Jlaive

Malware Profile Updated 25 days ago
Jlaive is an open-source crypter, a fully undetectable (FUD) builder, that began circulating in 2022. It is known chiefly for its obfuscation stage, the BatCloak engine, which wraps a Windows executable in a batch (.bat) file that antivirus scanners of the time did not flag. Its author, who used the handle ch2sh, contributed substantially to FUD tooling, and Jlaive itself was published as open source.

Although the original Jlaive repository appears abandoned, researchers found that BatCloak lives on as a standalone repository, and the people behind Jlaive have contributed to numerous iterations and adaptations of the engine. The engine's core logic is contained in two Jlaive source files, LineObfuscation.cs and FileObfuscation.cs; researchers have found that this component, originally part of the Jlaive FUD builder, has since been repurposed by other projects.

SeroXen, a modified version of Quasar RAT, adopted the Jlaive loader builder and the BatCloak obfuscation engine to generate a FUD .bat loader; the SeroXen build also adds a rootkit among other changes. BatCloak has likewise been used by the ScrubCrypt malware toolkit, which, unlike Jlaive, is closed source.

Repositories containing modified or cloned versions of Jlaive are repeatedly removed from code-hosting sites such as GitHub and GitLab, but threat actors keep re-uploading the code, and in some cases have ported it to other languages such as Rust. Despite the abandonment of Jlaive's original repository, the continued use and adaptation of its BatCloak engine is what keeps this obfuscation technique a live threat.
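The profile above describes the technique only at the level of "an executable converted into a batch file". The page does not document BatCloak's actual transformations, so the following is an added example of generic detection logic, not code from Jlaive, BatCloak, ScrubCrypt or this page: it scans a .bat file for a base64 blob that decodes to a PE (the "MZ" DOS header) and for the commands a loader needs to turn that text back into an executable. The two normalizations (dropping %name% expansions, which are empty for unset variables in cmd.exe batch files, and removing caret escapes) are assumptions about common batch obfuscation tricks, and the sample loader it scans is constructed for the test, not real BatCloak output.

```python
"""Heuristic scan of a .bat file for an embedded, encoded Windows executable.

Added example: generic batch-loader detection logic, not code from Jlaive or
BatCloak. The normalizations below are assumptions about common cmd.exe
obfuscation, not a description of how BatCloak itself works.
"""
import base64
import binascii
import math
import re
from collections import Counter
from dataclasses import dataclass

# Commands a batch loader typically uses to turn text back into an executable.
DECODER_HINTS = re.compile(
    r"certutil(?:\.exe)?\s+-decode|powershell[^\n]*?-e(?:nc(?:odedcommand)?)?\b|frombase64string",
    re.IGNORECASE,
)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# In a batch file, %name% for a variable that is not set expands to nothing, so an
# obfuscator can sprinkle %junk% through a payload to break plain string matching.
VAR_EXPANSION = re.compile(r"%[^%\s]*%")


def normalize(line: str) -> str:
    """Undo two cheap cmd.exe tricks: empty variable expansions and caret escapes."""
    line = VAR_EXPANSION.sub("", line)      # assumption: treat every %x% as unset
    return re.sub(r"\^(.)", r"\1", line)    # ce^rtutil -> certutil, ^^ -> ^


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def decodes_to_pe(b64: str) -> bool:
    """True if the run base64-decodes to data starting with the 'MZ' DOS header."""
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        data = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return data[:2] == b"MZ"


@dataclass
class ScanResult:
    decoder_hints: list
    embedded_pe: bool
    max_line_length: int
    max_run_entropy: float

    def suspicious(self) -> bool:
        # A decodable PE is conclusive; otherwise require a decoder plus a high-entropy blob.
        return self.embedded_pe or (bool(self.decoder_hints) and self.max_run_entropy > 4.5)


def scan(text: str) -> ScanResult:
    hints, runs, longest = [], [], 0
    for raw in text.splitlines():
        line = normalize(raw)
        longest = max(longest, len(line))
        hints.extend(m.group(0).lower() for m in DECODER_HINTS.finditer(line))
        runs.extend(BASE64_RUN.findall(line))
    # Check each run alone, then the concatenation in file order for payloads split across lines.
    embedded = any(decodes_to_pe(r) for r in runs) or (bool(runs) and decodes_to_pe("".join(runs)))
    entropy = max((shannon_entropy(r) for r in runs), default=0.0)
    return ScanResult(hints, embedded, longest, entropy)


def fake_pe() -> bytes:
    """Constructed stand-in for an executable: DOS header magic plus filler, not a real PE."""
    return b"MZ\x90\x00" + bytes(range(256)) * 2


def build_sample_loader() -> str:
    """Constructed test input in the style of a bat loader; not real BatCloak output."""
    b64 = base64.b64encode(fake_pe()).decode()
    lines = ["@echo off", ":: constructed sample for testing the scanner"]
    chunks = [b64[i:i + 60] for i in range(0, len(b64), 60)]
    for n, chunk in enumerate(chunks):
        lines.append(f'set "p{n}={chunk[:20]}%junk%{chunk[20:]}"')  # junk expansion inside payload
    joined = "".join(f"%p{n}%" for n in range(len(chunks)))
    lines.append(f'echo {joined}> "%TEMP%\\stage.b64"')
    lines.append('cer^tutil -dec^ode "%TEMP%\\stage.b64" "%TEMP%\\stage.exe"')
    return "\n".join(lines)


BENIGN_BAT = (
    "@echo off\n"
    'set "LOGDIR=%TEMP%\\logs"\n'
    'if not exist "%LOGDIR%" mkdir "%LOGDIR%"\n'
    'echo backup done >> "%LOGDIR%\\run.log"\n'
)


if __name__ == "__main__":
    print("loader :", scan(build_sample_loader()))
    print("benign :", scan(BENIGN_BAT))
```

The scanner deliberately keys on what any bat-based loader must contain, an encoded executable and a decoder invocation, rather than on one tool's signature, which is why it still fires after the variable-expansion and caret tricks; a real engine may also split, re-encode or stage the payload in ways this heuristic does not cover, so treat a negative result as "nothing found", not "clean".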
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile description

Batcloak (3 votes): BatCloak is a fully undetectable (FUD) malware obfuscation engine that has been used by threat actors to stealthily deliver their malware since September 2022. The BatCloak engine was initially part of an FUD builder named Jlaive, which began circulating in 2022. Although the Jlaive code repository

Scrubcrypt (2 votes): ScrubCrypt is a sophisticated malware that has been actively used in various cybercrime campaigns. It functions by converting executables into undetectable batch files, thereby making it difficult for antivirus products to detect. This tool provides several options to manipulate malware, enhancing i
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Github
Crypter
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Jlaive malware was read from the documents in the corpus listed below (display limited to 20 results).
Source / Created at / Title

CERT-EU, a year ago: Obfuscation tool 'BatCloak' can evade 80% of AV engines
Trend Micro, a year ago: SeroXen Incorporates Latest BatCloak Engine Iteration
Securityaffairs, a year ago: FUD Malware obfuscation engine BatCloak continues to evolve
Securityaffairs, 2 months ago: ScrubCrypt used to drop VenomRAT along with many malicious plugins
Trend Micro, a year ago: SeroXen Mechanisms: Exploring Distribution, Risks, and Impact
CERT-EU, a year ago: The Good, the Bad and the Ugly in Cybersecurity - Week 24 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting