{
	"id": "884e44f7-9cec-46ee-8f33-2670f4b663c4",
	"created_at": "2026-04-06T00:19:26.031985Z",
	"updated_at": "2026-04-10T13:11:37.568099Z",
	"deleted_at": null,
	"sha1_hash": "b7c996279896c14ce8f999f64c57dcb45256b404",
	"title": "SEO Poisoning to Distribute BATLOADER and Atera Agent",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3484644,
	"plain_text": "SEO Poisoning to Distribute BATLOADER and Atera Agent\r\nBy Mandiant\r\nPublished: 2022-02-01 · Archived: 2026-04-05 16:29:43 UTC\r\nWritten by: Ng Choon Kiat, Angelo Del Rosario, Martin Co\r\nWhile defending our customers against threats, Mandiant Managed Defense continues to see new threats that\r\nabuse trust in legitimate tools and products to carry out their attacks. These attacks are effective at getting past\r\nsecurity defenses and staying undetected in a network.\r\nThrough proactive threat hunting, our Managed Defense frontline team uncovered a campaign that used search\r\nengine optimization (SEO) poisoning to lead victims to download the BATLOADER malware for the initial\r\ncompromise. We also observed a crafty defense evasion technique using mshta.exe, a Windows-native utility\r\ndesigned to execute Microsoft HTML Application (HTA) files.\r\nSEO poisoning is an attack method in which threat actors create malicious websites packed with keywords and\r\nuse search engine optimization techniques to make them show up prominently in search results.\r\nInfection Chain\r\nThe threat actor used “free productivity apps installation” or “free software development tools installation” themes\r\nas SEO keywords to lure victims to a compromised website and to download a malicious installer. The installer\r\ncontains legitimate software bundled with the BATLOADER malware. The BATLOADER malware is dropped\r\nand executed during the software installation process.\r\nThis initial BATLOADER compromise was the beginning of a multi-stage infection chain that provides the\r\nattackers with a foothold inside the target organization. Every stage was prepared for the next phase of the attack\r\nchain, and legitimate tools such as PowerShell, Msiexec.exe, and Mshta.exe allow proxy execution of malicious\r\npayloads to avoid detection.\r\nCVE-2020-1599 Patch Bypass\r\nOne notable sample found in the attack chain was a file named “AppResolver.dll”. 
This DLL sample is a legitimate internal\r\ncomponent of the Microsoft Windows operating system, but with malicious VBScript\r\nembedded inside in a way that leaves the code signature valid. The DLL sample does not execute the VBScript\r\nwhen run by itself, but when run with Mshta.exe, Mshta.exe locates and executes the VBScript without any\r\nissues.\r\nThis issue most closely resembles CVE-2020-1599: the PE Authenticode signature remains valid after appending\r\nHTA-supported scripts signed by any software developer. These PE+HTA polyglots (.hta files) can be exploited\r\nthrough Mshta.exe to bypass security solutions that rely on Microsoft Windows code signing to decide if files are\r\ntrusted. This issue was patched as CVE-2020-1599.\r\nhttps://www.mandiant.com/resources/seo-poisoning-batloader-atera\r\nPage 1 of 12\n\nIn this case, we observed arbitrary script data appended to the signature section beyond the end of the ASN.1\r\nof a legitimately signed Windows PE file. The resultant polyglot file maintains a valid signature as long as the file\r\nhas a file extension other than '.hta'. This polyglot file will successfully execute the script contents if it is executed\r\nwith Mshta.exe, as Mshta.exe will skip the PE's bytes, locate the script at the end, and execute it. This evasion\r\ntechnique was used several times during the attack chain to change the host settings and to launch payloads.\r\nIn the later stages, goodware such as the Gpg4win utility, the NSUDO utility, ATERA, and SplashTop is seen\r\ninstalled as part of the attack chain of this campaign. These support remote access, privilege escalation,\r\nlaunching of payloads, encryption, and persistence. Malware such as BEACON and URSNIF was also deployed\r\nto provide backdoor and credential-stealing capabilities.\r\nAttack chain of the BATLOADER campaign\r\nAn Alternate Infection Chain\r\nAlternatively, the threat actor may deploy ATERA directly as the initial compromise. 
Similarly, through SEO\r\npoisoning, victims were lured to download an ATERA Agent Installation Package. The installer masquerades as\r\n“free legitimate software” to lure the victim into installing it onto the host for the initial compromise.\r\nATERA is Remote Monitoring and Management software. It provides IT automation, host, and network discovery\r\nfeatures. SplashTop is software that can be integrated into ATERA to provide remote access to a host. The\r\ninfection chain is as follows:\r\nA user performs a Google search and clicks a link to an actor-created page on a compromised website\r\n(Figure 1).\r\nFigure 1: Google search results with link to the actor-created content on the compromised website\r\nThe benign blog post (Figure 2) abuses a Traffic Direction System (TDS) to decide whether the user should be\r\ndirected to a webpage that masquerades as a message board on which a download link has been posted (Figure 3).\r\nFigure 2: Benign blog post\r\nFigure 3: Actor-created discussion board with malicious download link\r\nThe download link delivers the ATERA Agent Installer Package, named after the search term 
(Figure 4 and\r\nFigure 5).\r\nFigure 4: Atera Agent Installer Package named after the search term\r\nFigure 5: ATERA Agent Installer Package Masquerading as Microsoft Community Visual Studio 2015\r\nFigure 6 shows an example of the installation of an ATERA Agent masquerading as “Microsoft Community Visual Studio\r\n2015 Free.msi”.\r\nFigure 6: Installation of an Atera Agent\r\nAfter the successful ATERA Agent installation, Splashtop is downloaded to the C:\\Windows\\Temp\r\ndirectory and installed on the victim’s host to maintain persistence (Figure 7 and Figure 8).\r\nOnce the ATERA Agent is installed, the ATERA Remote Monitoring \u0026 Management\r\ncapabilities push down pre-configured scripts and tools such as Splashtop Streamer, which are installed and run\r\non the victim’s host in a real-time, automated fashion.\r\nFigure 7: Auto Deployment of the Splashtop Software\r\nThe ATERA Agent removes itself after the successful Splashtop Streamer installation. 
