Jlaive

Malware updated 4 months ago (2024-05-04T20:18:52.642Z)
Jlaive is a malware builder that began circulating in 2022, known primarily for its obfuscation algorithm, which is powered by the BatCloak engine. It was designed to evade antivirus software by converting executables into batch files that scanners did not detect. Its creator, identified as ch2sh, contributed significantly to Fully Undetectable (FUD) tooling, and Jlaive itself was released as an open-source toolkit.

Although the Jlaive code repository appears abandoned, researchers have found that BatCloak remains active as a standalone repository, with the threat actors behind Jlaive contributing to numerous iterations and adaptations of the engine. SeroXen, a modified version of Quasar RAT, adopted the Jlaive loader builder and the BatCloak obfuscation engine to generate a FUD .bat loader; this modification included a rootkit among other changes. Many repositories containing modified or cloned versions of Jlaive continue to be removed from code hosting sites such as GitHub and GitLab, yet threat actors persist in re-uploading the code, and in some cases development teams have ported it to other languages such as Rust.

BatCloak's functionality is tied specifically to the source files LineObfuscation.cs and FileObfuscation.cs used in the Jlaive crimeware. Researchers have found that the BatCloak engine, originally part of the Jlaive FUD builder, has since been repurposed; it has also been used in the ScrubCrypt malware toolkit, which, unlike Jlaive, is closed-source. Despite the abandonment of Jlaive's original repository, the continued use and adaptation of its core BatCloak engine highlights the ongoing threat posed by this obfuscation technology.
Description last updated: 2024-04-09T21:15:29.852Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: Batcloak (3 votes)
Profile description: BatCloak is a fully undetectable (FUD) malware obfuscation engine that has been used by threat actors to stealthily deliver their malware since September 2022. The BatCloak engine was initially part of an FUD builder named Jlaive, which began circulating in 2022. Although the Jlaive code repository

ID: Scrubcrypt (2 votes)
Profile description: ScrubCrypt is a sophisticated malware that has been used as a delivery mechanism for other malicious software, notably VenomRAT. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside the system, ScrubCrypt can disrupt
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Github
Crypter
Source Document References
Information about the Jlaive malware was read from the documents in the corpus below. This display is limited to 20 results.
Source (created at): Title

Securityaffairs (5 months ago): ScrubCrypt used to drop VenomRAT along with many malicious plugins
CERT-EU (a year ago): Obfuscation tool 'BatCloak' can evade 80% of AV engines
CERT-EU (a year ago): The Good, the Bad and the Ugly in Cybersecurity - Week 24 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Trend Micro (a year ago): SeroXen Mechanisms: Exploring Distribution, Risks, and Impact
Trend Micro (a year ago): SeroXen Incorporates Latest BatCloak Engine Iteration
Securityaffairs (a year ago): FUD Malware obfuscation engine BatCloak continues to evolve