Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits

Archived: 2026-04-06 00:51:18 UTC

Securonix Threat Research Security Advisory
By Securonix Threat Research: Den Iuzvyk, Tim Peck
Mar 13, 2025

tldr: The Securonix Threat Research team has been tracking a stealthy malware campaign leveraging social engineering and deceptive file downloads to trick users into executing heavily obfuscated code. This infection ultimately deploys a user-mode rootkit that manipulates system processes and registry entries to evade detection and maintain persistence.

Tracked as OBSCURE#BAT, our team recently identified a malicious campaign that relies on batch script execution to kick off a deeply nested chain of malware resulting in a user-mode rootkit, which we identified as the r77 rootkit. It has the ability to cloak or mask any file, registry key or task beginning with a specific prefix. The campaign has been targeting users either by masquerading as legitimate software downloads or via fake captcha social engineering scams.

The malware that gets installed leverages a user-mode rootkit to establish persistence and evade detection on compromised systems. The infection begins with highly obfuscated batch scripts, which execute a series of environment variable manipulations and PowerShell commands to deploy the next-stage payload. The malware stores obfuscated scripts in the Windows Registry and ensures execution via scheduled tasks, allowing it to run stealthily in the background. Additionally, it modifies system registry keys to register a fake driver (ACPIx86.sys), further embedding itself into the system.

What makes this malware particularly dangerous is its ability to hide files, registry entries, and running processes using user-mode API hooking. Any artifacts matching a specific pattern ($nya-) become invisible to standard Windows tools like Task Manager, Explorer, and shell commands such as “dir” to list directory contents.
The malware also interacts with critical system processes, allowing it to embed deeper into legitimate processes and services. Security logs indicate it is capable of deleting evidence of its activity while remaining undetectable by conventional methods.

Key observations

- Attackers are using several methods to get users to execute malicious batch scripts.
- An obfuscated batch script initiates the infection by executing dynamic PowerShell commands.
- Persistence is established through scheduled tasks and PowerShell scripts injected into the registry.
- Files, registry entries and processes are hidden using API hooking, preventing detection by users and standard tools.
- The malware attempts to register a fake driver (ACPIx86.sys) via the Windows Registry for further persistence.
- Signs of process injection into legitimate Windows processes.
- The infected system prevents visibility of any files, processes or registry keys matching the “$nya-” prefix.
- PowerShell execution delays and hidden processes suggest advanced rootkit behavior.
- Final payloads include a user-mode rootkit and another system-mode rootkit which gets executed as a service.
- The malware regularly monitors the clipboard and command history and saves them into hidden files for exfiltration.

https://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits Page 1 of 15

Initial infection

Code execution begins when a user unknowingly or knowingly executes a malicious batch file. We observed several methods used by the attackers:

Delivery method 1: Fake captcha to code execution

The idea behind this social engineering scam is to trick the user into executing malicious code by masquerading as a legitimate Cloudflare captcha. Many of the captchas we observed appeared to be behind typosquatted domains, such as hxxps://cooinbase[.]net in one example we observed. We’ve all seen the dialog boxes and clicked the fire hydrants and crosswalks dozens of times.
Attackers prey on these rather innocuous tasks in order to trick the user into executing malicious code instead. As seen in the figure below, when a user clicks the “Verify you are human” checkbox, code is copied via JavaScript to the user’s clipboard. Instructions follow to hit Windows + R to open the Run dialog box, paste in the just-copied contents, and then hit OK.

Figure 1: Initial code execution

Delivery method 2: Masquerading as legitimate tooling

The attackers also opted to spread the malware by masquerading as legitimate tools and software. We observed several file names that revealed some insight as to the tools they were masquerading as. As you’ll see further down in the campaign, these included SIP (VoIP) software, the Tor Browser, Adobe software and other network and messaging client software. Unfortunately we were not able to obtain any information as to the download links, though we speculate that malvertising could have been an initial starting point.

Initial code execution analysis

While we were able to gather many of the attackers’ .bat files, we’ll focus on one in particular. This batch file was part of a downloaded zip file, “sip.zip”, which contained a malicious batch file named “install.bat”. The rest of the files appeared to be legitimate and non-malicious.

The install.bat file serves as the initial execution point for the malware, setting off a series of actions that establish persistence and deploy the embedded RAT malware and rootkit. When a user clicks on install.bat, it calls PowerShell to execute obfuscated commands, which in turn write additional scripts or payloads to disk, modify the registry, and schedule tasks for persistence, which we’ll dive into further down.

Figure 2: sip.zip file contents – install.bat

The batch file is highly obfuscated, making static analysis difficult. Because of this, detections were minimal.
At the time of writing, we analyzed a few batch files identified as part of the OBSCURE#BAT campaign and they all scored very low (0–2 detections on VirusTotal).

Figure 3: VirusTotal detections for install.bat

At first glance, the batch scripts used in the campaign are massive. In this example, we’ll analyze “install.bat”, which stood at over 6MB in size. After opening the batch file in a text editor, the reason for its size becomes apparent. The script contains thousands of lines of variables defined or concatenated to thwart analysis.

The script essentially consists of two main components:

1. The obfuscated batch script code, which we’ll dive into now
2. A very large string of random characters at the last line of the script – an embedded payload we’ll discuss later

The obfuscated batch script relies heavily on padding the code with useless variables (defined by %…%) and character substitutions. Strings of commands are built from hundreds of predefined variables which, when parsed, execute the next-stage payload.

Figure 4: Obfuscated contents of install.bat

Deobfuscating the contents of install.bat took some time, but once we identified the variable sequences that built up the SET command, it started to come together. We replaced those sequences with the actual SET command. Once done, the remaining lines consisted of concatenated variable strings. By inserting an ECHO command before them, we could print the contents instead of executing them.

Figure 5: Deobfuscation process of install.bat

Once initial execution is completed, the install.bat file deletes itself, hiding malicious artifacts while the next-stage PowerShell code is executed.

PowerShell Execution

The PowerShell executed in the next stage performs key tasks.
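The batch deobfuscation described above (resolving the variables that spell out SET, then printing each assembled line instead of running it) as an added Python helper; this is not the Securonix team's tooling, and the sample script is constructed in the style of install.bat rather than taken from the real file. It also models cmd.exe's %var:~start,len% substring expansion, which the post does not show but which the same resolver needs for scripts that slice characters out of decoy strings.

```python
import re

# %name%, %name:~start% and %name:~start,len% (cmd.exe percent expansion, including
# the substring form obfuscators use to pull characters out of decoy strings).
VAR_REF = re.compile(r"%([A-Za-z0-9_]+)(?::~(-?\d+)(?:,(-?\d+))?)?%")
# What a line looks like once the variables that spell "set" have been expanded.
SET_CMD = re.compile(r'^\s*set\s+"?([A-Za-z0-9_]+)=(.*?)"?\s*$', re.IGNORECASE)


def substring(value: str, start: int, length) -> str:
    """cmd.exe rules for %var:~start,len%: a negative start counts from the end,
    a negative len drops that many characters from the end."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    if length >= 0:
        return value[s:s + length]
    return value[s:max(n + length, 0)]


def expand(line: str, env: dict) -> str:
    """One pass of percent expansion, as cmd.exe does when it parses a batch line.
    Inside a .bat file an undefined variable expands to nothing, which is how the
    padding variables vanish. Delayed (!var!) expansion is not modelled."""
    def repl(m):
        value = env.get(m.group(1).lower(), "")
        if m.group(2) is None:
            return value
        length = int(m.group(3)) if m.group(3) is not None else None
        return substring(value, int(m.group(2)), length)
    return VAR_REF.sub(repl, line)


def resolve_batch(script: str) -> list:
    """Walk the script top to bottom. Each line is expanded first; if it turns out to
    be a `set`, the already-expanded value is recorded, exactly as cmd.exe stores it.
    Every other line is returned in expanded form: what an ECHO in front of it prints."""
    env = {}
    would_execute = []
    for raw in script.splitlines():
        line = raw.strip().lstrip("@")          # '@' only suppresses command echo
        if not line or line.lower().startswith(("rem ", "::")):
            continue
        expanded = expand(line, env)
        m = SET_CMD.match(expanded)
        if m:
            env[m.group(1).lower()] = m.group(2)   # variable names are case-insensitive
        else:
            would_execute.append(expanded)
    return would_execute


# Constructed sample in the style of the campaign's scripts (not the real install.bat):
# the SET keyword is spelled from one-character variables, a junk variable pads the
# script, and the real command only exists after expansion.
SAMPLE = r'''@echo off
set "Q1=s"
set "Q2=e"
set "Q3=t"
%Q1%%Q2%%Q3% "junk1=kdjfhq2398"
%Q1%%Q2%%Q3% "P0=##powersh"
%Q1%%Q2%%Q3% "P1=ell##"
%Q1%%Q2%%Q3% "P2=%P0:~2%%P1:~0,-2%"
%Q1%%Q2%%Q3% "P3= -w hidden -ep bypass -c Invoke-Expression $env:onimaiuc"
%P2%%P3%
del "%~f0"
'''

if __name__ == "__main__":
    for cmd in resolve_batch(SAMPLE):
        print(cmd)
```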
First, it performs odd system checks using Get-WmiObject Win32_DiskDrive to query the system’s physical disk drive information. The command retrieves details about all connected storage devices, while Select-Object -ExpandProperty Model extracts only the model names. The output is then piped to findstr /i 'WDS100T2B0A', which performs a case-insensitive search for the SSD model WDS100T2B0A (a Western Digital Blue SSD, 1TB SATA 2.5″). If this specific SSD is found, the script proceeds with additional checks (such as verifying if the F:\ drive is empty) – an anti-analysis technique to detect forensic environments. However, we could not determine why execution would be halted based on these checks.

Figure 6: PowerShell execution – disk drive checks

Lastly, the script either exits with error code 900 if the SSD (WDS100T2B0A) is detected and F:\ is empty, or continues normally.

PowerShell Obfuscation

The PowerShell script employs multiple obfuscation techniques to evade detection. One primary method is string obfuscation using concatenation and character replacements – evident from the extensive use of .Replace() functions. For example, one line uses a PowerShell invoke expression to run:

'$rFUJ= [nKSnKynKsnKtnKemnK.nKSenKcnKunKrinKtnKynK.nKCnKrnKynKpnKtnKonKgnKrnKanKpnKhynK.nKAnKesnK]nK::nKCrnKenKanKtnKe(nK)nK;'.Replace('nK', '');

After removing the “nK” marker characters, the command becomes:

$rFUJ = [System.Security.Cryptography.Aes]::Create();

This reveals that AES encryption is used to decrypt and execute an encoded payload. The script also employs function aliasing and variable obfuscation to further mask its true purpose.

Figure 7: PowerShell obfuscation in Invoke-Expressions

1. -InformationAction Ignore: This suppresses informational messages that could reveal execution details.
2. -Verbose: Used for debugging, though its effect is muted unless VerbosePreference is set to Continue.
3. -Debug: Enables detailed debugging output, which is unusual in malware and may be used to blend in with normal script behavior.

Embedded payload – Decrypt, decode and execute

With the code cleaned up for readability, we see that the PowerShell script implements a multi-layered decryption process on an embedded payload. The huge string at the end of “install.bat” is read in by PowerShell, decoded, extracted, and then executed. The decryption process involves three key functions, as shown in the figure below: taBy, mDmV, and EHSd, which work together to extract and execute the final payload.

Figure 8: Cleaned up PowerShell – decryption process of embedded payloads

The EHSd function executes the final stage of the decoded payload. It takes two arguments, $iMqB and $GkzP, and processes $iMqB, which stores the final decoded payload.

Figure 9: PowerShell execution of embedded payload

The function initializes a byte array using a series of .Replace() functions to remove obfuscation markers, assigns the result to $ySJh, and finally leverages [System.Reflection.Assembly] to execute the decoded payload directly in memory. We’ll dive into this payload further in the next section.

Windows registry injection

The final task of the script is injecting payloads into the Windows registry. In our case, the malware creates values under the HKLM:\SOFTWARE\OOhhhm key as part of the srh function.

Figure 10: PowerShell execution – Windows registry injection

These registry values include XFtkNtIDKz and YvrtRvSWmsUlsKkNV, which store the AES key and IV for decoding further payloads. These keys were also used to decode the initial payload that is reflectively loaded. Additional keys were created – for example, the first key, “HKU\S-1-5-21-......-1001\Environment\onimaiuc”, contained a copy of the malicious PowerShell code from install.bat.
The registry payload is stored in “HKLM\SOFTWARE\OOhhhm=\NbPqJZCqG”, which is dynamically generated.

Figure 11: Log analysis – PowerShell and encrypted payloads injected into the Windows Registry

Similar to install.bat, the PowerShell executed from the registry reads in encrypted payloads in chunks, replaces certain characters, decrypts them, and executes via reflection.

Even stealthier persistence in Windows registry

The malware employs advanced techniques to hide in the Windows registry to evade detection by tools like regedit. We logged additional keys and values created at:

HKLM\SOFTWARE\$nya-dll64
HKLM\SOFTWARE\$nya-dll32
HKLM\SOFTWARE\$nya-config\paths\C:\Windows\system32\drivers\ACPIx86.sys
HKLM\SOFTWARE\$nya-config\service_names\ACPIx86
HKLM\SOFTWARE\$nya-config\pid\3499344

However, when browsing regedit, the created key $nya-dll64 did not exist! This is achieved via rootkit functionality that manipulates visible system data. The malware likely employs API hooking, process injection, and registry tampering to achieve stealth and persistence. For example, renaming the file with the PowerShell command Rename-Item makes hidden files visible, because the filter is hardcoded to specific patterns.

Figure 12: Viewing hidden binary payloads in the registry

Such techniques are common in advanced malware and APT infections, where persistence and evasion are critical. Execution is handled by calling Windows environment variables – in this case, %onimaiuc% is defined, and when referenced in PowerShell, its registry content is executed.

Code execution from Windows registry

Execution happens as Windows processes environment variables. The malware stores malicious PowerShell code in HKU\Environment\onimaiuc. Windows loads these variables when a user logs in.
When a process references %onimaiuc%, it expands the stored registry content as a string. The malware ensures execution by using Invoke-Expression $env:onimaiuc or embedding it in another execution mechanism. This method is stealthy because:

- It avoids writing a visible script to disk.
- Environment variables in HKU\Environment reload automatically at logon.
- It can be executed indirectly via scripts or scheduled tasks.

We can confirm execution by searching for instances of Invoke-Expression $env:onimaiuc or monitoring processes that retrieve the value of %onimaiuc%.

Figure 13: Testing for the presence of the %onimaiuc% environment variable

Persistence through Scheduled Tasks (extreme stealth edition)

The malware maintains persistence by leveraging Windows scheduled tasks. It creates an XML configuration file “$nya-qX6Pb164” in C:\Windows\System32\Tasks. The screenshot below shows the XML contents:

Figure 14: Screenshot of “$nya-qX6Pb164” scheduled task configuration

This task executes malicious PowerShell commands – the same script injected into the registry earlier. Let’s break down its key components.

Key Components of the Scheduled Task

Trigger:
- Execute at each user logon.
- true: the trigger is enabled at logon.

Execution Context & Privileges:
- HighestAvailable: runs with the highest available privileges.
- BUILTIN\Users: in the current user’s context.

Settings:
- IgnoreNew: no new instance is started if one is already running.
- true: the task runs if it was missed because the system was off.
- true: the task can be started manually.
- true: the task is enabled.
- true: the task is hidden from normal views.
- Retries up to five times at one-minute intervals on failure.

Action (execution of malicious code): at this point, the PowerShell code is executed (details as previously observed).
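A triage pass over a task XML file that looks for the combination described above (hidden task, logon trigger, highest available privileges, retry on failure, a script host launched with obfuscation-style arguments, and the cloaked name prefix), as an added Python example that is not Securonix tooling. The two task definitions are constructed from the component values in this section using the Task Scheduler schema's element names; they are not the contents of the real $nya-qX6Pb164 file.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
CLOAKED_PREFIX = "$nya-"        # the prefix this r77 build hides (upstream r77 uses $77)
SCRIPT_HOST = re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?$", re.I)
OBFUSCATION_ARGS = re.compile(
    r"invoke-expression|\biex\b|\$env:|-enc|frombase64string|-w(?:indowstyle)?\s+hidden", re.I)


def _text(node, path: str) -> str:
    found = node.find(path, namespaces=NS)
    return (found.text or "").strip() if found is not None else ""


def triage_task(task_name: str, xml_text: str) -> list:
    """Return the stealth and persistence traits present in one task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    if task_name.startswith(CLOAKED_PREFIX):
        findings.append("name carries the rootkit-cloaked prefix")
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        findings.append("hidden from normal Task Scheduler views")
    if root.find("t:Triggers/t:LogonTrigger", namespaces=NS) is not None:
        findings.append("runs at every logon")
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("requests highest available privileges")
    restart = root.find("t:Settings/t:RestartOnFailure", namespaces=NS)
    if restart is not None:
        findings.append("retries on failure (%s x %s)"
                        % (_text(restart, "t:Count"), _text(restart, "t:Interval")))
    for exec_node in root.findall("t:Actions/t:Exec", namespaces=NS):
        command = _text(exec_node, "t:Command").strip('"')
        arguments = _text(exec_node, "t:Arguments")
        if SCRIPT_HOST.search(command) and OBFUSCATION_ARGS.search(arguments):
            findings.append("action runs a script host with obfuscation-style arguments")
    return findings


def load_task_file(path: str) -> str:
    r"""Task files under C:\Windows\System32\Tasks are XML, usually UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data.decode("utf-8")


# Constructed from the component values in the post; not the real file's contents.
SUSPECT_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author">
    <GroupId>BUILTIN\Users</GroupId><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RestartOnFailure><Interval>PT1M</Interval><Count>5</Count></RestartOnFailure>
  </Settings>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -ep bypass -c "Invoke-Expression $env:onimaiuc"</Arguments>
  </Exec></Actions>
</Task>"""

# A benign logon task for contrast (also constructed).
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files\Vendor\updater.exe"</Command><Arguments>/quiet</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("$nya-qX6Pb164", SUSPECT_TASK), ("VendorUpdate", BENIGN_TASK)):
        print(name, "->", triage_task(name, xml_text))
```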
Overall, this scheduled task ensures the malicious PowerShell code runs at every login by hiding itself and retrying upon failure. It is responsible for decrypting and executing payloads stored in the registry (HKLM:\SOFTWARE\$nya-OXD9Q).

The Stealthy side of Scheduled Task persistence

The unusual name “$nya-qX6Pb164” is reminiscent of the Windows registry key “$nya-config”. The screenshot below demonstrates this advanced hiding technique.

Figure 15: The scheduled task file “$nya-config” hidden from view but readable via special methods

Binary static analysis (Test.exe/.NET assemblies)

Jumping back into the core components of the attack chain: we observed a binary payload decrypted and reflectively loaded via PowerShell. Let’s analyze this binary. Upon execution, we dumped the .NET binary payload containing the assemblies loaded by PowerShell. At a high level, the project is simply called “Test”.

Figure 16: PE file information – “Test.exe”

Cracking open the file in ILSpy reveals heavily obfuscated source code, making reverse engineering challenging.

Figure 17: Obfuscated .NET assemblies

The highlighted function shows advanced obfuscation techniques such as control-flow obfuscation, symbol renaming, and string encryption. Key techniques include:

.NET obfuscation techniques breakdown:

1. Unicode and Symbol Mangling:
   1. ڗ 튯\uF83C摊턝䵯\u20B1쨩ኟዚR늤㮌绂ꡛ\u25B9ጤꀰ䠛侪 – Function names using mixed Arabic, Chinese, and special characters.
   2. Some functions start with Unicode escape sequences, hindering automated deobfuscation.
2. Array-Based Execution Flow Manipulation:
   1. Multiple arrays (e.g. array, array2, array3) store variables and obfuscated logic assembled in random sequences.
   2. “Fixed” statements lock arrays in memory for unsafe operations.
3. Control Flow Flattening & Dead Code Injection:
   1. Multiple conditions (if, switch) obscure the true execution flow.
   2. Redundant calculations mask variables or strings.
4. Pointer and Memory Manipulation:
   1. Unsafe code (e.g., byte* ptr, IntPtr, fixed arrays) indicates raw memory operations.
   2. Direct manipulation of memory regions for decryption or function resolution.

Automated .NET deobfuscation tools yielded mixed results, offering only partial readability.

.NET API Calls

By examining API calls (e.g., into kernel32.dll), we gain insight into potential process manipulation, code injection, and evasion techniques.

Figure 18: .NET API calls

- SetThreadContext and GetThreadContext: These functions modify or retrieve a thread’s execution context, potentially redirecting execution flow.
- GetProcAddress and LoadLibrary: These functions resolve DLL function addresses dynamically to evade static detection.
- AddVectoredExceptionHandler: Registers an exception handler; malware may use it for anti-debugging or alternate execution flow.

Overall, the API calls suggest process manipulation, API obfuscation, and anti-analysis techniques.

AMSI bypass

Debugging Test.exe revealed several anti-debugging traps, including AMSI patching to bypass antivirus detections.

Figure 19: .NET AMSI bypass

AMSI (Antimalware Scan Interface) is designed to block malicious scripts. By patching amsi.dll (using techniques like “calli”), the malware bypasses these scans. It achieves this by loading amsi.dll and using functions such as LoadLibrary and GetProcAddress to modify AMSI functions like AmsiScanBuffer. This patch forces AMSI to always return a “clean” result, allowing malicious code to execute undetected.

Binary dynamic analysis (Test.exe/.NET assemblies)

Execution of the PowerShell script that reflectively loaded the binary payload (Test.exe) showed that the payload began beaconing immediately, connecting to 86.54.42[.]120 on port 4782 – a common port for the open-source QuasarRAT.
Since QuasarRAT is written in C#, this aligns with our static analysis. Typically, such payloads are not obfuscated well; here, the threat actors took steps to make detection harder.

Final payload analysis (ACPIx86.sys)

As part of the attack chain, the .NET payload dropped a malicious file into C:\Windows\System32\Drivers\ called ACPIx86.sys. This occurred concurrently with the creation of malicious registry keys (see “Windows registry injection”).

Windows services for persistence

The malware registers and launches the malicious driver (ACPIx86.sys) as a Windows service. It writes entries under HKLM\SOFTWARE\$nya-config\service_names\ACPIx86 and HKLM\SOFTWARE\$nya-config\paths\C:\Windows\system32\drivers\ACPIx86.sys, mapping the driver file to a service name. Additionally, by modifying HKLM\SYSTEM\CurrentControlSet\Services\ACPIx86, the service is configured with its location, startup type, and execution parameters. It can be started via standard API calls or the command sc.exe start ACPIx86.

Figure 20: Registry details for the ACPIx86 service

Dynamic execution in a controlled environment yielded limited results – likely due to anti-analysis techniques.

r77 Rootkit analysis

The rootkit used in OBSCURE#BAT appears to be a user-mode rootkit designed to manipulate Windows processes, files, and registry entries to remain hidden. We identified it as the r77 rootkit – an open-source ring-3 rootkit. According to its GitHub page, it offers functionality to hide:

- Files, directories
- Processes & CPU/GPU usage
- Registry keys & values
- Services
- TCP & UDP connections
- Junctions, named pipes, scheduled tasks

By default, the r77 rootkit hides the “$77” file prefix; here it has been modified to hide the “$nya” prefix.
The binary payloads for the rootkit are stored in the registry under HKLM\Software as $nya-dll32 and $nya-dll64. These DLLs get injected into the PowerShell process invoked by the batch script. Although elevated, the rootkit remains in user space. Its tactics are similar to those seen in online projects like Chaos-Rootkit and S12URootkit, which hide their own process IDs and files.

A user-mode rootkit operates in ring 3, avoids kernel modifications, and uses the registry and scheduled tasks for persistence. Key observations include:

1. Operates in user space (ring 3) via a hidden PowerShell process
2. Uses API hooking rather than kernel hooking
3. Relies on registry and scheduled tasks for persistence
4. Injects into system processes such as winlogon.exe, explorer.exe, or powershell.exe
5. No evidence of active driver installation in ring 0
6. No modification of SSDT or IRP hooks detected
7. Being user-mode, it evades many traditional kernel-based security tools

We observed multiple stealth techniques to hide files, processes, scheduled tasks, and registry keys.

Figure 21: Rootkit hiding under process ID 6692

Based on our analysis, the r77 rootkit exhibits the following behaviors (observed during dynamic analysis):

r77 Rootkit Capabilities:

Process hiding:
- The malware hides its process from tasklist, Get-Process, and Task Manager, though Sysmon may still log its activity.
- Likely achieved via API hooking (e.g., NtQuerySystemInformation).
- May modify the System Process Information table to filter its own process ID.
- The malware registers active PIDs in the registry (HKLM\SOFTWARE\$nya-config\pid), possibly for tracking.

File masking:
- Files matching $nya-* are hidden from Explorer, dir, and Get-Item. We verified this by renaming a file to a $xxx- prefix.
- May hook NtQueryDirectoryFile to filter file names.
- May manipulate NTFS metadata or redirect file queries.
Registry tampering:
- Certain registry keys (HKLM\SOFTWARE\$nya-config) are hidden until specifically queried.
- Likely via API hooking in advapi32.dll intercepting RegQueryValueEx calls.
- Registry editors and standard queries cannot enumerate these keys due to selective filtering.

Kernel interaction:
- The malware references a driver (ACPIx86.sys) in C:\Windows\System32\Drivers, executed as a service via registry modification.
- If the driver is loaded but hidden, kernel-mode techniques may be used.
- Could involve direct system calls to bypass user-mode detection.
- May leverage DKOM (Direct Kernel Object Manipulation) to alter process visibility.

Stealthy endpoint and user monitoring

The malware monitors user interactions such as clipboard activity and PowerShell logging. An encrypted binary file is created daily and saved in the “%APPDATA%\Roaming” directory, using the $nya naming scheme, which causes the folder to be hidden from Explorer and command shells.

Figure 22: Files containing encrypted user data

Monitoring the r77 rootkit’s process via Procmon shows regular file writes and access to these dated files, which are likely exfiltrated for decryption and analysis.

Wrapping up…

OBSCURE#BAT demonstrates a highly evasive attack chain, leveraging obfuscation, stealth techniques, and API hooking to persist on compromised systems while evading detection. From the initial execution of the obfuscated batch script (install.bat) to the creation of scheduled tasks and registry-stored scripts, the malware ensures persistence even after reboots. By injecting into critical system processes like winlogon.exe, it manipulates process behavior to further complicate detection.
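The cross-view check implied by the process-hiding note above (a process Sysmon logged as started and never terminated, yet absent from the user-mode tasklist view that an API hook can filter), as an added Python example that is not Securonix tooling. The Sysmon-style events and the tasklist output are constructed; PID 6692 is borrowed from Figure 21 only as a label, and the simplified key=value event format stands in for the real EVTX/XML records.

```python
import csv
import io
import re

# Simplified key=value rendering of Sysmon Event ID 1 (ProcessCreate) and 5
# (ProcessTerminate); a real deployment reads these fields from the event XML.
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    return dict(KV.findall(line))


def live_processes_from_sysmon(lines) -> dict:
    """Replay creates and terminates in order, so a PID that was freed and reused is
    attributed to its newest image rather than to the process that already exited."""
    live = {}
    for line in lines:
        ev = parse_event(line)
        pid = int(ev["ProcessId"])
        if ev["EventID"] == "1":
            live[pid] = ev["Image"]
        elif ev["EventID"] == "5":
            live.pop(pid, None)
    return live


def visible_processes_from_tasklist(csv_text: str) -> dict:
    """Parse `tasklist /fo csv` output: the user-mode view a hooked API can filter."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(csv_text))}


def find_hidden_processes(sysmon_lines, tasklist_csv: str) -> list:
    """PIDs the Sysmon record says are alive but the user-mode listing omits.
    A process exiting between the two snapshots produces a benign hit, so treat
    the result as a lead to confirm against a second, independent view."""
    live = live_processes_from_sysmon(sysmon_lines)
    visible = visible_processes_from_tasklist(tasklist_csv)
    return sorted((pid, image) for pid, image in live.items() if pid not in visible)


def find_name_mismatches(sysmon_lines, tasklist_csv: str) -> list:
    """Visible PIDs whose listed name differs from the image Sysmon recorded."""
    live = live_processes_from_sysmon(sysmon_lines)
    visible = visible_processes_from_tasklist(tasklist_csv)
    out = []
    for pid, name in visible.items():
        if pid in live:
            base = live[pid].rsplit("\\", 1)[-1]
            if base.lower() != name.lower():
                out.append((pid, base, name))
    return sorted(out)


# Constructed events (not from the Securonix investigation). notepad.exe exits and
# its PID is reused by calc.exe, which the replay must not report as hidden.
SYSMON_EVENTS = [
    r"EventID=1 UtcTime=2025-03-10 09:00:01 ProcessId=4120 Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\userinit.exe",
    r"EventID=1 UtcTime=2025-03-10 09:00:07 ProcessId=6692 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\cmd.exe",
    r"EventID=1 UtcTime=2025-03-10 09:01:12 ProcessId=5008 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=5 UtcTime=2025-03-10 09:02:30 ProcessId=5008 Image=C:\Windows\System32\notepad.exe",
    r"EventID=1 UtcTime=2025-03-10 09:02:31 ProcessId=5008 Image=C:\Windows\System32\calc.exe ParentImage=C:\Windows\explorer.exe",
]
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","4120","Console","1","81,204 K"
"calc.exe","5008","Console","1","9,812 K"
'''

if __name__ == "__main__":
    for pid, image in find_hidden_processes(SYSMON_EVENTS, TASKLIST_CSV):
        print("logged but not listed:", pid, image)
```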
The most alarming aspect is the user-mode rootkit functionality, which systematically hides files, processes, and registry keys matching the pattern ($nya-). This requires deeper forensic and behavioral analysis to detect and neutralize.

Victimology and attribution

We believe the OBSCURE#BAT campaign primarily targets English-speaking individuals. All lure documents, file names, and websites are in English, and our analysis of the attacker’s infrastructure indicates a US base, with telemetry also from Canada, Germany, and the United Kingdom. However, we cannot definitively state which country or threat group is responsible. Updates will be provided as more information emerges.

Securonix recommendations

- Maintain vigilance against social engineering, malvertising, and fake captcha scams that trick users into executing code. Always verify that software downloads come from legitimate websites. A legitimate captcha will never copy code to your clipboard and prompt execution.
- Be cautious with batch (.bat) files from unknown sources, as they are a common attack vector in phishing campaigns. Inspect batch files in a text editor before executing them.
- If infected, note that although the attacker may mask attribution, the original r77 rootkit author provides a remover or uninstaller.
- We strongly recommend deploying robust endpoint logging (e.g., Sysmon and PowerShell logging) for enhanced detection.
- Securonix customers can use the following hunting queries to scan endpoints.
MITRE ATT&CK Matrix

Initial Access
- T1566.001: Phishing: Spearphishing Attachment

Command and Control
- T1071.001: Application Layer Protocol: Web Protocols
- T1132: Data Encoding
- T1219: Remote Access Software

Defense Evasion
- T1014: Rootkit
- T1027: Obfuscated Files or Information
- T1027.010: Obfuscated Files or Information: Command Obfuscation
- T1036: Masquerading
- T1112: Modify Registry
- T1140: Deobfuscate/Decode Files or Information
- T1055: Process Injection
- T1620: Reflective Code Loading

Execution
- T1059.001: Command and Scripting Interpreter: PowerShell
- T1059.003: Command and Scripting Interpreter: Windows Command Shell
- T1204.002: User Execution: Malicious File

Exfiltration
- T1102: Web Service

Persistence
- T1053.005: Scheduled Task/Job: Scheduled Task

Resource Development
- T1583.001: Acquire Infrastructure: Domains
- T1583.008: Acquire Infrastructure: Malvertising

Relevant Securonix detections

- EDR-ALL-1084-ERR
- EDR-ALL-1282-RU
- EDR-ALL-1123-RU
- WEL-ALL-1206-RU

Relevant hunting queries (remove square brackets “[ ]” for IP addresses or URLs)

index = activity AND rg_functionality = “Next Generation Firewall” AND destinationaddress IN ( “88.222.244[.]187,150.171.28[.]10,195.211.190[.]61,147.185.221[.]24,138.197.66[.]62,185.128.227[.]28,195.211.190[.]61,100.28.201[.]15

index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “File created” OR deviceaction = “File created (rule: FileCreate)”) AND TargetFileName CONTAINS “$nya-“

index = activity AND rg_functionality = “Microsoft Windows” AND baseeventid = “4698” AND CommandLine CONTAINS “$nya-“

index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND childprocesscommandline CONTAINS “$nya-“

index = activity AND rg_functionality = “Endpoint Management Systems” AND transactionstring5 = “SetValue” AND customstring47 CONTAINS “$nya-“

C2 and infrastructure

C2 Address

Analyzed files/hashes
Source: https://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits