Jlaive

Malware updated 7 months ago (2024-05-04T20:18:52.642Z)
Download STIX
Preview STIX
Jlaive is a malware that began circulating in 2022, primarily known for its obfuscation algorithm powered by the BatCloak engine. The malware was designed to evade antivirus software by converting executables into undetectable batch files. The creator, identified as ch2sh, made significant contributions to Fully Undetectable (FUD) technologies, with Jlaive being an open-source toolkit. However, even though the Jlaive code repository appears abandoned, researchers have discovered that BatCloak remains active as a standalone repository, with threat actors behind Jlaive contributing to numerous iterations and adaptations of the engine. SeroXen, a modified version of Quasar RAT, adopted the loader builder Jlaive and BatCloak obfuscation engine to generate a FUD .bat loader. This modification included a rootkit among other changes. While many repositories containing modified or cloned versions of Jlaive continue to be removed from code hosting sites like GitHub and GitLab, threat actors persist in uploading the code. In some cases, development teams have ported the code to other languages such as Rust. BatCloak's functionality is specifically tied to the instructions "LineObfuscation.cs and FileObfuscation.cs" used in the Jlaive crimeware. Researchers have found that the BatCloak engine was part of the Jlaive FUD builder and is now repurposed. The BatCloak engine has also been utilized in the ScrubCrypt malware toolkit, which unlike Jlaive, is closed-source. Despite the abandonment of Jlaive's original repository, the continued use and adaptation of its core BatCloak engine highlight the ongoing threat posed by this sophisticated obfuscation technology.
Description last updated: 2024-04-09T21:15:29.852Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Batcloak is a possible alias for Jlaive. BatCloak is a fully undetectable (FUD) malware obfuscation engine that has been used by threat actors to stealthily deliver their malware since September 2022. The BatCloak engine was initially part of an FUD builder named Jlaive, which began circulating in 2022. Although the Jlaive code repository
3
Scrubcrypt is a possible alias for Jlaive. ScrubCrypt is a sophisticated malware that has been used as a delivery mechanism for other malicious software, notably VenomRAT. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside the system, ScrubCrypt can disrupt
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Github
Crypter
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Jlaive Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more