{
	"id": "782cac85-d063-40ea-8e71-7f6d15c00395",
	"created_at": "2026-04-06T00:09:11.129941Z",
	"updated_at": "2026-04-10T13:12:56.987395Z",
	"deleted_at": null,
	"sha1_hash": "9d77dda016eee2762c9f2fbd7dd6f5713bf4ba5d",
	"title": "Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4977934,
	"plain_text": "Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks\r\nBy: Junestherry Dela Cruz Jan 17, 2023 Read time: 10 min (2728 words)\r\nPublished: 2023-01-17 · Archived: 2026-04-05 15:44:12 UTC\r\nMalware\r\nWe discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (this is the intrusion set we track behind the creation of Batloader).\r\nBatloader (detected by Trend Micro as Trojan.Win32.BATLOADER) is an initial access malware family that is known for using malvertising techniques and using script-based malware inside Microsoft Software Installation (MSI) packages downloaded from legitimate-looking-yet-malicious websites. Earlier this year, Mandiant researchers observed Batloader using search engine optimization (SEO) poisoning techniques in its attacks.\r\nBatloader is associated with an intrusion set that we have dubbed “Water Minyades.” The actors behind Water Minyades are known for delivering other malware during the last quarter of 2022, such as Qakbot, RaccoonStealer, and Bumbleloader via social engineering techniques.\r\nIn this blog entry, we discuss notable Batloader campaigns that we’ve observed in the last quarter of 2022, including the abuse of custom action scripts from the Advanced Installer software and Windows Installer XML (WiX) toolset, the use of obfuscated JavaScript files as a first-stage payload, and the use of the PyArmor tool to obfuscate Batloader Python scripts. 
We also shed light on noteworthy Water Minyades-related events and give a detailed look at Batloader’s technical details.\r\nBatloader’s Capabilities\r\nThe table below summarizes the capabilities of Batloader:\r\nCapability | Description\r\nAnti-sandbox | Batloader is usually inflated to a very large size by being bundled with a legitimate installer file. This can prevent sandboxes with file size limits from properly detonating and observing the behavior of the file.\r\nFingerprints host | Batloader fingerprints the host to determine if it is a legitimate victim. It checks for environment artifacts such as the user, computer name, and whether it is domain-joined.\r\nCommunicates with C\u0026C | Batloader is a modular malware that communicates with its C\u0026C server and has been observed to drop malware according to the specifications of the victim host it has infected. If the victim host belongs to an enterprise environment, it is more likely to drop the remote management tool Atera and a Cobalt Strike beacon, which would then lead to ransomware deployment.\r\nStops security software services | Batloader executes open-source scripts that attempt to stop services related to security software, such as Windows Defender.\r\nEscalates privileges | Batloader abuses legitimate tools like NirCmd.exe and Nsudo.exe to escalate privileges.\r\nEvades antivirus (AV) solutions | Batloader uses different techniques to attempt to evade antivirus solutions, such as hyperinflating MSI file sizes for antivirus engines that have file size limits, using noticeably short modular scripts that can be hard to structurally detect, acquiring legitimate digital signatures for the MSI files, obfuscating scripts connecting to the Batloader command and control (C\u0026C) servers, and abusing legitimate file sharing services to host malware payloads.\r\nInstalls other components | Batloader uses a modular approach wherein the first-stage payload of the campaign is usually an MSI file bundled with custom action scripts. The other components of the campaign, including the legitimate tools it will download to escalate its privileges and download other malware, will be downloaded by these scripts.\r\nInstalls additional malware | Batloader has been observed to drop several malware payloads, such as Ursnif, Vidar, Bumbleloader, RedLine Stealer, ZLoader, Cobalt Strike, and SmokeLoader. It can also drop legitimate remote management tools, such as Syncro and Atera. We have also seen Batloader being a key enabler for Royal ransomware, the second-most prevalent ransomware family we have been observing recently.\r\nTable 1. Batloader's capabilities\r\nhttps://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html\r\nPage 1 of 14\n\nExamining the Water Minyades Intrusion Set\r\nWater Minyades is known for heavily relying on defense evasion techniques, one of which is deploying payloads with very large file sizes to evade sandbox analysis and antivirus engines’ file size limits. Water Minyades also abuses legitimate tools, such as the system management tool NSudo and the email and file encryption tool Gpg4win, to elevate privileges and decrypt malicious payloads. 
