{"id":50144,"date":"2023-01-17T00:00:00","date_gmt":"2023-01-17T00:00:00","guid":{"rendered":"urn:uuid:1073efbe-42f1-3595-3f77-0f728faf9a7a"},"modified":"2023-01-17T00:00:00","modified_gmt":"2023-01-17T00:00:00","slug":"batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/","title":{"rendered":"Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Batloader-Malware-Abuses-Legitimate-Tools-Uses-Obfuscated-JavaScript-Files-in-Q4-2022-Attacks-641.png\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,endpoints,research,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2023-01-17\"> <meta property=\"article:tag\" content=\"malware\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" 
href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/a\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html\"> <title>Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/a\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html\"><br \/>\n<meta property=\"og:title\" content=\"Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks\"><br \/>\n<meta property=\"og:description\" content=\"We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Batloader-Malware-Abuses-Legitimate-Tools-Uses-Obfuscated-JavaScript-Files-in-Q4-2022-Attacks-641.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks\"><br \/>\n<meta name=\"twitter:description\" content=\"We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events 
(This is the intrusion set we track behind the creation of Batloader).\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Batloader-Malware-Abuses-Legitimate-Tools-Uses-Obfuscated-JavaScript-Files-in-Q4-2022-Attacks-641.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.341556863845\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"203373555\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7985074626866\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.149253731343\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).<\/p>\n<p class=\"article-details__author-by\">By: Junestherry Dela Cruz <time class=\"article-details__date\">January 17, 2023<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" 
readability=\"42.336661911555\">\n<div readability=\"31.752496433666\">\n<p>We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).<\/p>\n<p>Batloader (detected by Trend Micro as Trojan.Win32.BATLOADER) is an initial access malware family that is known for using malvertising techniques and using script-based malware inside Microsoft Software Installation (MSI) packages downloaded from legitimate-looking-yet-malicious websites. Earlier this year, Mandiant researchers observed Batloader using <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/seo-poisoning-batloader-atera\" target=\"_blank\" rel=\"noopener\">search engine optimization (SEO) poisoning techniques<\/a> in its attacks.<\/p>\n<p>Batloader is associated with an intrusion set that we have dubbed \u201cWater Minyades.\u201d The actors behind Water Minyades are known for delivering other malware during the last quarter of 2022, such as Qakbot, RaccoonStealer, and Bumbleloader, via social engineering techniques.<\/p>\n<p>In this blog entry, we discuss notable Batloader campaigns that we\u2019ve observed in the last quarter of 2022, including the abuse of custom action scripts from the Advanced Installer software and Windows Installer XML (WiX) toolset, the use of obfuscated JavaScript files as a first-stage payload, and the use of the PyArmor tool to obfuscate Batloader Python scripts. 
We also shed light on noteworthy Water Minyades-related events and give a detailed technical analysis of Batloader.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"47.660364464692\">\n<div class=\"responsive-table-wrap\" readability=\"41.272892938497\">\n<h2><span class=\"body-subhead-title\">Batloader\u2019s Capabilities<\/span><\/h2>\n<p>The table below summarizes the capabilities of Batloader:<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody readability=\"30.5\">\n<tr>\n<td>Capability<\/td>\n<td>Description<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Anti-sandbox<\/td>\n<td>Batloader is usually inflated to a very large size by being bundled with a legitimate installer file. This can prevent sandboxes with file size limits from properly detonating and observing the behavior of the file.<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>Fingerprints host<\/td>\n<td>Batloader fingerprints the host to determine if it is a legitimate victim. It checks for environment artifacts such as the user name, the computer name, and whether the host is domain-joined.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td>Communicates with C&amp;C<\/td>\n<td>Batloader is a modular malware that communicates with its C&amp;C server and has been observed to drop malware according to the specifications of the victim host it has infected. 
