unique feature of this Cobalt Strike Beacon shellc
Vidar | Unspecified | 3 | Vidar is a type of malware specifically designed to infiltrate and exploit Windows-based systems. It's written in C++ and is based on the Arkei stealer, which means it has the capability to steal personal information from infected devices. Vidar has been found impersonating legitimate software appli
Ursnif | Unspecified | 2 | Ursnif, also known as Gozi or ISFB, is a type of malware that poses significant threats to computer systems and user data. It's often distributed through suspicious downloads, emails, or websites, infiltrating systems without the user's knowledge. Once installed, Ursnif can steal personal informatio
QakBot | Unspecified | 2 | Qakbot is a type of malware that has been linked to various cybercriminal activities, with its presence first observed as early as 2020. It gained notoriety for its role in the operations of the Black Basta ransomware group, which used Qakbot extensively in sophisticated phishing campaigns. The malw
IcedID | Unspecified | 2 | IcedID is a malicious software (malware) that has been linked to various cybercrime operations. The malware can infiltrate systems via suspicious downloads, emails, or websites and proceed to steal personal information, disrupt operations, or hold data for ransom. IcedID has been associated with oth
Source Document References
Information about the Batloader malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 8 months ago | Microsoft Disables App Installer Feature Amid Security Concerns
CERT-EU | 8 months ago | MSIX App Installer Disabled Amid Microsoft Malware Attacks
CERT-EU | 8 months ago | Microsoft disables online Windows App Installer after attackers abuse it | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 8 months ago | Microsoft Implements Disablement of Widely Exploited MSIX App Installer Protocol Due to Malware Attacks
CERT-EU | 8 months ago | Financially motivated threat actors misusing App Installer | Microsoft Security Blog
CERT-EU | 8 months ago | Malware attacks exploiting app installation protocol prompt deactivation
BankInfoSecurity | 8 months ago | Microsoft Disables Abused Application Installation Protocol
CERT-EU | 8 months ago | Microsoft disables app installation protocol abused by hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 8 months ago | Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
MITRE | 9 months ago | DEV-0569 finds new ways to deliver Royal ransomware, various payloads | Microsoft Security Blog
MITRE | 9 months ago | Royal Rumble: Analysis of Royal Ransomware
MITRE | 9 months ago | Royal Ransomware Deep Dive | Kroll
CERT-EU | 9 months ago | How to protect your organization against SEO poisoning and malvertising
CERT-EU | a year ago | 8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | a year ago | BatLoader malware distributed through fraudulent Cisco Webex ad
CERT-EU | a year ago | Cybercriminals Combine Phishing and EV Certificates to Deliver Ransomware Payloads
CERT-EU | a year ago | Cyber Security Week in Review: September 15, 2023
CERT-EU | a year ago | Cybercriminals Use Webex Brand to Target Corporate Users
CERT-EU | a year ago | Fake Cisco Webex Google Ads abuse tracking templates to push malware