{
	"id": "1625c1fa-94fd-4ffa-a210-a100ad9e166f",
	"created_at": "2026-04-06T01:31:09.471344Z",
	"updated_at": "2026-04-10T13:12:43.46508Z",
	"deleted_at": null,
	"sha1_hash": "52fd3849db36a54a40c091732817776e3c52e384",
	"title": "Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 588164,
	"plain_text": "Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing\r\nMalicious Batch Scripts to Deploy Stealthy Rootkits\r\nArchived: 2026-04-06 00:51:18 UTC\r\nSecuronix Threat Research Security Advisory\r\nBy Securonix Threat Research: Den Iuzvyk, Tim Peck\r\nMar 13, 2025\r\ntldr:\r\nThe Securonix Threat Research team has been tracking a stealthy malware campaign leveraging social engineering and\r\ndeceptive file downloads to trick users into executing heavily obfuscated code. This infection ultimately deploys a user-mode rootkit that manipulates system processes and registry entries to evade detection and maintain persistence.\r\nTracked as OBSCURE#BAT, our team recently identified a malicious campaign that relies on batch script execution to kick\r\noff a deep-nested chain of malware resulting in a user-mode rootkit that we identified as r77 rootkit which has the ability to\r\ncloak or mask any file, registry key or task beginning with a specific prefix. It has been targeting users by either\r\nmasquerading as legitimate software downloads or via fake captcha social engineering scams.\r\nThe malware that gets installed leverages a user-mode rootkit to establish persistence and evade detection on compromised\r\nsystems. The infection begins with highly obfuscated batch scripts, which execute a series of environment variable\r\nmanipulations and PowerShell commands to deploy the next-stage payload. The malware stores obfuscated scripts in the\r\nWindows Registry and ensures execution via scheduled tasks, allowing it to run stealthily in the background. Additionally, it\r\nmodifies system registry keys to register a fake driver ( ACPIx86.sys ), further embedding itself into the system.\r\nWhat makes this malware particularly dangerous is its ability to hide files, registry entries, and running processes using user-mode API hooking. 
Any artifacts matching a specific pattern ( $nya- ) become invisible to standard Windows tools like\r\nTask Manager, Explorer, and shell commands such as “dir” to list directory contents. The malware also interacts with critical\r\nsystem processes allowing it to embed deeper into legitimate processes and services. Security logs indicate it is capable of\r\ndeleting evidence of its activity while remaining undetectable by conventional methods.\r\nKey observations\r\nAttackers are using several methods to get users to execute malicious batch scripts\r\nObfuscated batch script initiates infection by executing dynamic PowerShell commands.\r\nPersistence established through scheduled tasks and registry injected PowerShell scripts.\r\nFiles, registry entries and processes hidden using API hooking, preventing detection by users and standard tools.\r\nhttps://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits\r\nPage 1 of 15\n\nAttempts to register a fake driver ( ACPIx86.sys ) via the Windows Registry for further persistence.\r\nSigns of process injection into legitimate Windows processes.\r\nThe infected system prevents visibility of any files, processes or registry keys matching the “ $nya- ” prefix.\r\nPowerShell execution delays and hidden processes suggest advanced rootkit behavior.\r\nFinal payloads include a user-mode rootkit and another system mode rootkit which gets executed as a service\r\nMalware regularly monitors for clipboard and command history and saves them into hidden files for exfiltration\r\nInitial infection\r\nCode execution begins when a user unknowingly or knowingly executes a malicious batch file. We observed several\r\nmethods used by the attackers:\r\nDelivery method 1: Fake captcha to code execution:\r\nThe idea behind this social engineering scam is to trick the user into executing malicious code by masquerading as a\r\nlegitimate Cloudflare captcha. 
Many of the captchas we observed sat behind typosquatted domains, such as\r\nhxxps://cooinbase[.]net in one example.\r\nWe’ve all seen the dialog boxes and clicked the fire hydrants and crosswalks dozens of times. Attackers prey on these rather\r\ninnocuous tasks in order to trick the user into executing malicious code instead.\r\nAs seen in the figure below, when a user clicks the “Verify you are human” checkbox, code is copied via JavaScript to the\r\nuser’s clipboard. Instructions follow to hit Windows + R to open the Run dialog box, paste in the just copied contents, and\r\nthen hit OK.\r\nFigure 1: Initial code execution\r\nDelivery method 2: Masquerading as legitimate tooling\r\nThe attackers also opted to spread the malware by masquerading as legitimate tools and software. We observed several file\r\nnames that revealed some insight as to the tools they were masquerading as. As you’ll see further down in the campaign, these included\r\nSIP (VoIP) software, the Tor Browser, Adobe software and other network and messaging client software. Unfortunately we\r\nwere not able to obtain any information as to the download links, though we speculate that malvertising could have been an\r\ninitial starting point.\r\nInitial code execution analysis\r\nWhile we were able to gather many of the attackers’ .bat files, we’ll focus on one in particular. This batch file was a part of a\r\ndownloaded zip file “sip.zip” which contained a malicious batch file named “install.bat”. The rest of the files appeared to be\r\nlegitimate and non-malicious.\r\nThe install.bat file serves as the initial execution point for the malware, setting off a series of actions that establish\r\npersistence and deploy the embedded RAT malware and rootkit. 
When a user clicks on install.bat, it calls PowerShell to\r\nexecute obfuscated commands, which in turn write additional scripts or payloads to disk, modify the registry, and schedule\r\ntasks for persistence, which we’ll dive into further down.\r\nFigure 2: sip.zip file contents – install.bat\r\nThe batch file is highly obfuscated, making static analysis difficult. Because of this, detections were minimal. At the time of\r\nwriting, we analyzed a few batch files identified as part of the OBSCURE#BAT campaign and they all scored very low (0–2\r\ndetections on VirusTotal).\r\nFigure 3: VirusTotal detections for install.bat\r\nAt first glance, the batch scripts used in the campaign are massive. In this example, we’ll analyze “install.bat” which stood\r\nat over 6MB in size.\r\nAfter opening the batch file in a text editor, the reason for its size becomes apparent. The script contains thousands of lines\r\nof variables defined or concatenated to thwart analysis.\r\nThe script essentially consists of two main components:\r\n1. The obfuscated batch script code which we’ll dive into now\r\n2. A very large string of random characters at the last line of the script – an embedded payload we’ll discuss later.\r\nThe obfuscated batch script relies heavily on padding the code with useless variables (referenced as %…%) and character\r\nsubstitutions. Strings of commands are built from hundreds of predefined variables which, when parsed, execute the next-stage payload.\r\nFigure 4: Obfuscated contents of install.bat\r\nDeobfuscating the contents of install.bat took some time, but once we identified the variable sequences that built up the SET\r\ncommand, it started to come together. We replaced those sequences with the actual SET command.\r\nOnce done, the remaining lines consisted of concatenated variable strings. 
By inserting an ECHO command before them, we\r\ncould print the contents instead of executing them.\r\nFigure 5: Deobfuscation process of install.bat\r\nOnce initial execution is completed, the install.bat file deletes itself, hiding malicious artifacts while the next-stage\r\nPowerShell code is executed.\r\nPowerShell Execution\r\nThe PowerShell executed in the next stage performs several tasks. First, it runs an unusual system check using Get-WmiObject\r\nWin32_DiskDrive to query the system’s physical disk drive information.\r\nThe command retrieves details about all connected storage devices, while Select-Object -ExpandProperty Model extracts\r\nonly the model names. The output is then piped to findstr /i 'WDS100T2B0A', which performs a case-insensitive search for\r\nthe SSD model WDS100T2B0A (a Western Digital Blue SSD, 1TB SATA 2.5″).\r\nIf this specific SSD is found, the script proceeds with additional checks (such as verifying whether the F:\\ drive is empty), apparently an anti-analysis technique aimed at analysis environments. However, we could not determine why execution would be halted based\r\non these checks.\r\nFigure 6: PowerShell execution – disk drive checks\r\nLastly, the script either exits with error code 900 if the SSD (WDS100T2B0A) is detected and F:\\ is empty, or continues\r\nnormally.\r\nPowerShell Obfuscation\r\nThe PowerShell script employs multiple obfuscation techniques to evade detection. One primary method is string\r\nobfuscation using concatenation and character replacements – evident from the extensive use of .Replace() calls.\r\nFor example, one line uses PowerShell Invoke-Expression to run:\r\n'$rFUJ=\r\n[nKSnKynKsnKtnKemnK.nKSenKcnKunKrinKtnKynK.nKCnKrnKynKpnKtnKonKgnKrnKanKpnKhynK.nKAnKesnK]nK::nKCrnKenKanKtnKe(nK)nK;'.Replace('nK',\r\n'');\r\nAfter removing every “nK” marker, the command becomes:\r\n$rFUJ = [System.Security.Cryptography.Aes]::Create();\r\nThis reveals that AES is used to decrypt the embedded payload before it is executed. 
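The two layers just walked through, batch variables rebuilt into SET and command lines and PowerShell string literals unwrapped by stripping the .Replace() marker, can be emulated statically instead of inserting ECHO and running the script. The Python below is an added example written for this page, not tooling from the Securonix analysis, and it runs on a constructed batch fragment in the style of install.bat: the sample script, its variable names and the use of nK as the marker are assumptions. It resolves %var%, %var:~start,len% and %var:old=new% expansions the way cmd.exe does, treats any expanded line that begins with SET as a definition, collects every other expanded line as a recovered command (what ECHO would have printed), and then collapses quoted-literal .Replace() chains and adjacent literal concatenations in the recovered PowerShell.

```python
import re

# Constructed sample in the style of the campaign's batch files (not the real
# install.bat): padding variables, the SET keyword spelled out of substring
# expansions of an alphabet variable, and a PowerShell command assembled from
# fragments with a marker string (nK, an assumption) inserted to defeat matching.
SAMPLE_BAT = '''
@echo off
set alpha=abcdefghijklmnopqrstuvwxyz
set pad01=KQzx91
set pad02=Lm0Pw
%alpha:~18,1%%alpha:~4,1%%alpha:~19,1% mk=nK
%alpha:~18,1%%alpha:~4,1%%alpha:~19,1% p0=%alpha:~15,1%ow%alpha:~4,1%rsh%alpha:~4,1%ll
%alpha:~18,1%%alpha:~4,1%%alpha:~19,1% c0='$rFUJ=[%mk%Sy%mk%stem.Se%mk%curity.Cryptography.Aes]::Create();'
%alpha:~18,1%%alpha:~4,1%%alpha:~19,1% c1=%c0%.Replace('%mk%','')
%p0% -w hidden -c %c1%
del %~f0
'''

# %name%, %name:~start,len% and %name:old=new% (cmd.exe percent expansion)
VAR_REF = re.compile('%([^%:\\s]+)(?::~(-?\\d+)(?:,(-?\\d+))?|:([^=%]+)=([^%]*))?%')
Q = chr(39)   # single quote
DQ = chr(34)  # double quote
# \x27 is the single-quote character; it keeps quote juggling out of the pattern text
# 'literal'.Replace('old','new').Replace(...)        'a'+'b'
REPLACE_CHAIN = re.compile('\\x27([^\\x27]*)\\x27((?:\\.Replace\\(\\x27[^\\x27]*\\x27,\\x27[^\\x27]*\\x27\\))+)')
ONE_REPLACE = re.compile('\\.Replace\\(\\x27([^\\x27]*)\\x27,\\x27([^\\x27]*)\\x27\\)')
CONCAT = re.compile('\\x27([^\\x27]*)\\x27\\s*\\+\\s*\\x27([^\\x27]*)\\x27')


def _substr(value, start, length):
    # cmd.exe semantics: a negative start counts from the end, a negative
    # length drops that many characters from the end
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    return value[s:s + length] if length >= 0 else value[s:n + length]


class BatchEmulator:
    def __init__(self):
        self.vars = {}       # variable name (lower-cased) -> value
        self.commands = []   # expanded non-SET lines, i.e. what ECHO would print

    def _expand_one(self, m):
        value = self.vars.get(m.group(1).lower(), '')   # undefined expands to empty in a .bat
        if m.group(2) is not None:
            length = int(m.group(3)) if m.group(3) is not None else None
            return _substr(value, int(m.group(2)), length)
        if m.group(4) is not None:   # :old=new is case-insensitive in cmd.exe
            return re.sub(re.escape(m.group(4)), lambda _: m.group(5), value, flags=re.IGNORECASE)
        return value

    def expand(self, line):
        return VAR_REF.sub(self._expand_one, line)

    def run(self, script):
        for raw in script.splitlines():
            # expand first: a SET keyword built out of substrings must be recognised too
            line = self.expand(raw.strip()).lstrip('@').strip()
            low = line.lower()
            if not line or low.startswith('echo off') or low.startswith('rem '):
                continue
            if low.startswith('set '):
                body = line[4:].strip()
                if body.startswith(DQ) and body.endswith(DQ):   # set "name=value" form
                    body = body[1:-1]
                name, _, value = body.partition('=')
                self.vars[name.strip().lower()] = value
            else:
                self.commands.append(line)
        return self.commands


def _apply_chain(m):
    # apply each .Replace() of the chain, in order, to the literal it hangs off
    literal = m.group(1)
    for old, new in ONE_REPLACE.findall(m.group(2)):
        literal = literal.replace(old, new)
    return Q + literal + Q


def peel_powershell_strings(text):
    # repeat until stable so chains exposed by a concatenation are handled too
    while True:
        new = REPLACE_CHAIN.sub(_apply_chain, text)
        new = CONCAT.sub(lambda m: Q + m.group(1) + m.group(2) + Q, new)
        if new == text:
            return new
        text = new


def deobfuscate(script):
    # stage 1: emulate the batch variable games; stage 2: undo the PowerShell string tricks
    return [peel_powershell_strings(cmd) for cmd in BatchEmulator().run(script)]


if __name__ == '__main__':
    for cmd in deobfuscate(SAMPLE_BAT):
        print(cmd)
```

Run it as a script to print the recovered commands. Because every line is expanded before it is classified, a SET keyword assembled from substring expansions is handled exactly like a literal one, which is the trick the campaign relies on; tokens in batch argument syntax such as %~f0 are left untouched because they are not variable references.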
The script also employs function\r\naliasing and variable obfuscation to further mask its true purpose.\r\nFigure 7: PowerShell obfuscation in Invoke-Expressions\r\nThe Invoke-Expression calls shown in Figure 7 also carry PowerShell common parameters:\r\n1. -InformationAction Ignore: This suppresses informational messages that could reveal execution details.\r\n2. -Verbose: Requests verbose output for the call, which Invoke-Expression itself does not produce.\r\n3. -Debug: Enables detailed debugging output, which is unusual in malware and may be used to blend in with normal\r\nscript behavior.\r\nEmbedded payload – Decrypt, decode and execute\r\nWith the code cleaned up for readability, we see that the PowerShell script implements a multi-layered decryption process\r\non an embedded payload. The huge string at the end of “install.bat” is read in by PowerShell, decoded, extracted, and then\r\nexecuted.\r\nThe decryption process involves three key functions as shown in the figure below: taBy , mDmV , and EHSd , which work\r\ntogether to extract and execute the final payload.\r\nFigure 8: Cleaned up PowerShell – decryption process of embedded payloads\r\nThe EHSd function executes the final stage of the decoded payload. It takes two arguments, $iMqB and $GkzP , and\r\nprocesses $iMqB which stores the final decoded payload.\r\nFigure 9: PowerShell execution of embedded payload\r\nThe function initializes a byte array using a series of .Replace() functions to remove obfuscation markers, assigns the\r\nresult to $ySJh , and finally leverages [System.Reflection.Assembly] to execute the decoded payload directly in\r\nmemory.\r\nWe’ll dive into this payload further in the next section.\r\nWindows registry injection\r\nThe final task of the script is injecting payloads into the Windows registry. 
In our case, the malware creates values under the\r\nHKLM:\\SOFTWARE\\OOhhhm key as part of the srh function.\r\nFigure 10: PowerShell execution – Windows registry injection\r\nThese registry values include XFtkNtIDKz and YvrtRvSWmsUlsKkNV , which store the AES key and IV for decoding further\r\npayloads. The same key and IV were also used to decode the initial payload that is reflectively loaded.\r\nAdditional keys were created – for example, the first key in “ HKU\\S-1-5-21-...\u003cSID\u003e...-1001\\Environment\\onimaiuc ”\r\ncontained a copy of the malicious PowerShell code from install.bat.\r\nThe registry payload is stored in “ HKLM\\SOFTWARE\\OOhhhm=\\NbPqJZCqG ”, which is dynamically generated.\r\nFigure 11: Log analysis – PowerShell and encrypted payloads injected into the Windows Registry\r\nSimilar to install.bat, the PowerShell executed from the registry reads in encrypted payloads in chunks, replaces certain\r\ncharacters, decrypts them, and executes via reflection.\r\nEven stealthier persistence in Windows registry\r\nThe malware employs advanced techniques to hide in the Windows registry to evade detection by tools like regedit. We\r\nlogged additional keys and values created at:\r\nHKLM\\SOFTWARE\\$nya-dll64\r\nHKLM\\SOFTWARE\\$nya-dll32\r\nHKLM\\SOFTWARE\\$nya-config\\paths\\C:\\Windows\\system32\\drivers\\ACPIx86.sys\r\nHKLM\\SOFTWARE\\$nya-config\\service_names\\ACPIx86\r\nHKLM\\SOFTWARE\\$nya-config\\pid\\3499344\r\nHowever, when browsing regedit, the created key $nya-dll64 did not exist!\r\nThis is achieved via rootkit functionality that manipulates visible system data. 
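Because the rootkit filters what regedit, dir and Task Manager get back from the enumeration APIs on the infected host, the dependable place to find these artifacts is telemetry recorded at the moment they were created, which is what the hunting queries at the end of this advisory key on. The Python below is an added example, not part of the original post or of Securonix tooling, and runs that logic over a handful of constructed Sysmon and Windows event records (the records and their field names are made up for the example; the $nya- prefix, the onimaiuc variable, the ACPIx86 service and the hidden task come from the analysis on this page, and the $77- prefix is the r77 default).

```python
import re

# Prefix the rootkit hides in this campaign ($nya-) plus r77's default ($77-)
PREFIXES = ('$nya-', '$77-')
PREFIX_RE = re.compile('|'.join(re.escape(p) for p in PREFIXES), re.IGNORECASE)
# PowerShell executing the contents of an environment variable (Invoke-Expression $env:name)
ENV_EXEC_RE = re.compile('(?i)(?:iex|invoke-expression)[^;|]{0,40}\\$env:')
# the fake driver being wired up as a service (any path separator)
FAKE_DRIVER_RE = re.compile('(?i)(?:drivers.ACPIx86\\.sys|services.ACPIx86)')

# (rule name, event IDs it applies to, fields to inspect, pattern)
# 1/11/12/13 follow Sysmon numbering; 4688/4698/7045 are Security/System log IDs
RULES = [
    ('hidden-prefix file created',              {11},        ('TargetFilename',),         PREFIX_RE),
    ('hidden-prefix registry object',           {12, 13},    ('TargetObject',),           PREFIX_RE),
    ('hidden-prefix scheduled task',            {4698},      ('TaskName', 'TaskContent'), PREFIX_RE),
    ('hidden-prefix in command line',           {1, 4688},   ('CommandLine',),            PREFIX_RE),
    ('PowerShell runs an environment variable', {1, 4688},   ('CommandLine',),            ENV_EXEC_RE),
    ('ACPIx86 driver service registration',     {13, 7045},  ('TargetObject', 'Details', 'ImagePath'), FAKE_DRIVER_RE),
]

# Constructed events (not real telemetry): a mix of malicious and benign records
EVENTS = [
    {'EventID': 1, 'Image': 'cmd.exe', 'CommandLine': 'cmd.exe /c install.bat'},
    {'EventID': 1, 'Image': 'powershell.exe',
     'CommandLine': 'powershell.exe -w hidden -c Invoke-Expression $env:onimaiuc'},
    {'EventID': 11, 'TargetFilename': 'C:\\Windows\\System32\\Tasks\\$nya-qX6Pb164'},
    {'EventID': 13, 'TargetObject': 'HKLM\\SOFTWARE\\$nya-config\\service_names\\ACPIx86',
     'Details': 'ACPIx86'},
    {'EventID': 13, 'TargetObject': 'HKLM\\System\\CurrentControlSet\\Services\\ACPIx86\\ImagePath',
     'Details': 'C:\\Windows\\System32\\drivers\\ACPIx86.sys'},
    {'EventID': 7045, 'ServiceName': 'ACPIx86',
     'ImagePath': 'C:\\Windows\\System32\\drivers\\ACPIx86.sys'},
    {'EventID': 4698, 'TaskName': '\\$nya-qX6Pb164', 'TaskContent': '<Task>...</Task>'},
    {'EventID': 11, 'TargetFilename': 'C:\\ProgramData\\Logs\\summary.txt'},           # benign
    {'EventID': 1, 'Image': 'powershell.exe',
     'CommandLine': 'powershell.exe -File C:\\Scripts\\daily.ps1'},                  # benign
]


def hunt(events):
    # returns (event index, rule name) for every rule that fires on an event
    hits = []
    for idx, ev in enumerate(events):
        for name, ids, fields, rx in RULES:
            if ev.get('EventID') in ids and any(rx.search(str(ev.get(f, ''))) for f in fields):
                hits.append((idx, name))
    return hits


def suspicious_hosts(events_by_host):
    # host -> rule names, for the case where events carry a host label
    return {host: sorted({name for _, name in hunt(evs)}) for host, evs in events_by_host.items()
            if hunt(evs)}


if __name__ == '__main__':
    for idx, name in hunt(EVENTS):
        print(idx, name, EVENTS[idx])
```

The rules deliberately look at what was written, not at what an API call on the host would now return: a file-create or registry SetValue event recorded before the user-mode hooks were in place, or by a sensor that reads the kernel-side event stream, still shows the prefixed name even when dir and regedit no longer do.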
The malware likely employs API hooking,\r\nprocess injection, and registry tampering to achieve stealth and persistence.\r\nFor example, renaming a hidden file with the PowerShell command Rename-Item so that it no longer carries the prefix makes it visible again, because the filter is\r\nhard-coded to specific name patterns.\r\nFigure 12: Viewing hidden binary payloads in the registry\r\nSuch techniques are common in advanced malware and APT infections, where persistence and evasion are critical.\r\nExecution is handled by calling Windows environment variables – in this case, %onimaiuc% is defined, and when\r\nreferenced in PowerShell, its registry content is executed.\r\nCode execution from Windows registry\r\nExecution happens as Windows processes environment variables. The malware stores malicious PowerShell code in\r\nHKU\u003cSID\u003e\\Environment\\onimaiuc . Windows loads these variables when a user logs in.\r\nWhen a process references %onimaiuc% , it expands the stored registry content as a string. The malware ensures execution\r\nby using Invoke-Expression $env:onimaiuc or embedding it in another execution mechanism.\r\nThis method is stealthy because:\r\nIt avoids writing a visible script to disk.\r\nEnvironment variables in HKU\u003cSID\u003e\\Environment reload automatically at logon.\r\nIt can be executed indirectly via scripts or scheduled tasks.\r\nWe can confirm execution by searching for instances of Invoke-Expression $env:onimaiuc or monitoring processes that\r\nretrieve the value of %onimaiuc% .\r\nFigure 13: Testing for the presence of the %onimaiuc% environment variable\r\nPersistence through Scheduled Tasks (extreme stealth edition)\r\nThe malware maintains persistence by leveraging Windows scheduled tasks. 
It creates an XML configuration file “ $nya-qX6Pb164 ” in C:\\Windows\\System32\\Tasks .\r\nThe screenshot below shows the XML contents:\r\nFigure 14: Screenshot of “ $nya-qX6Pb164 ” scheduled task configuration\r\nThis task executes malicious PowerShell commands – the same script injected into the registry earlier. Let’s break down its\r\nkey components.\r\nKey Components of the Scheduled Task\r\nTrigger:\r\n\u003cLogonTrigger\u003e: Execute at each user logon.\r\n\u003cEnabled\u003etrue\u003c/Enabled\u003e: Trigger is enabled.\r\nExecution Context \u0026 Privileges:\r\n\u003cRunLevel\u003eHighestAvailable\u003c/RunLevel\u003e: Runs with the highest available privileges.\r\n\u003cGroupId\u003eBUILTIN\\Users\u003c/GroupId\u003e: Runs in the context of the logged-on user (any member of BUILTIN\\Users).\r\nSettings:\r\n\u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e: No new instance if already running.\r\n\u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e: Task runs if missed because the system was off.\r\n\u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e: Task can be manually started.\r\n\u003cEnabled\u003etrue\u003c/Enabled\u003e: Task is enabled.\r\n\u003cHidden\u003etrue\u003c/Hidden\u003e: Task is hidden from normal views.\r\n\u003cRestartOnFailure\u003e: Retries up to five times at one-minute intervals on failure.\r\nAction (execution of malicious code):\r\nAt this point, the PowerShell code is executed. (Details as previously observed.)\r\nOverall, this scheduled task ensures the malicious PowerShell code runs at every login by hiding itself and retrying upon\r\nfailure. 
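The element-by-element breakdown above translates directly into a triage check for task files: a task that is hidden, fires at logon and launches a script host with an evasive command line is the combination seen here. The Python below is an added example, not code from the Securonix analysis, and parses two constructed task definitions carrying the standard Task Scheduler XML namespace (the malicious one mirrors the elements listed above, with the action command line being an assumption; the benign one is a daily maintenance task for comparison).

```python
import re
import xml.etree.ElementTree as ET

NS = '{http://schemas.microsoft.com/windows/2004/02/mit/task}'

# Arguments that make a script host run quietly or execute something handed to it at runtime
EVASIVE_ARGS = re.compile('(?i)(?:-w(?:indowstyle)?\\s+hidden|-e(?:nc|ncodedcommand)?\\s|invoke-expression|iex\\s|\\$env:)')

# Constructed task with the elements the advisory lists for $nya-qX6Pb164 (not the
# real file; the action line is an assumption). Principal is Builtin Users by SID.
SUSPECT_TASK = '''<Task version='1.2' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id='Author'><GroupId>S-1-5-32-545</GroupId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RestartOnFailure><Interval>PT1M</Interval><Count>5</Count></RestartOnFailure>
  </Settings>
  <Actions Context='Author'><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -ep bypass -c Invoke-Expression $env:onimaiuc</Arguments>
  </Exec></Actions>
</Task>'''

# A constructed benign daily maintenance task for comparison
BENIGN_TASK = '''<Task version='1.2' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id='Author'><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Enabled>true</Enabled><Hidden>false</Hidden></Settings>
  <Actions Context='Author'><Exec><Command>cleanup.exe</Command><Arguments>--quiet</Arguments></Exec></Actions>
</Task>'''


def _text(root, *tags):
    # text of the namespaced child reached through the tag path, or '' when absent
    node = root.find('./' + '/'.join(NS + t for t in tags))
    return (node.text or '').strip() if node is not None else ''


def triage_task(xml_source):
    # xml_source may be str or bytes; task files on disk are usually UTF-16, so pass bytes
    root = ET.fromstring(xml_source)
    findings = []
    if _text(root, 'Settings', 'Hidden').lower() == 'true':
        findings.append('hidden from normal task views')
    if root.find('./' + NS + 'Triggers/' + NS + 'LogonTrigger') is not None:
        findings.append('fires at every logon')
    if _text(root, 'Principals', 'Principal', 'RunLevel') == 'HighestAvailable':
        findings.append('asks for the highest available privileges')
    count = _text(root, 'Settings', 'RestartOnFailure', 'Count')
    if count:
        findings.append('retries on failure (%s attempts)' % count)
    action = (_text(root, 'Actions', 'Exec', 'Command') + ' ' + _text(root, 'Actions', 'Exec', 'Arguments')).strip()
    if EVASIVE_ARGS.search(action):
        findings.append('action runs a script host with evasive arguments: ' + action)
    return findings


def is_suspicious(xml_source):
    # require the combination seen in this campaign, not any single property
    f = triage_task(xml_source)
    return (any(x.startswith('hidden') for x in f)
            and any(x.startswith('fires') for x in f)
            and any(x.startswith('action') for x in f))


if __name__ == '__main__':
    for label, xml_text in (('suspect', SUSPECT_TASK), ('benign', BENIGN_TASK)):
        print(label, is_suspicious(xml_text), triage_task(xml_text))
```

On a live host the same function can be run over every file under the Tasks directory, which is where the $nya-qX6Pb164 task above was written; read the files as bytes so ElementTree honours their encoding declaration. On an infected host the rootkit may hide the task file from the directory listing itself, so the check is most reliable from offline media or a clean boot.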
It is responsible for decrypting and executing payloads stored in the registry ( HKLM:\\SOFTWARE\\$nya-OXD9Q ).\r\nThe Stealthy side of Scheduled Task persistence\r\nThe unusual name “ $nya-qX6Pb164 ” is reminiscent of the Windows registry key “ $nya-config ”. The screenshot below\r\ndemonstrates this advanced hiding technique.\r\nFigure 15: The scheduled tasks file “ $nya-config ” hidden from view but readable via special methods\r\nBinary static analysis (Test.exe/.NET assemblies)\r\nJumping back into the core components of the attack chain: we observed a binary payload decrypted and reflectively loaded\r\nvia PowerShell. Let’s analyze this binary.\r\nUpon execution, we dumped the .NET binary payload containing the assemblies loaded by PowerShell.\r\nAt a high level, the project is simply called “Test”.\r\nFigure 16: PE file information – “Test.exe”\r\nCracking open the file in ILSpy reveals heavily obfuscated source code, making reverse engineering challenging.\r\nFigure 17: Obfuscated .NET assemblies\r\nThe highlighted function shows advanced obfuscation techniques such as control-flow obfuscation, symbol renaming, and\r\nstring encryption. Key techniques include:\r\n.NET obfuscation techniques breakdown:\r\n1. Unicode and Symbol Mangling:\r\n1. ڗ 튯\\uF83C摊턝䵯\\u20B1쨩ኟዚR늤㮌绂ꡛ\\u25B9ጤꀰ䠛侪 – Function names using mixed Arabic, Chinese, and special\r\ncharacters.\r\n2. Some functions start with Unicode escape sequences, hindering automated deobfuscation.\r\n2. Array-Based Execution Flow Manipulation:\r\n1. Multiple arrays (e.g. array, array2, array3) store variables and obfuscated logic assembled in random sequences.\r\n2. “Fixed” statements lock arrays in memory for unsafe operations.\r\n3. Control Flow Flattening \u0026 Dead Code Injection:\r\n1. Multiple conditions (if, switch) obscure the true execution flow.\r\n2. Redundant calculations mask variables or strings.\r\n4. Pointer and Memory Manipulation:\r\n1. 
Unsafe code (e.g., byte* ptr, IntPtr, fixed arrays) indicates raw memory operations.\r\n2. Direct manipulation of memory regions for decryption or function resolution.\r\nAutomated .NET deobfuscation tools yielded mixed results, offering only partial readability.\r\n.NET API Calls\r\nBy examining API calls (e.g., in kernel32.dll), we gain insight into potential process manipulation, code injection, and\r\nevasion techniques.\r\nFigure 18: .NET API calls\r\nSetThreadContext and GetThreadContext: These functions modify or retrieve a thread’s execution context, potentially\r\nredirecting execution flow.\r\nGetProcAddress and LoadLibrary: These functions resolve DLL function addresses dynamically to evade static detection.\r\nAddVectoredExceptionHandler: Registers an exception handler; malware may use it for anti-debugging or alternate\r\nexecution flow.\r\nOverall, the API calls suggest process manipulation, API obfuscation, and anti-analysis techniques.\r\nAMSI bypass\r\nDebugging Test.exe revealed several anti-debugging traps, including AMSI patching to bypass antivirus detections.\r\nFigure 19: .NET AMSI bypass\r\nAMSI (Antimalware Scan Interface) lets antivirus engines scan script content before it runs. 
By patching amsi.dll (using techniques like\r\n“calli”), the malware bypasses these scans.\r\nIt achieves this by loading amsi.dll and using functions such as LoadLibrary and GetProcAddress to locate and modify AMSI functions\r\nlike AmsiScanBuffer.\r\nThis patch forces AMSI to always return a “clean” result, allowing malicious code to execute undetected.\r\nBinary dynamic analysis (Test.exe/.NET assemblies)\r\nExecution of the PowerShell script that reflectively loaded the binary payload (Test.exe) showed that the payload began\r\nbeaconing immediately, connecting to 86.54.42[.]120 on port 4782 – the default port used by the open-source QuasarRAT.\r\nSince QuasarRAT is written in C#, this aligns with our static analysis. Typically, such payloads are not obfuscated well;\r\nhere, the threat actors took steps to make detection harder.\r\nFinal payload analysis (ACPIx86.sys)\r\nAs part of the attack chain, the .NET payload dropped a malicious file into C:\\Windows\\System32\\Drivers\\ called\r\nACPIx86.sys . This occurred concurrently with the creation of malicious registry keys (see “Windows registry injection”).\r\nWindows services for persistence\r\nThe malware registers and launches the malicious driver ( ACPIx86.sys ) as a Windows service. It writes entries under\r\nHKLM\\SOFTWARE\\$nya-config\\service_names\\ACPIx86 and HKLM\\SOFTWARE\\$nya-config\\paths\\C:\\Windows\\system32\\drivers\\ACPIx86.sys mapping the driver file to a service name.\r\nAdditionally, by modifying HKLM\\SYSTEM\\CurrentControlSet\\Services\\ACPIx86 , the service is configured with its location,\r\nstartup type, and execution parameters. 
It can be started via standard API calls or the command sc.exe start ACPIx86 .\r\nFigure 20: Registry details for the ACPIx86 service\r\nDynamic execution in a controlled environment yielded limited results – likely due to anti-analysis techniques.\r\nr77 Rootkit analysis\r\nThe rootkit used in OBSCURE#BAT appears to be a user-mode rootkit designed to manipulate Windows processes, files,\r\nand registry entries to remain hidden.\r\nWe identified it as r77 rootkit – an open-source ring-3 rootkit. According to its GitHub page, it can hide:\r\nFiles, directories\r\nProcesses \u0026 CPU/GPU usage\r\nRegistry keys \u0026 values\r\nServices\r\nTCP \u0026 UDP connections\r\nJunctions, named pipes, scheduled tasks\r\nBy default, the r77 rootkit hides the “$77” file prefix; here it has been modified to hide the “$nya” prefix.\r\nThe binary payloads for the rootkit are stored in the registry under HKLM\\Software as $nya-dll32 and $nya-dll64 .\r\nThese DLLs get injected into the PowerShell process invoked by the batch script. Although elevated, the rootkit remains in\r\nuser space.\r\nIts tactics are similar to those seen in online projects like Chaos-Rootkit and S12URootkit, which hide their own process IDs\r\nand files.\r\nA user-mode rootkit operates in ring 3, avoids kernel modifications, and uses registry and scheduled tasks for persistence.\r\nKey observations include:\r\n1. Operates in user space (ring 3) via a hidden PowerShell process\r\n2. Uses API hooking rather than kernel hooking\r\n3. Relies on registry and scheduled tasks for persistence\r\n4. Injects into system processes such as winlogon.exe, explorer.exe, or powershell.exe\r\n5. No evidence of active driver installation in Ring 0\r\n6. No modification of SSDT or IRP hooks detected\r\n7. 
Being user-mode, it evades many traditional kernel-based security tools\r\nWe observed multiple stealth techniques to hide files, processes, scheduled tasks, and registry keys.\r\nFigure 21: Rootkit hiding under process ID: 6692\r\nBased on our analysis, the r77 rootkit exhibits the following behaviors (observed during dynamic analysis):\r\nr77 Rootkit Capabilities:\r\nProcess hiding: The malware hides its process from tasklist, Get-Process, and Task Manager, though Sysmon may\r\nstill log its activity.\r\nLikely achieved via API hooking (e.g., NtQuerySystemInformation).\r\nMay modify the System Process Information table to filter its own process ID.\r\nThe malware registers active PIDs in the registry ( HKLM\\SOFTWARE\\$nya-config\\pid ), possibly for tracking.\r\nFile masking: Files matching $nya-* are hidden from Explorer, dir, and Get-Item. We verified this by renaming a\r\nfile to a $xxx- prefix, after which it became visible again.\r\nMay hook into NtQueryDirectoryFile to filter file names.\r\nMay manipulate NTFS metadata or redirect file queries.\r\nRegistry tampering: Certain registry keys ( HKLM\\SOFTWARE\\$nya-config ) are hidden until specifically queried.\r\nLikely via API hooking in advapi32.dll intercepting RegQueryValueEx calls.\r\nRegistry editors and standard queries cannot enumerate these keys due to selective filtering.\r\nKernel interaction: The malware references a driver ( ACPIx86.sys ) in C:\\Windows\\System32\\Drivers , executed as\r\na service via registry modification.\r\nIf the driver is loaded but hidden, kernel-mode techniques may be used.\r\nCould involve direct system calls to bypass user-mode detection.\r\nMay leverage DKOM (Direct Kernel Object Manipulation) to alter process visibility.\r\nStealthy endpoint and user monitoring\r\nThe malware monitors user interactions such as clipboard activity and 
PowerShell command history. An encrypted binary file is\r\ncreated daily and saved in the %APPDATA% (AppData\\Roaming) directory, using the $nya naming scheme, which causes the\r\nfolder to be hidden from Explorer and command shells.\r\nFigure 22: Files containing encrypted user data\r\nMonitoring the r77 rootkit’s process via Procmon shows regular file writes and access to these data files, which are likely\r\nexfiltrated for decryption and analysis.\r\nWrapping up…\r\nOBSCURE#BAT demonstrates a highly evasive attack chain, leveraging obfuscation, stealth techniques, and API hooking to\r\npersist on compromised systems while evading detection. From the initial execution of the obfuscated batch script\r\n(install.bat) to the creation of scheduled tasks and registry-stored scripts, the malware ensures persistence even after reboots.\r\nBy injecting into critical system processes like winlogon.exe, it manipulates process behavior to further complicate\r\ndetection.\r\nThe most alarming aspect is the user-mode rootkit functionality, which systematically hides files, processes, and registry\r\nkeys matching the pattern ( $nya- ). This requires deeper forensic and behavioral analysis to detect and neutralize.\r\nVictimology and attribution\r\nWe believe the OBSCURE#BAT campaign primarily targets English-speaking individuals. All lure documents, file names,\r\nand websites are in English, and our analysis of the attacker’s infrastructure indicates a US base, with telemetry also from\r\nCanada, Germany, and the United Kingdom.\r\nHowever, we cannot definitively state which country or threat group is responsible. 
Updates will be provided as more\r\ninformation emerges.\r\nSecuronix recommendations\r\nMaintain vigilance against social engineering, malvertising, and fake captcha scams that trick users into executing\r\ncode.\r\nAlways verify that software downloads come from legitimate websites.\r\nA legitimate captcha will never copy code to your clipboard and prompt execution.\r\nBe cautious with batch (.bat) files from unknown sources, as they are a common attack vector in phishing campaigns.\r\nInspect batch files in a text editor before executing them.\r\nIf infected, note that although the attacker may mask attribution, the original r77 rootkit author provides a remover or\r\nuninstaller.\r\nWe strongly recommend deploying robust endpoint logging (e.g., Sysmon and PowerShell logging) for enhanced\r\ndetection.\r\nSecuronix customers can use the following hunting queries to scan endpoints.\r\nMITRE ATT\u0026CK Matrix\r\nInitial Access:\r\nT1566.001: Phishing: Spearphishing Attachment\r\nCommand and Control:\r\nT1071.001: Application Layer Protocol: Web Protocols\r\nT1132: Data Encoding\r\nT1219: Remote Access Software\r\nDefense Evasion:\r\nT1014: Rootkit\r\nT1027: Obfuscated Files or Information\r\nT1027.010: Obfuscated Files or Information: Command Obfuscation\r\nT1036: Masquerading\r\nT1112: Modify Registry\r\nT1140: Deobfuscate/Decode Files or Information\r\nT1055: Process Injection\r\nT1620: Reflective Code Loading\r\nExecution:\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nT1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nT1204.002: User Execution: Malicious File\r\nExfiltration:\r\nT1102: Web Service\r\nPersistence:\r\nT1053.005: Scheduled Task/Job: Scheduled Task\r\nResource Development:\r\nT1583.001: Acquire Infrastructure: Domains\r\nT1583.008: Acquire Infrastructure: Malvertising\r\nRelevant Securonix detections\r\nEDR-ALL-1084-ERR\r\nEDR-ALL-1282-RU\r\nEDR-ALL-1123-RU\r\nWEL-ALL-1206-RU\r\nRelevant hunting queries\r\n(remove square brackets “[ ]” for IP addresses or URLs)\r\nindex = activity AND rg_functionality = “Next Generation Firewall” AND destinationaddress IN (\r\n“88.222.244[.]187,150.171.28[.]10,195.211.190[.]61,147.185.221[.]24,138.197.66[.]62,185.128.227[.]28,195.211.190[.]61,100.28.201[.]15\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “File created” OR\r\ndeviceaction = “File created (rule: FileCreate)”) AND TargetFileName CONTAINS “$nya-“\r\nindex = activity AND rg_functionality = “Microsoft Windows” AND baseeventid = “4698” AND CommandLine\r\nCONTAINS “$nya-“\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create”\r\nOR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction =\r\n“Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND\r\nchildprocesscommandline CONTAINS “$nya-“\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND transactionstring5 = “SetValue”\r\nAND customstring47 CONTAINS “$nya-“\r\nC2 and infrastructure\r\nC2 Address\r\nhxxps://eloquent-chebakia-e2667a.netlify[.]app\r\nhxxps://dashing-cassata-b94dd5.netlify[.]app\r\nhxxp://45.88.186[.]152:55553\r\nhxxps://klck[.]ai\r\nhxxps://kick[.]am\r\nhxxp://klck[.]pw\r\nhxxps://twitch.co[.]com\r\nhxxps://twltch[.]lol\r\nhxxp://twitch[.]cx\r\nhxxps://twitch[.]team\r\nhxxps://twltch[.]uno\r\nhxxps://rumble[.]tube\r\nhxxps://pnwthrive[.]com\r\nhxxp://cooinbase[.]net\r\nhxxp://tiktoklive[.]studio\r\nhxxp://secure-login-bing[.]com\r\nhxxp://char0nbaby[.]online\r\nhxxp://hyqyj[.]xyz\r\nhxxp://smallmonster[.]net\r\n*.gl.at.ply[.]gg\r\n88.222.244[.]187\r\n150.171.28[.]10\r\n195.211.190[.]61\r\n147.185.221[.]24\r\n138.197.66[.]62\r\n185.128.227[.]28\r\n100.28.201[.]155\r\n37.114.46[.]25\r\nAnalyzed files/hashes\r\nFile Name SHA256\r\nsip.zip E33E05D3182F46F65554FDA2127D9D1D415A986B6C635485B323558A1821F56A\r\nEternal2.6.zip 5F7EE1C0FDB813FCF6D8A8E136940AD570BF544B1263C03D288A5EF1B90CF0F3\r\neternaltool-main.zip E5386DB097DFC6BD1ACDE5302BC4B22309F151A478604713000BEDB77484881D\r\nDarius SS-2.rar 43CC98694575DEF427DD2ADFB9FCB5E7018AEDCDA525B5E5F5877E3FD02775BE\r\nDarius1378910 project executor-1.rar BE725B2992385BDCBCF54C995EC1807275B761A019645F707498C958B36346AD\r\nTest.exe 
(.NET\r\nassemblies)\r\nFF17477903ED742A4981F67515F1065689063703F86E0D38A1385E7B998084C5\r\n3367442F903D854AEE965023734F25BFB4BCA6C852D29DCB5774B9E64707FF4B\r\n47B28D3D1AB89E207F7D634B53622960931431DCBF73FC26875659A0C20BD70D\r\n504CC73800ED86C7627234A1D092EFA14ABCEA667AA084191E34FFF2A3EDC167\r\n53D2B22B91F39305B436A08EF9280D4A8FA3BD038D834B1ABEADB792F8E086A1\r\n844BE559DEBDDEC75F460FAA912490DAB6EA400FE325E59B91DF250C1E1AD4FC\r\nFB46FF16BF658AEB5F3A19559AE6AFC10DD2AE108B8AE23457011D6DC5A4B560\r\nF553759453259559CE7C4321898E83C9A3BDDD14758AECBD1567634CA4EA8D86\r\nF3B652503B20261B2F83D43EFC1CC20C655B68A339805714DD95ED14F659D4BE\r\nF180A6E4A5EC5B6EAF82C2BB31FF041A66699387483E9EB489613DBC1BACFE1B\r\nEDDAD50D490349749C5104C3394FAE49DFD6E9070BA0000C139DD8E24E2A06BA\r\nEA0DBC5CA8E96D8940337C5D19574498A4B398847049E62AF14F1D98346638B2\r\nE4CCE18562FDDC70C71A8969141C56ADEB56032196F05E10524374C1EB398D7D\r\nE2864BD791DF7E060B43598F04BE86C839E9907A1FA9C3614205B5139542D8C1\r\nDCBC1A43E1EE9D4C4C5A426CE862B151973545111F69F5B1C036E46E801ACC82\r\nDB82442D83C116211531F104B77ADC5C45CF531315CAFBD8F6E1F9C5DEC6C0D4\r\nD92C28680AF30136DFD52852EDDC07E5197AFE039D84F5B2255B14AE8E15AC02\r\nC08D8E742A34E9DC610ED5276E5CD0DCAD4F6139A03DDA07D9292D50FFD47D39\r\nBE4FADB015D35092F3EE59938A3E68C671DE8C075F04E90FD819B61C383D4501\r\n9B8CAE953C8F3DCB8E9E09D387D217FEA8FDF07C5E3001813A26D83AF7FCB4CC\r\n8F2541E5C425E6353BA1170079B238632ACB21498415861C1FD27A8615A86336\r\n879B9BA401A3B8B580980EA31050A35DD849AD3B6E00338CB81D106BBC02963F\r\n7E658C7C9A1BE6EBD7AF0150FA6FA289D59822B4E771167E13BEDE5C9A622448\r\n7C2A3A41217DA8A2A7D4B72BB5F0C5F45E2B7C6518526101F64B534070651DFC\r\n794D1FF3B3FE275B49138F82B0CC597C35E1FC0A91BE3136729598D97F1086FF\r\n72C5F9A11F126B4D1B79AC81BD03787622F2109560CEEFA762EA0C3A9E1A5E7B\r\n5F75A50AE9F6252D1F0F135726F4A605F4148EE36C9D36C4B2D3FA6404E03B10\r\n5322F5EEB9E789FE63A89CE7852C24593B8B2B6233D855A1646116C14BB8E88E\r\n40F0A201E85E6CF32C48A0CFC496A55A4BB87E8C13174E6C583DE9BF7ED70590\r\n3E88
E710043B3CC9BF1AF3B373828E9EF023ABA5D697A82A9A568AE9E45CC544\r\n346EC63BDDAD6B1889D6647ED43DCD71432F687BA8642B726AC67F08E415D77E\r\n30A17C5C65FE87D961AEA290E97E8AA09A03C20D257E22D8AC63F5A7B67C0C6B\r\n2DA6D8FA510E66AE79BAB6B12849B123BB9B88D23DE3B0B383E7F48F9E9CFF69\r\n2BC694A9A6FC03043472F6FB88D3EEDA31722FACF5659AA7EDDB13C29A8FB754\r\nhttps://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits\r\nPage 12 of 15\n\n1F51F00B06D5C0358B662AF01DB9690D1EB379B33B1BF7A161BA2B6FE53D6574\r\n18D93547B1F14B452B7AD053A1A93122864D810D82A48ECC391D6D6B44FFD661\r\n0AE3E6A8AF0D7657F820986291DAB1F071007DE4197214C976893EB78E8E200F\r\n0A20A60EF5151F8ADAF9DCD819F970D9AFF20D8EB8F905FBA55CCC0E91C446BE\r\n033F50893BE3BB35EC8CC358D6D7FC764D327B00158617F8DEAC08A60E5F6883\r\n019BA14B03B42A1D3F3496659573E8BA9440340EA16166C3E294164F9BB8F3EF\r\nD0C8C833E2DE4F7D0D92FEBC6A9845CF2A2438013A9362CEFE0878897BD322A4\r\n682F7884B06695A44F19077EB5CD21F1823347B070C8A3773BACEBFC0439B8B8\r\n54CB466D399CE2D3FD24B1B800E276100C3272522FF84DAB4BB1DE73E5EAECDE\r\nFF22090E3E7D9DAC05879802BD0312D282C8A9A44B3C9A7C6AFD4B07C05624A2\r\nFEA5DF5596BE7448E2531CC352BD5A361E128BC6B15E1AC2CA9ABE12927DFB83\r\nF83D936E48BC89338EA9D639F39CF36C3ECAD1E59551F18E2B6D8D5AF6CF403B\r\nEB673D5C936238EED457BFE41AD02F2081F3EF42DD5F3935A0BB11394574C60D\r\nE060A451A4F310D4E4BC05A63B9027896B3126642182D8B176119B975689F217\r\nC3DCE9C45B659118211B573A802ECAC94DEDE201D59B2A5DCED29D68B7A82F3B\r\nC1FE08DEFD1651508B32FFE38892B52A519570F78E457467CCACB6FAE46B2439\r\nBB276B2DD3726F3A712E0904EF87D41D133CD36A72ECB97DA8CEFC6BA0D33A30\r\nBA8565D459CBCC972BBCA96122881E85F5736F4E7B56383853190C95D0334B5D\r\nA439F188BE62856F9DC6668D11C691C031C1CB5A9574A5CAB5CFC1856C7C7676\r\n9063336B99527F9F46B1D1F1D0DB44143B30F478CC708E217525C58CDE5FDDCD\r\n8B10E9C4E8C475FB7357E97205A0E3C8857908DBA93846F7C771E06726DB99FA\r\n79B898274B1AF26AC29F8BD23887244BB3766968B46D5E1012CC4485C6291CE9\r\n70
FB59AC30B0FA16FEC656CCA60BC743A32CE6222E9FBDC1896BB2AFAD3EB868\r\n6F0BC6D96340807BAB7A76D132444DC3BA21D99A4C825BCD07363E8D1340CC85\r\n63F6BB98A3E3256F528734F1DEDA5524D97EF3540FB2A06624C92716BA1456FD\r\n519A389D0D183FA5CAE0390CE8CC2716247B8F50332DE8E4FC8BEE5026C8BA70\r\n51267FBD6AA2D09FD1ECD4C9F52557AA85F3F5AF0C60223AEA55ACB562DF9AA8\r\n4304A7028616787990476CEB92CE98842C8E049278AD9E4AFA24A1FCF1DAD782\r\n20217810AED81399374FEC1F556B1537FA35B6499133F65E08EEDA324A72680F\r\n31E9EA58C807633DBCC680303F1F741E2A6E58747E040E98DB133E076C6CBBED\r\n11E0596F453CCF8F30BA8177E7DF50517E364326585D1CEFB4C59DE277B0F6AA\r\nEF83368CAF9C9D53B4CB74B76A96E7092097E35DA214BA946A146580443D0792\r\nB6180699E895945D6178A61FD8228576629ED0FA03DE54D78E7EE16F271F1522\r\n2BE90FEEA3580358A7AB90D744B7C3028C8E7694863672A8A30F021B284CC94A\r\n0368BF651D5CE7E58305DD300A428D12E6A64D456A4805E845CB1985196BB5FC\r\nCCF58B300EC2A7D491CBD492373CCF5175056F55D4843889AD15C3F0B2DB815F\r\nhttps://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits\r\nPage 13 of 
15\n\nCC8E4C0C2E126938B827ACFCEC306DC9811D4AAF00934D397E3841FD6352F4D1\r\n7BF9BE59DB4C55F5B372576B7BAAA25CFF2716D2F7E24DB1B98724A0E0927ECB\r\n28A4EFF21C27F9E3B0E7B5383ABB407E0A3D69BFC1D094DDD4F0B5C18425C523\r\nE1070A6B5A406CE70CF1D1655169A4EC36FB69114C3064F00D28CC01CEDFB0E8\r\nAF9C847CC0A204E969A0FAB93AE676B06222892AFC5271186604E348852BAD37\r\n80AF77DC9C38A3BBFB68FA66635BB3F202D72DC093305D1218BB85811CE018C9\r\n52634530F53DFCE289317B2C4057811136FBBE873211D01E150AC32A94DD0F4A\r\n68A0F5040DCF9B7881D1557CAD827275271027906F830F6EE90E5521A00B72E4\r\n3B86B107B36AA1224DF2E46419F2652682C67F99222011FD63F7AB3ED43AB1D5\r\nB2BCBC0FB471660632B6589FA96656F935F72AD5308E9B659B2E59ACAF820E02\r\n7AA0D53BC4A08E7B61AA283C39BECCF7364AFC2174FFC958B3C5FD2D56DD9554\r\nE1070A6B5A406CE70CF1D1655169A4EC36FB69114C3064F00D28CC01CEDFB0E8\r\nCC8E4C0C2E126938B827ACFCEC306DC9811D4AAF00934D397E3841FD6352F4D1\r\nE1070A6B5A406CE70CF1D1655169A4EC36FB69114C3064F00D28CC01CEDFB0E8\r\nEE481AE34BE52DA5D9F2E8DBFAB3BDD228A7FDFA9FFF308E98B7691D3EB9D0FA\r\n28DC3771DC4AA5D8A19BA732479F3719C276E62CFFD0FE8ADE6159A1FD3BA880\r\n35BFF2270DAA66D092AFAF7E6CFA3210790E1D17DD77E0AF94B361DBF632B571\r\ninstall.bat C9AA237A2A30B901D52D0074731B5AC57F70322F1FDE81F6794588C17D6BB268\r\nLoader.bat 612FBFEBFDCC12D6EAA20F22835A1A360A747C043AE1058070D4A71EF20A59DA\r\ndownloaded_file.bat 0877653F6A24639BB02B547C94F670597C3C0CD96DF910A2AC891EAEAA9CC5F3\r\nchiani.bat 159057BA35F3454424A4901866DE6DE286BD11715E975D4D124D33B2E83055C7\r\nTorServer.bat 28BDD3E3C182A8E9A5082A4677DF2F2116C8973D4ECDAE023CF9FD3489B9F012\r\nAdobeUpdate.bat 7C684A112461478A8ED1F3885628D0235BC20081C11C55FF96CC98454E096944\r\nnouaconi.bat 2ACD42AD45F8DBB3866B537E6135672DAA48921EB00668B657243B666991C4AD\r\noni.bat 625E590FD62A1C8B4C85BC9F551188DE0627C5D43B234408CE57139F4EA0B7C0\r\nuacbypassv1.bat 
160165D2E7F332B29B5980C27C044DE2804552469EC70458DF6E77DFD254765E\r\nCVerify.bat\r\nB6B68CDAC6CDB3956DC8B7C11454E4F493FBD9157F902FFD2539545D6F7315C7\r\n62F035A79382BF50E9959FCB272C19D5AAC64A7409DEEBF7C8E9B597F3954DB4\r\nB2528CB39295490B53428A98FEFAFDE2D5F32C957B268F528B66756AD8AB6896\r\nE3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855\r\n431435E3A7A8E38458CD2A2C1E97C6B3AEC993E9DFC3DE5CC665AC57C21BF528\r\nA79E4199BA0DAC6948DEA075C26CEC05DE18D3217A25000A3C7A0FCB45BA1B02\r\n1BB63CB3D89389F426F4CB5350E38FBD0C49CE1851F6311C5E5D246200F29DE8\r\ncloudflare.bat 96AA71F70D16E2784488FAD332AC65287F33D059CDE4CD2858B0DAB85340BA0D\r\nnewest.bat C1D0981485F8AFEA96D8C0CE85CB9888C96418387B8C43103B113BA283F8C59D\r\nMous Fix.bat C7D9A5FFA94EECFBF5C22781750E404C6E50BA12459E3071670783598839CFDF\r\nhttps://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits\r\nPage 14 of 15\n\nrepair.bat CF3F8D4D3EE1A8EFF414A221767EDE4C73424BB62D6A090AD3F65EA55FF22FA4\r\nsus_bat.bat D4B46254B03F3800038CC93F226BC7B5897C34FCAC0D16210F45731B57D4F86A\r\n32ram1.2.bat DD0396754DF3ACA8A482242EEBFA92DB7433781EBDD679507E329E34D4065C98\r\nimg.bat 04DBC65A0EC0A3D95AEEC8161816352A22CE74C19FCD002F631879E990C2D468\r\nEternal2.6.bat FC6A52FA9D578565E4B6C47BE3A4F0358A01ACE3ED601C0EB88E46DD88203EBF\r\nLoli.bat 6CD9BDC704701AB3618BE8546E471F335431929A96D10BC59F66872B144770CE\r\nDarius1378910 Project\r\nSS.bat\r\n9BA76C05333A17C734B4B6174E68222F689F298EF48FE5DD03D25DA7E01904F5\r\nBootstrapper.bat F6E19E1C17291B9B4B2436D561D8373CF8A18841B5C4393205845BCC6BA31616\r\ntest.bat 9B7CFE2A7F46AAD42C8AEB5FCB668F2286B24FCD0241AD7C1B1B3D00856C2B18\r\nJava_installer.bat 903391CC79136EB1EFDCA469686B96FD04FAF257D87796DDE594C500AB226150\r\ninstall_apache.bat\r\npython_installer.bat\r\n7F970EE9B2FEF5C77DB4CDB7FE536377E165E056AA056299624A224EF8E0CBA9\r\ninstaller.bat C4DF50417827B20CAFC1E724948D576CD1B90636E5D68D577856824CB9CEB328  
\r\nChatGPT+.bat 8713DD146895B8262E5096E49399DBDF4DC796D37A532912C0EBBB46DE059EAF\r\nshare.bat EFC09D4380483145573AC4F1A2B4FE308E9BD4378BFFBC44EFD00739D2E055A7\r\nuacbypassv1.bat 160165D2E7F332B29B5980C27C044DE2804552469EC70458DF6E77DFD254765E\r\nuacbypassoff3925.bat F3D48BB2DC545F0864D8B85D93AEA9C2B9A55F0FC9C7435F1DEE000802A261DA\r\nuacon31025.bat 53B9C02EE582BF97385BEB39EE140C49F73C557CCECF3BF44C795899083A3519\r\nAsyncClient.exe 5906FE2B69A5874697B84882DF732F77DD3160221D0746F9688E9AA9B8E0AF31\r\nautoruns.exe F41051697B220757F3612ECD00749B952CE7BCAADD9DC782D79EF0338E45C3B6\r\nDefenderUpdate.exe C7BDCEBE60356900DC4B4F8BC8B75ACC1536DF33AE7A1049BFA27192B8C62D0A\r\nqexplorer32.exe 48B7AAE41C1F229DADD80E7635A142175CBA75D03D54F08952269720C5F2735B\r\nrem_edge.exe E0C27D9A377E5F18AE850D1D0EF1D69934934CABDB95172E21FE0E36807243C8\r\nrem_edgev6.exe BDE4436AAC1E27FE22B134CADC1E19DD954D350A5619C3593EFAC659AB1BBEFD\r\n$nya-qX6Pb164 0ABECC48522A2AA66C798E817F0412DC71DF2875B8908255208642FE019AB9D3\r\nnya-dll32.dll 1BAD202E452B1D1F8B365E946C446F889B2479A6198A17A3DEA1D6A4E5D12052\r\nnya-dll64.dll 8004DF38975733770A7E2A0C71D284BC3439EB7EE74077F950AD7C0BAF2512AA \r\nReferences:\r\n1. When a Quasar Remote Access Tool Falls Into the Wrong Hands https://darktrace.com/blog/quasar-remote-access-tool-when-a-legitimate-admin-tool-falls-into-the-wrong-hands\r\n2. What is Malvertising? https://www.crowdstrike.com/en-us/cybersecurity-101/malware/malvertising/\r\n[a] Change to paragraphs\r\nSource: https://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits\r\nhttps://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits"
	],
	"report_names": [
		"analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits"
	],
	"threat_actors": [],
	"ts_created_at": 1775439069,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/52fd3849db36a54a40c091732817776e3c52e384.pdf",
		"text": "https://archive.orkl.eu/52fd3849db36a54a40c091732817776e3c52e384.txt",
		"img": "https://archive.orkl.eu/52fd3849db36a54a40c091732817776e3c52e384.jpg"
	}
}