{
	"id": "7cd2e581-caef-4887-a77a-836bd720bcb7",
	"created_at": "2026-05-05T02:44:52.075268Z",
	"updated_at": "2026-05-05T02:46:36.643402Z",
	"deleted_at": null,
	"sha1_hash": "1d569e4fdf8e039069d961a195007224328425fd",
	"title": "Revisiting BatLoader C2 structure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 936612,
	"plain_text": "Revisiting BatLoader C2 structure\r\nBy Jason Reaves\r\nPublished: 2022-04-15 · Archived: 2026-05-05 02:32:45 UTC\r\n2 min read\r\nApr 15, 2022\r\nBy: Jason Reaves and Joshua Platt\r\nBatLoader, named by Mandiant[7], is an interesting distribution/loading system that has been discussed\r\npreviously[1,2] and leveraged by various actors. Recent media headlines show the connection to Zloader[3] after a\r\ndisruption was done by multiple organizations[4] but this is not a Zloader exclusive service.\r\nReports of the disruption included brief mentions of BatLoader in their reporting. We assume that was not the\r\ntarget of their recent disruption campaign because the service is still functioning. While looking into new\r\nBatLoader campaigns, we noticed they changed the C2 structure of the loading process since our last blog[1]:\r\nhttps://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a\r\nPage 1 of 4\n\nRef: Virustotal.com\r\nThe structure looks similar to what we reported previously, but some of the data now looks like a hash value.\r\nPreviously:\r\n/processingSetRequestBat1/?servername=\r\n/processingSetRequestBat2/?servername=\r\n/processingSetRequestBat3/?servername=\r\n/processingSetRequestBat4/?servername=\r\n/processingSetRequestBat5/?servername=\r\n/processingSetRequestBat6/?servername=\r\n/processingSetRequestBot/?servername=\r\n/processingSetRequestCoba/?servername=\r\n/processingSetRequestDownload/?servername=\r\n/processingSetRequestAtera/?servername=\r\nSo these hash values aren’t just the hash of the processing strings, right?\r\n\u003e\u003e\u003e hashlib.md5('processingSetRequestBat1').hexdigest()\r\n'e6a5614c379561c94004c531781ee1c5'\r\nAh, so they are. Then we can create new suricata rules based on the new patterns. However, I noticed if the hash\r\nstarts with a number then the developer changes it to a character, for example:\r\n\u003e\u003e\u003e hashlib.md5('processingSetRequestBat3').hexdigest()\r\n'73874ddb552a5b45cade5a2700d15587'\r\nThe hash used in traffic patterns however is:\r\na3874ddb552a5b45cade5a2700d15587\r\nGoing by the other Bat requests it appears they are going in order; a,b,c,d… So we can continue mapping hash\r\nvalues to the new request structure:\r\n/e6a5614c379561c94004c531781ee1c5/?servername=\r\n/f69af5bc8498d0ebeb37b801d450c046/?servername=\r\n/a3874ddb552a5b45cade5a2700d15587/?servername=\r\n/fa777fbbb8f055cb8bfcba6cb41c62e7/?servername=\r\n/b1eeec75ef1488e2484b14c8fd46ddce/?servername=\r\n/c003996958c731652178c7113ad768b7/?servername=\r\n/d2ef590c0310838490561a205469713d/?servername=\r\n/fa0a24aafe050500595b1df4153a17fb/?servername=\r\n/i850c923db452d4556a2c46125e7b6f2/?servername=\r\n/b5e6ec2584da24e2401f9bc14a08dedf/?servername=\r\n/e747834ae24a1a43e044ea7b070048f0/?servername=\r\nWith the addition of deploying a stealer this maps like:\r\nMost of the reporting has also shown that the templating for the msi installers has been Zoom and Teamviewer\r\nbased fake installers, however as we have previously mentioned there are many affiliates involved in this service.\r\nA more exhaustive list of fake software templates for the initial MSI files can be found below:\r\nzoom\r\nteamviewer\r\nAnyDesk\r\nTelegram\r\nyoutube\r\ncheats\r\nccleaner\r\ndiscord\r\nthunderbird\r\nluminar\r\nadobe reader\r\nchrome\r\nfirefox\r\nbrave\r\ngemini\r\ngrammarly\r\nquicken\r\nrobinhood\r\namazon\r\nsmbc\r\nfidelity\r\nlogmein\r\nReferences:\r\n1: https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489\r\n2: https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/\r\n3: https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/\r\n4: https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/\r\n5: https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/\r\n6: https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/\r\n7: https://www.mandiant.com/resources/seo-poisoning-batloader-atera\r\nSource: https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a"
	],
	"report_names": [
		"revisiting-batloader-c2-structure-52f46ff9893a"
	],
	"threat_actors": [],
	"ts_created_at": 1777949092,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d569e4fdf8e039069d961a195007224328425fd.pdf",
		"text": "https://archive.orkl.eu/1d569e4fdf8e039069d961a195007224328425fd.txt",
		"img": "https://archive.orkl.eu/1d569e4fdf8e039069d961a195007224328425fd.jpg"
	}
}