If the victim host belongs to an enterprise environment, it is more likely to drop remote management tool Atera and Cobalt Strike beacon, which would then lead to ransomware deployment.<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>Stops security software services<\/td>\n<td>Batloader executes open-sourced scripts that attempt to stop services related to security software, such as Windows Defender.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Escalates privileges<\/td>\n<td>Batloader abuses legitimate tools like NirCmd.exe and Nsudo.exe to escalate privileges.<\/td>\n<\/tr>\n<tr readability=\"12\">\n<td>Evades antivirus (AV) solutions<\/td>\n<td>Batloader uses different techniques to attempt evading antivirus solutions, such as hyperinflating MSI file sizes for antivirus engines that have file size limits, using noticeably short modular scripts that can be hard to structurally detect, acquiring legitimate digital signatures for the MSI files, obfuscating scripts connecting to the Batloader command and control (C&amp;C) servers, and abusing legitimate file sharing services to host malware payloads.<\/td>\n<\/tr>\n<tr readability=\"9\">\n<td>Installs other components<\/td>\n<td>Batloader uses a modular approach wherein the first-stage payload of the campaign is usually an MSI file bundled with custom action scripts. The other components of the campaign, including the legitimate tools it will download to escalate its privileges and download other malware, will be downloaded by these scripts.<\/td>\n<\/tr>\n<tr readability=\"16\">\n<td>Installs additional malware<\/td>\n<td>Batloader has been observed to drop several malware payloads, such as Ursnif, Vidar, Bumbleloader, RedLine Stealer, ZLoader, Cobalt Strike, and SmokeLoader. It can also drop legitimate remote management tools, such as Syncro and Atera. 
We have also seen Batloader being a key enabler for Royal ransomware, the second-most prevalent ransomware family we have been observing recently.&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 1. Batloader&#8217;s capabilities<\/p>\n<h2><span class=\"body-subhead-title\">Examining the Water Minyades Intrusion Set<\/span><\/h2>\n<p>Water Minyades is known for heavily relying on defense evasion techniques, one of which is deploying payloads with very large file sizes to evade sandbox analysis and antivirus engines\u2019 file size limits. Water Minyades also abuses legitimate tools, such as system management tool NSudo and email and file encryption tool Gpg4win, to elevate privileges and decrypt malicious payloads. This intrusion set also abuses MSI files\u2019 legitimate digital signatures, exploits vulnerabilities related to Windows\u2019 <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/seo-poisoning-batloader-atera\" target=\"_blank\" rel=\"noopener\">PE Authenticode signatures<\/a> to execute malicious scripts that have been appended to signed DLLs (dynamic-link libraries) and uses scripts that can be easily modified to evade scanning engines that rely on structural signature detection techniques.<\/p>\n<p>Using Trend Micro\u2122 Smart Protection Network\u2122 (SPN) feedback data, we determined that Batloader attacks are mostly deployed in the United States, Canada, Germany, Japan, and the United Kingdom.<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<caption>&nbsp;<\/caption>\n<tbody>\n<tr>\n<td>Country<\/td>\n<td>Percentage of Attacks<\/td>\n<\/tr>\n<tr>\n<td>United States<\/td>\n<td>61<\/td>\n<\/tr>\n<tr>\n<td>Canada<\/td>\n<td>8<\/td>\n<\/tr>\n<tr>\n<td>Germany<\/td>\n<td>8<\/td>\n<\/tr>\n<tr>\n<td>Japan<\/td>\n<td>4<\/td>\n<\/tr>\n<tr>\n<td>United 
Kingdom<\/td>\n<td>3<\/td>\n<\/tr>\n<tr>\n<td>Australia<\/td>\n<td>2<\/td>\n<\/tr>\n<tr>\n<td>Brazil<\/td>\n<td>2<\/td>\n<\/tr>\n<tr>\n<td>Netherlands<\/td>\n<td>2<\/td>\n<\/tr>\n<tr>\n<td>Poland<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>Singapore<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>Others<\/td>\n<td>8<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 2. Distribution of Batloader attacks in Q4 2022<\/p>\n<p>After tracking the activities related to Water Minyades and back tracking since early 2020, we were able to determine several noteworthy events in this timeline:<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<caption>&nbsp;<\/caption>\n<tbody readability=\"14.64213836478\">\n<tr readability=\"2\">\n<td>Period<\/td>\n<td>Water Minyades attack details<\/td>\n<\/tr>\n<tr readability=\"5.6385542168675\">\n<td>H2 2020<\/td>\n<td>An open-source intelligence report indicates that this was when the intrusion set became active. During this time, the group\u2019s most dropped payload was the Smokeloader malware, and it also heavily used exploit kits such as <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2020\/09\/malvertising-campaigns-come-back-in-full-swing\" target=\"_blank\" rel=\"noopener\">Rig and Fallout<\/a>.<\/td>\n<\/tr>\n<tr readability=\"6.7377521613833\">\n<td>Oct. 2020<\/td>\n<td>The group behind the intrusion set stopped using exploit kits in favor of social engineering schemes, which meant that targets were no longer limited to Internet Explorer users. They posted malicious advertisements on <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2020\/11\/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme\" target=\"_blank\" rel=\"noopener\">porn websites<\/a> to lure victims into downloading a fake Java MSI, which then led to the deployment of Zloader payloads.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"6.6901408450704\">\n<td>Feb. 
2022<\/td>\n<td>The group behind Water Minyades distributed Batloader using SEO poisoning techniques to trick victims into downloading legitimate software and applications that were trojanized with malware script. During this time, Batloader dropped Zloader and legitimate remote-management tool Atera to enterprise victim machines. Batloader was also observed using the PE (portable executable) <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/seo-poisoning-batloader-atera\" target=\"_blank\" rel=\"noopener\">polyglotting technique<\/a>, which is the process of executing signed DLL files with appended malicious scripts.<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>Sep. 2022<\/td>\n<td>Initial Batloader infections were observed to have led to Cobalt Strike deployments and Royal ransomware infections.<\/td>\n<\/tr>\n<tr readability=\"2.3006134969325\">\n<td>Oct. 2022<\/td>\n<td>Water Minyades actors abused Google Ads and the legitimate <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/17\/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads\/\" target=\"_blank\" rel=\"noopener\">Keitaro Traffic Direction System (TDS)<\/a> to redirect victims into downloading Batloader malware.<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>Dec. 2022<\/td>\n<td>Water Minyades actors used JavaScript instead of MSI files as a first-stage payload. The group eventually obfuscated the downloader of the JavaScript files.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 3. Water Minyades\u2019 noteworthy events from 2020 to 2022<\/p>\n<h2><span class=\"body-subhead-title\">A Technical Analysis of Batloader<\/span><\/h2>\n<p>Batloader usually arrives via malicious websites that impersonate legitimate software or applications. 
Victims can be redirected to these websites via malvertising techniques and fake comments on forums containing links that lead to Batloader distribution websites.<\/p>\n<p>Based on our investigation, we determined that Batloader impersonates a slew of legitimate software and application websites in its campaign:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Adobe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; AnyDesk<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Audacity<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Blender<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; CCleaner<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; FileZilla<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Fortinet<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Foxit<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; GetNotes<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Google Editor<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Grammarly<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Java<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; KMSAuto<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; LogmeIn<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Luminar<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Minersoft<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; 
&nbsp; &nbsp; Putty<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Schwab<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Slack<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; TeamViewer<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; TradingView<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; uTorrent<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; WinRAR<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Zoho<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Zoom<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure1-batloader-q4-abuse-legitimate-tools-javascript-files.jpg\" alt=\"Examples of malicious websites that distribute Batloader\"><figcaption>Figure 1. 
Examples of malicious websites that distribute Batloader<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>When victims select the \u201cInstall\u201d or \u201cDownload\u201d option, the Batloader package will be downloaded to the system as a .ZIP file.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure2-batloader-q4-abuse-legitimate-tools-javascript-files.png\" alt=\"The Batloader package\"><figcaption>Figure 2. The Batloader package<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure3-batloader-q4-abuse-legitimate-tools-javascript-files.jpg\" alt=\"Typical Batloader kill chain \"><figcaption>Figure 3. Typical Batloader kill chain <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.5\">\n<div readability=\"26\">\n<p>The stages below are typical Water Minyades tactics, techniques, and procedures (TTPs) but may vary slightly over time.<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody readability=\"18\">\n<tr>\n<td>Stage<\/td>\n<td>Stage No.&nbsp;<\/td>\n<td>Description<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Arrival<\/td>\n<td>1<\/td>\n<td>Water Minyades actors create malicious advertisements that abuse legitimate services such as Google Ads and Keitaro TDS. 
These malicious advertisements lead victims to malicious websites that aim to resemble the legitimate websites of popular software and applications.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td rowspan=\"3\">Infection<\/td>\n<td>2<\/td>\n<td>Victims are lured into installing a malicious file from the fake website. Based on recent Water Minyades activities, this can take the form of an MSI, VHD (Virtual Hard Disk), VHDX (Virtual Hard Disk v2), or a JavaScript file.<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>3<\/td>\n<td>Earlier campaigns that used MSI files were observed to drop PE polyglot binaries containing malicious appended scripts. These scripts can be executed by MSHTA.exe due to a vulnerability in the PE Authenticode verification process. The MSI and VHD files usually contain a custom action script that is designed to connect to Batloader\u2019s C&amp;C server to download the next-stage payload.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>4<\/td>\n<td>Water Minyades\u2019 C&amp;C server will decide which payload to drop.<\/td>\n<\/tr>\n<tr readability=\"10\">\n<td rowspan=\"3\">Post-infection<\/td>\n<td>\n<p>5<\/p>\n<\/td>\n<td>Batloader can install different malware families, such as:<\/p>\n<ul>\n<li>&nbsp;<\/li>\n<li><span class=\"rte-red-bullet\"><span data-rte-class=\"rte-temp\"><b>&nbsp; &nbsp; &nbsp; &nbsp;<\/b>Bumble Loader<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;Cobalt Strike<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;Qakbot<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;Raccoon Stealer<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;RedLine Stealer<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;Smoke Loader<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;System BC<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;Ursnif 
(Bot)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;Vidar (Stealer)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;ZLoader<\/span><\/li>\n<\/ul>\n<p>Based on our observations, these malware families\u2019 payloads are typically hyperinflated in size and are encrypted. Batloader can also install the following legitimate applications to aid with other stages of the kill chain, such as privilege escalation and defense evasion:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Nsudo \u2013 Is abused to run processes with elevated privileges<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Gpg4win \u2013 Is abused to decrypt next-stage payloads downloaded by Batloader.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">NirCmd \u2013 Is a command-line utility tool<\/span><\/li>\n<li><span class=\"rte-red-bullet\">PowerShell \u2013 Is abused to run malicious PowerShell scripts<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MsiExec.exe \u2013 Is abused to run MSI files with malicious custom action scripts<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Mshta.exe \u2013 Is abused to execute malicious code appended to PE files<\/span><\/li>\n<\/ul>\n<p>Batloader also abuses legitimate remote admin tools, such as Syncro and Atera, to facilitate ransomware deployment.<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>6<\/td>\n<td>Second-stage malware like Ursnif, Cobalt Strike Beacon, and Bumblebee usually connect to their own C&amp;C server to execute follow-on activities.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>7<\/td>\n<td>Follow-on activities can include the deployment of ransomware families such as Royal.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 4. Water Minyades attack stages<\/p>\n<h2><span class=\"body-subhead-title\">Batloader\u2019s Notable Q4 Campaigns<\/span><\/h2>\n<p>In this section, we identify the different campaigns\u2019 techniques observed. 
We see from the campaigns above that although the Batloader malware is predominantly script-based, this intrusion set continuously finds ways to evade detection and improve its anti-analysis techniques by using legitimate tools to hide and obfuscate its scripts.<\/p>\n<p><b>&nbsp;Abuse of custom action scripts of the Advanced Installer software<\/b><\/p>\n<p>We have observed that some Batloader MSI packages were used to abuse a legitimate installer file via a custom action PowerShell script. Potentially, this was carried out by abusing the Advanced Installer software\u2019s 30-day free trial application form.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure4-batloader-q4-abuse-legitimate-tools-javascript-files.png\" alt=\"Advanced Installer\u2019s 30-day free trial form abused by Water Minyades actors\"><figcaption>Figure 4. Advanced Installer\u2019s 30-day free trial form abused by Water Minyades actors<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure5-batloader-q4-abuse-legitimate-tools-javascript-files.png\" alt=\"An example of an MSI file with a custom action PowerShell script viewed using the PE Studio tool\"><figcaption>Figure 5. 
