Batloader

Malware updated 7 months ago (2024-05-04T20:08:36.054Z)

Download STIX

Preview STIX

Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Notably, Batloader has been observed loading Cobalt Strike, which is often a precursor to ransomware distribution. From August to October 2022, Microsoft detected DEV-0569 activity where Batloader was delivered via phishing emails, masquerading as legitimate installers for various applications like TeamViewer, Adobe Flash Player, Zoom, and AnyDesk. In December 2023, an access broker group tracked by Microsoft as Storm-0569 began distributing Batloader through search engine optimization (SEO) poisoning. The group used this technique to spoof legitimate software download sites such as Zoom, Tableau, TeamViewer, and AnyDesk, redirecting users to the malicious Batloader download site under certain conditions. Storm-0569, known for downloading post-compromise payloads like Batloader through malvertising and phishing emails, played a crucial role in these activities. In one instance, Storm-0569's Batloader dropped a Cobalt Strike Beacon, followed by data exfiltration using the Rclone tools and Black Basta ransomware deployment. These activities suggest that Batloader is part of a broader threat landscape involving multiple groups and sophisticated techniques, emphasizing the need for robust cybersecurity measures.

Description last updated: 2024-05-04T16:50:28.684Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Zloader is a possible alias for Batloader. ZLoader is a form of malware, or malicious software, that is designed to exploit and damage computer systems. This harmful program can infiltrate a device through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal inform	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Malware

Cobalt Strike

Payload

Malvertising

Windows

Malware Drop...

Rmm

Midjourney

Esentire

Loader

Antivirus

Microsoft

Phishing

Infostealer

PowerShell

Cybercrime

Tool

Google

Ransomware P...

Beacon

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Redline Stealer Malware is associated with Batloader. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s	Unspecified	5
The Redline Malware is associated with Batloader. RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. RedLine has been favored by threat actor	Unspecified	5
The Royal Ransomware Malware is associated with Batloader. Royal Ransomware is a form of malware that was active from September 2022 through June 2023. This malicious software, designed to exploit and damage computers or devices, would infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it could stea	is related to	5
The Cobalt Strike Beacon Malware is associated with Batloader. Cobalt Strike Beacon is a type of malware, a harmful software designed to exploit and damage computer systems. It is often loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted file vm.cfg. The Insikt Group has identified six distinct Cobalt Strike Beacon	Unspecified	4
The Vidar Malware is associated with Batloader. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw	Unspecified	3
The Ursnif Malware is associated with Batloader. Ursnif, also known as Gozi or ISFB, is a type of malware that has been distributed by threat actor group TA551. This harmful software can infiltrate systems via suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data for ra	Unspecified	2
The QakBot Malware is associated with Batloader. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d	Unspecified	2
The IcedID Malware is associated with Batloader. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d	Unspecified	2

Source Document References

Information about the Batloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	Microsoft Disables App Installer Feature Amid Security Concerns
CERT-EU	10 months ago	MSIX App Installer Disabled Amid Microsoft Malware Attacks
CERT-EU	a year ago	Microsoft disables online Windows App Installer after attackers abuse it \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Microsoft disables online Windows App Installer after attackers abuse it \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Microsoft Implements Disablement of Widely Exploited MSIX App Installer Protocol Due to Malware Attacks
CERT-EU	a year ago	Financially motivated threat actors misusing App Installer \| Microsoft Security Blog
CERT-EU	a year ago	Malware attacks exploiting app installation protocol prompt deactivation
BankInfoSecurity	a year ago	Microsoft Disables Abused Application Installation Protocol
CERT-EU	a year ago	Microsoft disables app installation protocol abused by hackers \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks \| #ransomware \| #cybercrime \| National Cyber Security Consulting
MITRE	a year ago	DEV-0569 finds new ways to deliver Royal ransomware, various payloads \| Microsoft Security Blog
MITRE	a year ago	Royal Rumble: Analysis of Royal Ransomware
MITRE	a year ago	Royal Ransomware Deep Dive \| Kroll
CERT-EU	a year ago	How to protect your organization against SEO poisoning and malvertising
CERT-EU	a year ago	8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	BatLoader malware distributed through fraudulent Cisco Webex ad
CERT-EU	a year ago	Cybercriminals Combine Phishing and EV Certificates to Deliver Ransomware Payloads
CERT-EU	a year ago	Cyber Security Week in Review: September 15, 2023
CERT-EU	a year ago	Cybercriminals Use Webex Brand to Target Corporate Users
CERT-EU	a year ago	Fake Cisco Webex Google Ads abuse tracking templates to push malware