This intrusion set also abuses MSI files’ legitimate digital signatures, exploits vulnerabilities related to Windows’ PE Authenticode signatures to execute malicious scripts that have been appended to signed DLLs (dynamic-link libraries), and uses scripts that can be easily modified to evade scanning engines that rely on structural signature detection techniques.\r\nUsing Trend Micro™ Smart Protection Network™ (SPN) feedback data, we determined that Batloader attacks are mostly deployed in the United States, Canada, Germany, Japan, and the United Kingdom.\r\nCountry | Percentage of Attacks\r\nUnited States | 61\r\nCanada | 8\r\nGermany | 8\r\nJapan | 4\r\nUnited Kingdom | 3\r\nAustralia | 2\r\nBrazil | 2\r\nNetherlands | 2\r\nPoland | 1\r\nSingapore | 1\r\nOthers | 8\r\nTable 2. Distribution of Batloader attacks in Q4 2022\r\nAfter tracking the activities related to Water Minyades and backtracking to early 2020, we were able to determine several noteworthy events in this timeline:\r\nPeriod | Water Minyades attack details\r\nH2 2020 | An open-source intelligence report indicates that this was when the intrusion set became active. During this time, the group’s most dropped payload was the Smokeloader malware, and it also heavily used exploit kits such as Rig and Fallout.\r\nOct. 2020 | The group behind the intrusion set stopped using exploit kits in favor of social engineering schemes, which meant that targets were no longer limited to Internet Explorer users. They posted malicious advertisements on porn websites to lure victims into downloading a fake Java MSI, which then led to the deployment of Zloader payloads.\r\nFeb. 2022 | The group behind Water Minyades distributed Batloader using SEO poisoning techniques to trick victims into downloading legitimate software and applications that were trojanized with malware script. During this time, Batloader dropped Zloader and the legitimate remote-management tool Atera to enterprise victim machines. Batloader was also observed using the PE (portable executable) polyglotting technique, which is the process of executing signed DLL files with appended malicious scripts.\r\nSep. 2022 | Initial Batloader infections were observed to have led to Cobalt Strike deployments and Royal ransomware infections.\r\nOct. 2022 | Water Minyades actors abused Google Ads and the legitimate Keitaro Traffic Direction System (TDS) to redirect victims into downloading Batloader malware.\r\nDec. 2022 | Water Minyades actors used JavaScript instead of MSI files as a first-stage payload. The group eventually obfuscated the downloader of the JavaScript files.\r\nTable 3. Water Minyades’ noteworthy events from 2020 to 2022\r\nA Technical Analysis of Batloader\r\nBatloader usually arrives via malicious websites that impersonate legitimate software or applications. 
Victims can be redirected to these websites via malvertising techniques and fake comments on forums containing links that lead to Batloader distribution websites.\r\nBased on our investigation, we determined that Batloader impersonates a slew of legitimate software and application websites in its campaign:\r\n            Adobe\r\n            AnyDesk\r\n            Audacity\r\n            Blender\r\n            CCleaner\r\n            FileZilla\r\n            Fortinet\r\n            Foxit\r\n            GetNotes\r\n            Google Editor\r\n            Grammarly\r\n            Java\r\n            KMSAuto\r\n            LogmeIn\r\n            Luminar\r\n            Minersoft\r\n            Putty\r\n            Schwab\r\n            Slack\r\n            TeamViewer\r\n            TradingView\r\n            uTorrent\r\n            WinRAR\r\n            Zoho\r\n            Zoom\r\nFigure 1. Examples of malicious websites that distribute Batloader\r\nWhen victims select the “Install” or “Download” option, the Batloader package will be downloaded to the system via a .ZIP file.\r\nFigure 2. The Batloader package\r\nFigure 3. Typical Batloader kill chain\r\nThe stages below are typical Water Minyades techniques, tactics, and procedures (TTPs) but may vary slightly over time.\r\nStage, Stage No. | Description\r\nArrival, 1 | Water Minyades actors create malicious advertisements that abuse legitimate services such as Google Ads and Keitaro TDS. These malicious advertisements lead victims to malicious websites that aim to resemble the legitimate websites of popular software and applications.\r\nInfection, 2 | Victims are lured into installing a malicious file from the fake website. Based on recent Water Minyades activities, this can take the form of an MSI, VHD (Virtual Hard Disk), VHDX (Virtual Hard Disk v2), or a JavaScript file.\r\nInfection, 3 | Earlier campaigns that used MSI files were observed to drop PE polyglot binaries containing malicious appended scripts. These scripts can be executed by MSHTA.exe due to a vulnerability in the PE Authenticode verification process. The MSI and VHD files usually contain a custom action script that is designed to connect to Batloader’s C\u0026C server to download the next-stage payload.