An example of an MSI file with a custom action PowerShell script viewed using the Pe Studio tool<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>In Figure 6, we can see that the Batloader script was launched via the \u201cPowerShellScriptLauncher.dll\u201d file that was created using the Advanced Installer software.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure6-batloader-q4-abuse-legitimate-tools-javascript-files.png\" alt=\"Batloader script launched via \u201cPowerShellScriptLauncher.dll\u201d\"><figcaption>Figure 6. Batloader script launched via \u201cPowerShellScriptLauncher.dll\u201d<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure7-batloader-q4-abuse-legitimate-tools-javascript-files.jpg\" alt=\"Batloader kill chain using compromised MSI package\"><figcaption>Figure 7. 
Batloader kill chain using compromised MSI package<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>From our tracking, this technique was used in a number of campaigns between September 2022 and December 2022.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure8-batloader-q4-abuse-legitimate-tools-javascript-files.jpg\" alt=\"Batloader C&amp;C server activities abusing Advanced Installer software. Data taken from Trend Micro SPN.\"><figcaption>Figure 8. Batloader C&amp;C server activities abusing Advanced Installer software. Data taken from Trend Micro SPN.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p><b>Abuse of Windows Installer XML Toolset&nbsp;<\/b><\/p>\n<p>Another tool that was recently abused by Water Minyades actors was the WiX toolset.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure9-batloader-q4-abuse-legitimate-tools-javascript-files.png\" alt=\"An example of an MSI file created using the WiX toolset viewed using the PE Studio tool\"><figcaption>Figure 9. An example of an MSI file created using the WiX toolset viewed using the PE Studio tool<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>Using this toolset, malicious actors can insert a custom action script and identify when it will be executed. 
In Figure 10, we can see that the custom action &#8220;checkforupdate.bat&#8221; will be executed, which will also drop and execute additional malicious scripts inside the \u201cupdate.zip\u201d file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure10-batloader-q4-abuse-legitimate-tools-javascript-files.png\" alt=\"A custom action created using the WiX toolset\"><figcaption>Figure 10. A custom action created using the WiX toolset<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure11rev-batloader-q4-abuse-legitimate-tools-javascript-files.jpg.png\" alt=\"Snippet of code from checkforupdate.bat\u2019s follow-on activities\"><figcaption>Figure 11. Snippet of code from checkforupdate.bat\u2019s follow-on activities<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>We also observed a significant number of campaigns using this technique during the month of&nbsp;November 2022.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure11-batloader-q4-abuse-legitimate-tools-javascript-files.jpg\" alt=\"Batloader C&amp;C server activities abusing Windows Installer XML Toolset. Data taken from Trend Micro SPN.\"><figcaption>Figure 12. 
Batloader C&amp;C server activities abusing Windows Installer XML Toolset. Data taken from Trend Micro SPN.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<p><b>Use of JavaScript files instead of MSI files in campaigns<\/b><\/p>\n<p>Starting November 27, 2022, we observed that Water Minyades actors switched to using JavaScript files instead of MSI files as the initial Batloader payload.<\/p>\n<p>This technique uses small-sized JavaScript files that have straightforward commands, ones that are also used for non-malicious purposes. This is in direct contrast to the technique used with MSI files, wherein MSI file sizes are hyperinflated to evade scanning engines with file size limitations.<\/p>\n<p>From a detection point of view, this can also pose as a challenge because the only malicious parts of the file are the C&amp;C URLs themselves, since a structure-based detection algorithm can also detect non-malicious JavaScript files.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure12-batloader-q4-abuse-legitimate-tools-javascript-files.png\" alt=\"Contents of a Batloader JavaScript file named \u201cInstallerV61.js\u201d\"><figcaption>Figure 13. 
