{"id":53075,"date":"2023-08-07T00:00:00","date_gmt":"2023-08-07T00:00:00","guid":{"rendered":"urn:uuid:3fdb21bd-5be0-960b-da57-2269023a57a9"},"modified":"2023-08-07T00:00:00","modified_gmt":"2023-08-07T00:00:00","slug":"latest-batloader-campaigns-use-pyarmor-pro-for-evasion","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/","title":{"rendered":"Latest Batloader Campaigns Use Pyarmor Pro for Evasion"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/batloader-pyarmor-cover:Large?qlt=80\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.64742406444\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1657041328\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7436708860759\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.917721518987\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">In June 2023, Trend Micro observed an upgrade to the evasion techniques used by the Batloader initial access malware, which we\u2019ve covered in previous blog entries.<\/p>\n<p class=\"article-details__author-by\">By: Junestherry Dela Cruz <time class=\"article-details__date\">August 07, 2023<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"36.478478478478\">\n<div readability=\"20.159159159159\">\n<p>In June 2023, Trend Micro observed an upgrade to the evasion techniques used by the Batloader initial access malware, which we\u2019ve covered in <a href=\"https:\/\/www.trendmicro.com\/en_ph\/research\/23\/a\/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html\">previous blog entries<\/a>. The group behind Batloader (which we named Water Minyades) have begun employing Pyarmor Pro \u2014 a more sophisticated version of the regular Pyarmor protector command-line tool \u2014 to obfuscate its main malicious python scripts. 
Batloader previously used the standard version of Pyarmor, which can be manually de-obfuscated using <a href=\"https:\/\/github.com\/Svenskithesource\/PyArmor-Unpacker\">open-source scripts<\/a>. Water Minyades had been using Pyarmor since December 2022, likely because many antivirus engines lack an unpacker engine for Pyarmor (even the non-pro variant), making it difficult to detect these kinds of scripts.<\/p>\n<p>Aside from this unique evasion technique, Batloader also uses a variety of other techniques to make it more difficult to detect. One example of this is the use of large MSI files as a delivery vessel. Figure 1 shows an example of this, with a 111 MB Batloader MSI file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"97605a\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/batloader-pyarmor-1.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/batloader-pyarmor-1.png\" alt=\"Figure 1. A Batloader MSI file with a size of 111 MB\"> <\/a><figcaption>Figure 1. A Batloader MSI file with a size of 111 MB<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"38\">\n<div readability=\"21\">\n<p>A custom action script that is used for starting Batloader&#8217;s kill chain is usually included with these MSI files. In the sample we analyzed, it will execute a batch file named <i>Python2.bat<\/i>. The MSI file executes the following command line:<\/p>\n<p><span class=\"blockquote\">&quot;C:\\Windows\\System32\\cmd.exe&quot; \/c C:\\Users\\\\AppData\\Local\\Reo\\App\\Python\\Python2.bat<\/span><\/p>\n<p>Figure 2 shows the content of the <i>Python2.bat<\/i> file. 
To summarize, the file will check if it has admin rights to the victim machine. If not, it will execute a User Account Control (UAC) prompt via a file named <i>getadmin.vbs<\/i>. Once it has obtained admin rights, it will silently install WinRAR using a renamed installer (<i>r.exe<\/i>) and expand the <i>openssl.zip<\/i> and <i>frameworkb.rar<\/i> archives, which are files used for the next stages of Batloader\u2019s execution chain.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"d3b8e3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/batloader-pyarmor-2.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/batloader-pyarmor-2.png\" alt=\"Figure 2. The content of \u201cPython2.bat\u201d\"> <\/a><figcaption>Figure 2. The content of \u201cPython2.bat\u201d<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The files <i>framework.py<\/i>, <i>frameworkb.py<\/i>, and the customized Python runtime environment libraries from the Pyarmor Pro application are extracted from the archive file named <i>frameworkb.rar<\/i>. 
These Pyarmor-protected scripts will be executed by the Batloader malware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"18fa14\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/batloader-pyarmor-3.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/batloader-pyarmor-3.png\" alt=\"Figure 3. Extracting files and a library from the \u201cframeworkb.rar\u201d file\"> <\/a><figcaption>Figure 3. Extracting files and a library from the \u201cframeworkb.rar\u201d file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Figure 4 shows the snippet from one of the Pyarmor-protected scripts. Note that the top portion of the script denotes that it was made using <i>Pyarmor Pro 8.2.8<\/i> and that it\u2019s designed to load customized Python libraries from the directory <i>pyarmor_runtime_005214<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"68fcd9\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/batloader-pyarmor-4.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/batloader-pyarmor-4.png\" alt=\"Figure 4. Code snippet from a Pyarmor-protected script\"> <\/a><figcaption>Figure 4. 