\r\nInfection, 4 | Water Minyades’ C\u0026C server will decide which payload to drop.\r\nPost-infection, 5 | Batloader can install different malware families, such as:\r\n       Bumble Loader\r\n       Cobalt Strike\r\n       Qakbot\r\n       Raccoon Stealer\r\n       RedLine Stealer\r\n       Smoke Loader\r\n       System BC\r\n       Ursnif (Bot)\r\n       Vidar (Stealer)\r\n       ZLoader\r\nBased on our observations, these malware families’ payloads are typically hyperinflated in size and are encrypted. Batloader can also install the following legitimate applications to aid with other stages of the kill chain, such as privilege escalation and defense evasion:\r\nNsudo – abused to run processes with elevated privileges\r\nGpg4win – abused to decrypt next-stage payloads downloaded by Batloader\r\nNirCmd – a command-line utility tool\r\nPowerShell – abused to run malicious PowerShell scripts\r\nMsiExec.exe – abused to run MSI files with malicious custom action scripts\r\nMshta.exe – abused to execute malicious code appended to PE files\r\nBatloader also abuses legitimate remote admin tools, such as Syncro and Atera, to facilitate ransomware deployment.\r\nPost-infection, 6 | Second-stage malware like Ursnif, Cobalt Strike Beacon, and Bumblebee usually connect to their own C\u0026C server to execute follow-on activities.\r\nPost-infection, 7 | Follow-on activities can include the deployment of ransomware families such as Royal.\r\nTable 4. Water Minyades attack stages\r\nBatloader’s Notable Q4 Campaigns\r\nIn this section, we identify the techniques observed in the different campaigns. We see from the campaigns above that although the Batloader malware is predominantly script-based, this intrusion set continuously finds ways to evade detection and improve its anti-analysis techniques by utilizing legitimate tools to hide and obfuscate its scripts.\r\nAbuse of custom action scripts of the Advanced Installer software\r\nWe have observed that some Batloader MSI packages were used to abuse a legitimate installer file via a custom action PowerShell script. Potentially, this was carried out by abusing the Advanced Installer software's 30-day free trial application form.\r\nFigure 4. Advanced Installer’s 30-day free trial form abused by Water Minyades actors\r\nFigure 5. 
An example of an MSI file with a custom action PowerShell script viewed using the PE Studio tool\r\nIn Figure 6, we can see that the Batloader script was launched via the “PowerShellScriptLauncher.dll” file that was created using the Advanced Installer software.\r\nFigure 6. Batloader script launched via “PowerShellScriptLauncher.dll”\r\nFigure 7. Batloader kill chain using compromised MSI package\r\nFrom our tracking, this technique was used in a number of campaigns between September 2022 and December 2022.\r\nFigure 8. Batloader C\u0026C server activities abusing Advanced Installer software. Data taken from Trend Micro SPN.\r\nAbuse of Windows Installer XML Toolset\r\nAnother tool that was recently abused by Water Minyades actors was the WiX toolset.\r\nFigure 9. An example of an MSI file created using the WiX toolset viewed using the PE Studio tool\r\nUsing this toolset, malicious actors can insert a custom action script and specify when it will be executed. In Figure 10, we can see that the custom action \"checkforupdate.bat\" will be executed, which will also drop and execute additional malicious scripts inside the “update.zip” file.\r\nFigure 10. A custom action created using the WiX toolset\r\nFigure 11. Snippet of code from checkforupdate.bat’s follow-on activities\r\nWe also observed a significant number of campaigns using this technique during the month of November 2022.\r\nFigure 12. Batloader C\u0026C server activities abusing Windows Installer XML Toolset. Data taken from Trend Micro SPN.\r\nUse of JavaScript files instead of MSI files in campaigns\r\nStarting November 27, 2022, we observed that Water Minyades actors switched to using JavaScript files instead of MSI files as the initial Batloader payload.\r\nThis technique uses small JavaScript files with straightforward commands, ones that are also used for non-malicious purposes. This is in direct contrast to the technique used with MSI files, wherein MSI file sizes are hyperinflated to evade scanning engines with file size limitations.\r\nFrom a detection point of view, this can also pose a challenge because the only malicious parts of the file are the C\u0026C URLs themselves; a structure-based detection algorithm would also match non-malicious JavaScript files.\r\nFigure 13. Contents of a Batloader JavaScript file named “InstallerV61.js”\r\nThis highlights the need for a multilayered security solution, one that can successfully detect malicious artifacts related to Batloader campaigns.\r\nAfter a few days of analyzing this Batloader campaign, we observed that the malicious actors behind it had obfuscated the JavaScript files as an additional detection evasion measure.\r\nFigure 14. An obfuscated Batloader JavaScript file\r\nFigure 15. 