Contents of a Batloader JavaScript file named \u201cInstallerV61.js\u201d<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>This highlights the need for a multilayered security solution, one that can successfully detect malicious artifacts related to Batloader campaigns.<\/p>\n<p>After a few days of analyzing this Batloader campaign, we have observed that the malicious actors behind it have obfuscated the JavaScript files as an additional detection evasion measure.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure13-batloader-q4-abuse-legitimate-tools-javascript-files.png\" alt=\"An obfuscated Batloader JavaScript file\"><figcaption>Figure 14. An obfuscated Batloader JavaScript file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure14-batloader-q4-abuse-legitimate-tools-javascript-files.jpg\" alt=\"A typical execution chain for the JavaScript Batloader campaign\"><figcaption>Figure 15. 
A typical execution chain for the JavaScript Batloader campaign<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>Based on the distribution domains used in this campaign, we believe that this campaign was launched during Black Friday:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;logmeinofferblackfriday[.]com<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;anydeskofferblackfriday[.]com<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;zoomofferblackfriday[.]com<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;slackcloudservices[.]com<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp; &nbsp; &nbsp; &nbsp;anydeskofferblackfriday[.]com<\/span><\/li>\n<\/ul>\n<p>According to our telemetry, a significant number of campaigns used this technique between the end of November to the first week of December 2022.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure15-batloader-q4-abuse-legitimate-tools-javascript-files.jpg\" alt=\"Batloader C&amp;C server activities abusing JavaScript downloaders. Data taken from Trend Micro SPN.\"><figcaption>Figure 16. Batloader C&amp;C server activities abusing JavaScript downloaders. Data taken from Trend Micro SPN.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.626801152738\">\n<div readability=\"18.808357348703\">\n<p><b>Use of PyArmor tool to obfuscate Batloader Python script<\/b><\/p>\n<p>After the JavaScript campaigns of Batloader, we observed since the second week of December 2022 that the group abused the Advanced Installer Software again. 
This time the malicious file that it executed in the end is a Python script protected with <a href=\"https:\/\/pyarmor.readthedocs.io\/en\/latest\/\" target=\"_blank\" rel=\"noopener\">PyArmor<\/a>.<\/p>\n<p>We found a sample MSI file (SHA256: 2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331), which is a trojanized Chat Mapper installer masquerading as an Anydesk.msi installer. This installer was created using Advanced Installer application, and one of its customized actions is to execute a file called \u201cviewer.exe\u201d with the command line \u201c#InstallPython.bat\u201d.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure16-batloader-q4-abuse-legitimate-tools-javascript-files.png\" alt=\"Custom Action script of the latest Batloader campaign observed in Q4 2022\"><figcaption>Figure 17. Custom Action script of the latest Batloader campaign observed in Q4 2022<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The file InstallPython.bat will install Python 3.9.9, copy and extract the openssl.zip archive, and run the PyArmor encrypted Python script named main4.py.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure17-batloader-q4-abuse-legitimate-tools-javascript-files.png\" alt=\"InstallPython.bat\"><figcaption>Figure 18. 
InstallPython.bat<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>PyArmor is a free-with-restrictions command line tool that can be used to obfuscate Python scripts. The obfuscated Python file in this case is named main4.py:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure18-batloader-q4-abuse-legitimate-tools-javascript-files.png\" alt=\"Batloader PyArmor-protected Python script\"><figcaption>Figure 19. Batloader PyArmor-protected Python script<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.529247910864\">\n<div readability=\"10.509749303621\">\n<p>Deobfuscating this script using the techniques identified by <a href=\"https:\/\/github.com\/Svenskithesource\/PyArmor-Unpacker\" target=\"_blank\" rel=\"noopener\">PyArmor Unpacker<\/a>, we see that this script connects to the Batloader C&amp;C updateclientssoftware[.]com. We\u2019ve observed this Batloader C&amp;C server active from the second week of December until the second week of January 2023. We are continuously monitoring this campaign for any additional activities.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure19-batloader-q4-abuse-legitimate-tools-javascript-files.png\" alt=\"Connecting to the Batloader C&amp;C\"><figcaption>Figure 20. 
