{
	"id": "1b12d931-ebd5-459c-9bf5-e306ef0617ca",
	"created_at": "2026-04-10T03:21:21.087585Z",
	"updated_at": "2026-04-10T03:22:17.16903Z",
	"deleted_at": null,
	"sha1_hash": "daa19885b367dd2c6a3d21c13aeeaba0af07bbe1",
	"title": "Latest Batloader Campaigns Use Pyarmor Pro for Evasion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 186782,
	"plain_text": "Latest Batloader Campaigns Use Pyarmor Pro for Evasion\r\nBy Junestherry Dela Cruz\r\nPublished: 2023-08-07 · Archived: 2026-04-10 02:52:16 UTC\r\nIn June 2023, Trend Micro observed an upgrade to the evasion techniques used by the Batloader initial access\r\nmalware, which we’ve covered in previous blog entries. The group behind Batloader (which we named Water\r\nMinyades) has begun employing Pyarmor Pro — a more sophisticated version of the regular Pyarmor protector\r\ncommand-line tool — to obfuscate its main malicious Python scripts. Batloader previously used the standard\r\nversion of Pyarmor, which can be manually de-obfuscated using open-source scripts. Water Minyades had been\r\nusing Pyarmor since December 2022, likely because many antivirus engines lack an unpacker engine for Pyarmor\r\n(even the non-pro variant), making it difficult to detect these kinds of scripts.\r\nAside from this unique evasion technique, Batloader also uses a variety of other techniques to make it more\r\ndifficult to detect. One example of this is the use of large MSI files as a delivery vessel. Figure 1 shows an\r\nexample of this, with a 111MB Batloader MSI file.\r\nA custom action script that is used for starting Batloader's kill chain is usually included with these MSI files. In\r\nthe sample we analyzed, it executes a Batch file named Python2.bat. The MSI file executes the following\r\ncommand line:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c C:\\Users\\\\AppData\\Local\\Reo\\App\\Python\\Python2.bat\r\nFigure 2 shows the content of the Python2.bat file. To summarize, the file will check if it has admin rights to the\r\nvictim machine. If not, it will execute a User Account Control (UAC) prompt via a file named getadmin.vbs. 
Once\r\nit has obtained admin rights, it will silently install WinRAR using a renamed installer (r.exe) and expand the\r\nopenssl.zip and frameworkb.rar archives, which are files used for the next stages of Batloader’s execution chain.\r\nThe files framework.py, frameworkb.py, and the customized Python runtime environment libraries from the\r\nPyarmor Pro application are extracted from the archive file named frameworkb.rar. These Pyarmor-protected\r\nscripts will be executed by the Batloader malware.\r\nFigure 3. Extracting files and a library from the “frameworkb.rar” file\r\nhttps://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html\r\nPage 1 of 3\n\nFigure 4 shows the snippet from one of the Pyarmor-protected scripts. Note that the top portion of the script\r\ndenotes that it was made using Pyarmor Pro 8.2.8 and that it’s designed to load customized Python libraries from\r\nthe directory pyarmor_runtime_005214.\r\nLooking at the execution chain of frameworkb.py as seen from Trend Vision One™ (Figure 5), we can observe\r\nthat when the frameworkb.py script is executed by cmd.exe, the script will attempt to fingerprint the network\r\ninfrastructure of the victim environment by executing arp.exe, mapping IP addresses to MAC addresses and\r\nretrieving the domain name via the WMI command-line (WMIC) utility. This information is then sent to the\r\ncommand-and-control (C\u0026C) server, which is countingstatistic[.]com in this case.\r\nFigure 5. The execution chain of frameworkb.py as seen from the Trend Vision One console\r\nThe other Python file, named framework.py, will also be executed once the second stage payload from the C\u0026C\r\nserver is delivered. 
Based on previous Batloader attacks, this can be any malware, with the most observed being\r\nUrsnif, Vidar and Redline Stealer.\r\nAs shown in the Vision One console screenshot seen in Figure 6, the following kill chain occurs when\r\nframework.py is executed:\r\n(1): Python executes framework.py using the following command:\r\ncmd /c python.exe framework.py\r\n(2): OpenSSL is used to decrypt the downloaded file (a.exe.enc) using AES-256 encryption in cipher-block\r\nchaining (CBC) mode with the password tor92SS2jds.\r\nThe decrypted result is then saved in the file named control.exe, which is executed by cmd.exe:\r\ncmd /c \"openssl enc -aes-256-cbc -d -in a.exe.enc -out control.exe -pbkdf2 -pass pass:tor92SS2jds\"\r\n(3, 4, and 5): The victim’s network infrastructure is fingerprinted using the following commands:\r\nwhoami /groups\r\nC:\\Windows\\system32\\cmd.exe /c \"arp -a\"\r\nwmic computersystem get domain\r\nConclusion\r\nBatloader is a highly active initial access malware that can be used to deliver other malware, often ultimately\r\nleading to dangerous ransomware like Royal and BlackSuit. Furthermore, it is a stealthy malware,\r\nemploying several evasion routines to elude detection engines. This includes techniques such as abusing digital\r\nsignatures, using large installer sizes as a vessel to evade engines that have file size limits and, as discussed in this\r\nblog entry, incorporating tools such as PyArmor Pro to obfuscate its primary Python scripts.\r\nTrend Micro solutions\r\nOrganizations can reduce the impact of malware such as Batloader by employing comprehensive detection and\r\nresponse technologies such as the Trend Vision One platform. 
This solution offers robust extended detection and\r\nresponse (XDR) functionalities, gathering and intelligently connecting information from various security layers —\r\nencompassing email, endpoints, servers, cloud operations, and networks, thwarting potential security incidents and\r\nensuring that they don’t go unnoticed.\r\nTrend Vision One customers can use the following hunting query to search for this specific Batloader threat:\r\nGo to Search App \u003e General \u003e Search\r\nparentCmd:\"cmd /c python.exe framework*\"\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html"
	],
	"report_names": [
		"batloader-campaigns-use-pyarmor-pro-for-evasion.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791281,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/daa19885b367dd2c6a3d21c13aeeaba0af07bbe1.pdf",
		"text": "https://archive.orkl.eu/daa19885b367dd2c6a3d21c13aeeaba0af07bbe1.txt",
		"img": "https://archive.orkl.eu/daa19885b367dd2c6a3d21c13aeeaba0af07bbe1.jpg"
	}
}