A typical execution chain for the JavaScript Batloader campaign\r\nBased on the distribution domains used in this campaign, we believe that this campaign was launched during Black Friday:\r\n       logmeinofferblackfriday[.]com\r\n       anydeskofferblackfriday[.]com\r\n       zoomofferblackfriday[.]com\r\n       slackcloudservices[.]com\r\nAccording to our telemetry, a significant number of campaigns used this technique between the end of November and the first week of December 2022.\r\nFigure 16. Batloader C\u0026C server activities abusing JavaScript downloaders. Data taken from Trend Micro SPN.\r\nUse of PyArmor tool to obfuscate Batloader Python script\r\nAfter the JavaScript campaigns of Batloader, we observed from the second week of December 2022 that the group abused the Advanced Installer software again. This time, the malicious file that it ultimately executes is a Python script protected with PyArmor.\r\nWe found a sample MSI file (SHA256: 2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331), which is a trojanized Chat Mapper installer masquerading as an Anydesk.msi installer. This installer was created using the Advanced Installer application, and one of its custom actions is to execute a file called “viewer.exe” with the command line “#InstallPython.bat”.\r\nFigure 17. Custom action script of the latest Batloader campaign observed in Q4 2022\r\nThe file InstallPython.bat will install Python 3.9.9, copy and extract the openssl.zip archive, and run the PyArmor-encrypted Python script named main4.py.\r\nFigure 18. InstallPython.bat\r\nPyArmor is a free-with-restrictions command line tool that can be used to obfuscate Python scripts. The obfuscated Python file in this case is named main4.py:\r\nFigure 19. Batloader PyArmor-protected Python script\r\nDeobfuscating this script using the techniques identified by PyArmor Unpacker, we see that this script connects to the Batloader C\u0026C updateclientssoftware[.]com. We’ve observed this Batloader C\u0026C server active from the second week of December until the second week of January 2023. We are continuously monitoring this campaign for any additional activities.\r\nFigure 20. Connecting to the Batloader C\u0026C\r\nBatloader’s C\u0026C Activities in Q4 2022\r\nWe started observing an increase in Water Minyades activity in September 2022, which was also the time when we started seeing Batloader deploying Royal ransomware to its victims. The number of attacks peaked from November until the first week of December 2022.\r\nFigure 21. Batloader requests to C\u0026C domains from October to December 2022. Data taken from Trend Micro SPN.\r\nFigure 22. Most requested Batloader C\u0026C domains from October to December 2022. Data taken from Trend Micro SPN.\r\nThe C\u0026C domain with the highest number of requests for Q4 2022 is “installationupgrade6[.]com.” Interestingly, this was the first C\u0026C domain used in the Batloader campaign via JavaScript droppers and Black Friday Sale-related malicious distribution websites.\r\nThis could mean that victims are more likely to fall for malvertising campaigns that promote sales or discounts. 