Connecting to the Batloader C&amp;C<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><span class=\"body-subhead-title\">Batloader\u2019s C&amp;C Activities in Q4 2022<\/span><\/p>\n<p>We started observing an increase in Water Minyades activity in September 2022, which was also the time when we started seeing Batloader deploying Royal ransomware to its victims. The number of attacks peaked from November until the first week of December 2022.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure20-batloader-q4-abuse-legitimate-tools-javascript-files.jpg\" alt=\"Batloader requests to C&amp;C domain from October to December 2022. Data taken from Trend Micro SPN.\"><figcaption>Figure 21. Batloader requests to C&amp;C domain from October to December 2022. Data taken from Trend Micro SPN.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/figure21-batloader-q4-abuse-legitimate-tools-javascript-files.jpg\" alt=\"Most requested Batloader C&amp;C domains from October to December 2022. Data taken from Trend Micro SPN.\"><figcaption>Figure 22. Most requested Batloader C&amp;C domains from October to December 2022. 
Data taken from Trend Micro SPN.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"43.214285714286\">\n<div readability=\"32.410714285714\">\n<p>The C&amp;C domain with the most number of requests for Q4 2022 is \u201cinstallationupgrade6[.]com.\u201d Interestingly, this was the first C&amp;C domain used in the Batloader campaign via JavaScript droppers and Black Friday Sale-related malicious distribution websites.<\/p>\n<p>This could mean that victims are more likely to fall for malvertising campaigns that promote sales or discounts. This highlights the massive impact social engineering lures have on the success of these malicious campaigns.<\/p>\n<h2><span class=\"body-subhead-title\">Conclusion<\/span><\/h2>\n<p>Based on our investigation, Batloader is a highly evasive and evolutionary malware family capable of deploying different types of malware, including loaders, bots, and ransomware. Batloader tricks victims by using different malvertising and social engineering techniques to distribute malicious payloads.<\/p>\n<p>Batloader is a prime example of a modern malware and a modular threat, and protecting systems against it requires not just one defensive strategy, but a robust and multilayered solution that provides shared visibility from a central place. <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\">Trend Micro Vision One\u2122<\/a> is a technology that can provide powerful XDR capabilities that collect and automatically correlate data across multiple security layers \u2014 from email and endpoints to servers, cloud workloads, and networks. 
Trend Vision One can prevent attacks via automated protection, while also ensuring that no significant incidents go unnoticed.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"43\">\n<div class=\"responsive-table-wrap\" readability=\"31\">\n<p>URLs<\/p>\n<p>105105105015[.]com&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Batloader C&amp;C server<\/p>\n<p>24xpixeladvertising[.]com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Batloader C&amp;C server<\/p>\n<p>clodtechnology[.]com&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Batloader C&amp;C server<\/p>\n<p>cloudupdatesss[.]com&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Batloader C&amp;C server<\/p>\n<p>externalchecksso[.]com&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Batloader C&amp;C server<\/p>\n<p>grammarlycheck2[.]com&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Batloader C&amp;C server<\/p>\n<p>installationsoftware1[.]com&nbsp;&nbsp; Batloader C&amp;C server<\/p>\n<p>installationupgrade6[.]com&nbsp;&nbsp;&nbsp; Batloader C&amp;C server<\/p>\n<p>internalcheckssso[.]com&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Batloader C&amp;C server<\/p>\n<p>t1pixel[.]com&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Batloader C&amp;C server<\/p>\n<p>updatea1[.]com&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Batloader C&amp;C server<\/p>\n<p>updateclientssoftware[.]com Batloader C&amp;C server<\/p>\n<p>updatecloudservice1[.]com&nbsp;&nbsp;&nbsp; Batloader C&amp;C server<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody readability=\"26\">\n<tr>\n<td><b>SHA256<\/b><\/td>\n<td><b>Description<\/b><\/td>\n<td><b>Detection<\/b><\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>23373654d02cb7eace932609826cca4f82fcac67ca44b9328baba385acc00c67 &#8211; Component of 2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331<\/td>\n<td>Batloader 