The default\r\nconfiguration of the Splashtop Streamer is set to AutoStart, running in the background and allowing connections\r\nto the victim’s host without security authentication, which is used to maintain persistence.\r\nFigure 8: Splashtop Streamer Default Configuration\r\nScripts were also pushed down by the ATERA Agent to perform malicious tasks such as disabling\r\nMicrosoft Windows Defender functionality and adding process and file exclusions to it (Figure 9 and\r\nFigure 10).\r\nFigure 9: Malicious script that consisted of disabling Microsoft Windows Defender functionalities\r\nFigure 10: Malicious script to download a further payload\r\nAttribution\r\nIn August 2021, a disgruntled CONTI affiliate leaked training documents, playbooks, and tools used to assist in\r\nCONTI ransomware operations. Mandiant has determined that some of the activity listed above overlaps with\r\ntechniques in the playbooks disclosed in August.\r\nAt this time, due to the public release of this information, other unaffiliated actors may be replicating the\r\ntechniques for their own motives and objectives. The victims seem to operate in a wide range of industries. The\r\nthreat group's motivations are currently unknown, but we suspect that the group is financially motivated based on\r\nthe seemingly industry-agnostic targeting leading to ransomware activity.\r\nManaged Defense Threat Hunting\r\nExperienced defenders from Managed Defense are constantly inspired by Mandiant’s global cyber threat\r\nintelligence and incident response experiences gained on the frontlines of the world’s most consequential cyber-attacks. Fueled by up-to-the-minute threat intelligence, the Managed Defense threat hunting team designs and\r\nconducts hunt missions to reveal the stealthiest threat actors. 
Mandiant threat hunting combines powerful data\r\nanalytics, automation and elite experts with intuition and frontline experience. You can follow our hunters as their\r\nwork unfolds in the Managed Defense portal. Each mission is mapped to the MITRE ATT\u0026CK framework and\r\nincludes related intelligence so you can take decisive action throughout your environment.\r\nTechnical Indicators \u0026 Warnings\r\nMD5\r\nNetwork Indicators\r\nYARA\r\nrule M_Hunting_Downloader_BATLOADER_1\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndate_created = \"2021-10-28\"\r\ndate_modified = \"2021-10-28\"\r\nversion = \"1.0\"\r\ndescription = \"Detects strings for BATLOADER sample\"\r\nmd5 = \"6cd13e6429148e7f076b479664084488\"\r\nstrings:\r\n$s1 = \"launch.bat\" ascii\r\n$s2 = \"Error writing to batch file:\" ascii\r\n$s3 = \"cmd.exe\" ascii\r\n$s4 = \"/C\" ascii\r\n$s5 = \"You entered an invalid email, please enter 
the email that was registered on website.\" ascii\r\ncondition:\r\nuint16(0) == 0x5A4D and filesize \u003e 4KB and filesize \u003c 5MB and all of them\r\n}\r\nMITRE ATT\u0026CK Mapping\r\nATT\u0026CK Tactic Category: Techniques\r\nReconnaissance: Search Open Websites/Domains (T1593.002); Search Engines (T1593.002)\r\nResource Development: Compromise Infrastructure (T1584); Stage Capabilities (T1608); Upload Malware (T1608.001); Develop Capabilities (T1587); Malware (T1587.001)\r\nInitial Access: Supply Chain Compromise (T1195)\r\nExecution: User Execution (T1204); Malicious File (T1204.002); Command and Scripting Interpreter (T1059); PowerShell (T1059.001); Windows Command Shell (T1059.003); Visual Basic (T1059.005)\r\nPersistence: Boot or Logon Autostart Execution (T1547); Registry Run Keys / Startup Folder (T1547.001)\r\nPrivilege Escalation: External Remote Services (T1133)\r\nDefense Evasion: Masquerading (T1036); Obfuscated Files or Information (T1027); Indicator Removal on Host (T1070); File Deletion (T1070.004); Signed Binary Proxy Execution (T1218); Mshta (T1218.005); Msiexec (T1218.007); Impair Defenses (T1562); Impair Defenses: Disable or Modify Tools (T1562.001)\r\nCredential Access: Steal or Forge Kerberos Tickets: Kerberoasting (T1558)\r\nDiscovery: System Information Discovery (T1082); System Network Configuration Discovery (T1016)\r\nCommand and Control: Remote Access Software (T1219)\r\nAcknowledgements\r\nSpecial thanks to Alip Asri for creating the IOCs for the Hunting Missions. 
Thanks also to Ana Maria Martinez Gomez,\r\nTufail Ahmed, Stephen Eckels, Dhanesh Kizhakkinan and Jacob Thompson for their assistance on the topic.\r\nSource: https://www.mandiant.com/resources/seo-poisoning-batloader-atera",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/seo-poisoning-batloader-atera"
	],
	"report_names": [
		"seo-poisoning-batloader-atera"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434766,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7c996279896c14ce8f999f64c57dcb45256b404.pdf",
		"text": "https://archive.orkl.eu/b7c996279896c14ce8f999f64c57dcb45256b404.txt",
		"img": "https://archive.orkl.eu/b7c996279896c14ce8f999f64c57dcb45256b404.jpg"
	}
}