This highlights the massive impact social engineering lures have on the success of these malicious campaigns.\r\nConclusion\r\nBased on our investigation, Batloader is a highly evasive and evolving malware family capable of deploying different types of malware, including loaders, bots, and ransomware. Batloader tricks victims by using different malvertising and social engineering techniques to distribute malicious payloads.\r\nBatloader is a prime example of a modern malware and a modular threat, and protecting systems against it requires not just one defensive strategy, but a robust and multilayered solution that provides shared visibility from a central place. Trend Micro Vision One™ is a technology that can provide powerful XDR capabilities that collect and automatically correlate data across multiple security layers — from email and endpoints to servers, cloud workloads, and networks. Trend Vision One can prevent attacks via automated protection, while also ensuring that no significant incidents go unnoticed.\r\nIndicators of Compromise (IOCs)\r\nURLs\r\n105105105015[.]com | Batloader C\u0026C server\r\n24xpixeladvertising[.]com | Batloader C\u0026C server\r\nclodtechnology[.]com | Batloader C\u0026C server\r\ncloudupdatesss[.]com | Batloader C\u0026C server\r\nexternalchecksso[.]com | Batloader C\u0026C server\r\ngrammarlycheck2[.]com | Batloader C\u0026C server\r\ninstallationsoftware1[.]com | Batloader C\u0026C server\r\ninstallationupgrade6[.]com | Batloader C\u0026C server\r\ninternalcheckssso[.]com | Batloader C\u0026C server\r\nt1pixel[.]com | Batloader C\u0026C server\r\nupdatea1[.]com | Batloader C\u0026C server\r\nupdateclientssoftware[.]com | Batloader C\u0026C server\r\nupdatecloudservice1[.]com | Batloader C\u0026C server\r\nSHA256 | Description | Detection\r\n23373654d02cb7eace932609826cca4f82fcac67ca44b9328baba385acc00c67 | Batloader File (component of 2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331) | Trojan.BAT.BATLOADER.A\r\nf8f3f22425ea72fafba5453c70c299367bd144c95e61b348d1e6dda0c469e219 | Batloader File (component of 2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331) | Trojan.Python.BATLOADER.A\r\n61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc | Batloader File | Trojan.JS.BATLOADER.SMYXCLAZ\r\n91730741d72584f96ccba99ac9387e09b17be6d64728673871858ea917543c1e | Batloader File | Trojan.JS.BATLOADER.SMYXCLAZ\r\naef18b7ab1710aaeb0d060127750ba9d17413035309ec74213d538fb1b1bdf79 | Batloader File | Trojan.JS.BATLOADER.SMYXCLAZ\r\ne7735cb541e7afd50759eae860b7d1a43d627fbf5cd96d016241084e91659817 | Batloader File | Trojan.JS.BATLOADER.SMYXCLAZ\r\n23a5981d086242349f6e3476eff11ea3244cebef3d65c76c7bc74470c1ec4b49 | Batloader File | Trojan.Win32.BATLOADER.SMYXCK3Z\r\n3707ad9d9ea318757883ede9691e5c4e8d778c839a056f8b4a94ed47a76da2c8 | Batloader File | Trojan.Win32.BATLOADER.SMYXCK3Z\r\n86f6af51d30159f4d2e00ed733a88dc05cc5dd846b1b2d1ba30582f6e33ac998 | Batloader File | Trojan.Win32.BATLOADER.SMYXCK3Z\r\nb28047cda1c688c844f676e94770c08cf570f4d65fa4c5e4454ae449c2439e3f | Batloader File | Trojan.Win32.BATLOADER.SMYXCK3Z\r\ne1dcc098a6585dbbf4df64f09f8e8508e218485e1958fe6fe04b91547e109a83 | Batloader File | Trojan.Win32.BATLOADER.SMYXCK3Z\r\ne528cb5e7a2d04269d955ce771b7326bae929355807039f49106126b1a5ff227 | Batloader File | Trojan.Win32.FRS.VSNW1DK22/Trojan.PS1.BATL\r\nfcbfbc2ae4ed3e51631ecb3184004d96f0a6fd5e9de55400dedfa6b5cafc7c41 | Batloader File | Trojan.Win32.FRS.VSNW1DK22/Trojan.PS1.BATL\r\nSource: https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html"
	],
	"report_names": [
		"batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434151,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d77dda016eee2762c9f2fbd7dd6f5713bf4ba5d.pdf",
		"text": "https://archive.orkl.eu/9d77dda016eee2762c9f2fbd7dd6f5713bf4ba5d.txt",
		"img": "https://archive.orkl.eu/9d77dda016eee2762c9f2fbd7dd6f5713bf4ba5d.jpg"
	}
}