File<\/td>\n<td>Trojan.BAT.BATLOADER.A<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>f8f3f22425ea72fafba5453c70c299367bd144c95e61b348d1e6dda0c469e219 &#8211; Component of 2e65cfebde138e4dd816d3e8b8105e796c4eb38cfa27015938c0445ee5be8331<\/td>\n<td>Batloader File<\/td>\n<td>Trojan.Python.BATLOADER.A<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc<\/td>\n<td>Batloader File<\/td>\n<td>Trojan.JS.BATLOADER.SMYXCLAZ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>91730741d72584f96ccba99ac9387e09b17be6d64728673871858ea917543c1e<\/td>\n<td>Batloader File<\/td>\n<td>Trojan.JS.BATLOADER.SMYXCLAZ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>aef18b7ab1710aaeb0d060127750ba9d17413035309ec74213d538fb1b1bdf79<\/td>\n<td>Batloader File<\/td>\n<td>Trojan.JS.BATLOADER.SMYXCLAZ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>e7735cb541e7afd50759eae860b7d1a43d627fbf5cd96d016241084e91659817<\/td>\n<td>Batloader File<\/td>\n<td>Trojan.JS.BATLOADER.SMYXCLAZ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>23a5981d086242349f6e3476eff11ea3244cebef3d65c76c7bc74470c1ec4b49<\/td>\n<td>Batloader File<\/td>\n<td>Trojan.Win32.BATLOADER.SMYXCK3Z<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>3707ad9d9ea318757883ede9691e5c4e8d778c839a056f8b4a94ed47a76da2c8<\/td>\n<td>Batloader File<\/td>\n<td>Trojan.Win32.BATLOADER.SMYXCK3Z<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>86f6af51d30159f4d2e00ed733a88dc05cc5dd846b1b2d1ba30582f6e33ac998<\/td>\n<td>Batloader File<\/td>\n<td>Trojan.Win32.BATLOADER.SMYXCK3Z<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>b28047cda1c688c844f676e94770c08cf570f4d65fa4c5e4454ae449c2439e3f<\/td>\n<td>Batloader File<\/td>\n<td>Trojan.Win32.BATLOADER.SMYXCK3Z<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>e1dcc098a6585dbbf4df64f09f8e8508e218485e1958fe6fe04b91547e109a83<\/td>\n<td>Batloader File<\/td>\n<td>Trojan.Win32.BATLOADER.SMYXCK3Z<\/td>\n<\/tr>\n<tr 
readability=\"4\">\n<td>e528cb5e7a2d04269d955ce771b7326bae929355807039f49106126b1a5ff227<\/td>\n<td>Batloader File<\/td>\n<td>Trojan.Win32.FRS.VSNW1DK22\/Trojan.PS1.BATLOADER.SMYXCK3Z<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>fcbfbc2ae4ed3e51631ecb3184004d96f0a6fd5e9de55400dedfa6b5cafc7c41<\/td>\n<td>Batloader File<\/td>\n<td>Trojan.Win32.FRS.VSNW1DK22\/Trojan.PS1.BATLOADER.SMYXCK3Z<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/a\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader). 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":50145,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9509],"class_list":["post-50144","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-01-17T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Batloader-Malware-Abuses-Legitimate-Tools-Uses-Obfuscated-JavaScript-Files-in-Q4-2022-Attacks-641.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"17 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks\",\"datePublished\":\"2023-01-17T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\\\/\"},\"wordCount\":3393,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/01\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : 
Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\\\/\",\"name\":\"Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/01\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks.jpg\",\"datePublished\":\"2023-01-17T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/01\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/01\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks.jpg\",\"width\":1076,\"height\":1277},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity 
News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https
:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/","og_locale":"en_US","og_type":"article","og_title":"Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-01-17T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Batloader-Malware-Abuses-Legitimate-Tools-Uses-Obfuscated-JavaScript-Files-in-Q4-2022-Attacks-641.png","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"17 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 
Attacks","datePublished":"2023-01-17T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/"},"wordCount":3393,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/01\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/","url":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/","name":"Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/01\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks.jpg","datePublished":"2023-01-17T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | 
Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/01\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/01\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks.jpg","width":1076,"height":1277},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javascript-files-in-q4-2022-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat 
Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=50144"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50144\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/50145"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=50144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=50144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=50144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