Code snippet from a Pyarmor-protected script<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>Looking at the execution chain of <i>frameworkb.py<\/i> as seen from Trend Vision One\u2122 (Figure 5), we can observe that when the <i>frameworkb.py<\/i> script is executed by <i>cmd.exe<\/i>, the script will attempt to fingerprint the network infrastructure of the victim environment by executing <i>arp.exe<\/i>, mapping IP addresses to MAC addresses and retrieving the domain name via the WMI command-line (WMIC) utility. This information is then sent to the command-and-control (C&amp;C) server, which is <i>countingstatistic[.]com<\/i> in this case.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"d82fb9\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/batloader-pyarmor-5.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/batloader-pyarmor-5.png\" alt=\"Figure 5. The execution chain of frameworkb.py as seen from the Trend Vision One console\"> <\/a><figcaption>Figure 5. The execution chain of frameworkb.py as seen from the Trend Vision One console<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.462598425197\">\n<div readability=\"13.173228346457\">\n<p>The other Python file, named <i>framework.py<\/i>, will also be executed once the second-stage payload from the C&amp;C server is delivered. 
Based on previous Batloader attacks, this can be any malware, with the most observed being Ursnif, Vidar and <a href=\"https:\/\/www.trendmicro.com\/en_ph\/research\/23\/c\/managed-xdr-exposes-spear-phishing-campaign-targeting-hospitalit.html\">Redline Stealer<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b57a45\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/batloader-pyarmor-6.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/batloader-pyarmor-6.png\" alt=\"Figure 6. The kill chain when \u201cframework.py\u201d is executed\"> <\/a><figcaption>Figure 6. The kill chain when \u201cframework.py\u201d is executed<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"50.413189448441\">\n<div readability=\"46.987050359712\">\n<p>As shown in the Vision One console screenshot seen in figure 6, the following kill chain occurs when <i>framework.py<\/i> is executed:<\/p>\n<p>(1): Python executes framework.py using the following command:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">cmd \/c python.exe framework.py<\/span><\/li>\n<\/ul>\n<p>(2): OpenSSL is used to decrypt the downloaded file (<i>a.exe.enc<\/i>) using AES-256 encryption in cipher-block chaining (CBC) mode with the password tor92SS2jds.<\/p>\n<p>The decrypted result is then saved in the file named <i>control.exe<\/i>, which is executed by <i>cmd.exe<\/i>:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">cmd \/c &#8220;openssl enc -aes-256-cbc -d -in a.exe.enc -out control.exe -pbkdf2 -pass pass:tor92SS2jds&#8221;<\/span><\/li>\n<\/ul>\n<p>(3, 4, and 5): The victim\u2019s network infrastructure is fingerprinted using the following commands:<\/p>\n<ul>\n<li><span 
class=\"rte-red-bullet\">whoami \/groups<\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\Windows\\system32\\cmd.exe \/c &#8220;arp -a&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">wmic computersystem get domain<\/span><\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>Batloader is a highly active initial access malware that can be used to deliver other malware, often ultimately leading to dangerous <a href=\"https:\/\/www.trendmicro.com\/vinfo\/ph\/security\/definition\/Ransomware\">ransomware<\/a> like <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-royal\">Royal<\/a> and <a href=\"https:\/\/www.trendmicro.com\/en_ph\/research\/23\/e\/investigating-blacksuit-ransomwares-similarities-to-royal.html\">BlackSuit<\/a>. Furthermore, it is a stealthy malware, employing several evasion routines to elude detection engines. This includes techniques such as abusing digital signatures, using large installer sizes as a vessel to evade engines that have file size limits, and, as discussed in this blog entry, incorporating tools such as Pyarmor Pro to obfuscate its primary Python scripts.<\/p>\n<p>Organizations can reduce the impact of malware such as Batloader by employing comprehensive detection and response technologies such as <a href=\"https:\/\/www.trendmicro.com\/en_ph\/business\/products\/one-platform.html\">Trend Vision One<\/a>. 
This solution offers robust extended detection and response (XDR) functionalities, gathering and intelligently connecting information from various security layers \u2014 encompassing email, endpoints, servers, cloud operations, and networks, thwarting potential security incidents and ensuring that they don\u2019t go unnoticed.<\/p>\n<p>Trend Vision One customers can use the following hunting query to search for this specific Batloader threat:<\/p>\n<p><span class=\"blockquote\">Go to SearchApp&gt; General &gt; Search&nbsp; &nbsp;parentCmd:\u201dcmd \/c python.exe framework*\u201d<\/span><\/p>\n<p>The indicators of compromise for this entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/ioc-latest-batloader-campaigns-use-pyarmor-pro-for-evasion.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/h\/batloader-campaigns-use-pyarmor-pro-for-evasion.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In June 2023, Trend Micro observed an upgrade to the evasion techniques used by the Batloader initial access malware, which we\u2019ve covered in previous blog entries. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":53076,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9509],"class_list":["post-53075","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head_json":{"title":"Latest Batloader Campaigns Use Pyarmor Pro for Evasion 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/","og_locale":"en_US","og_type":"article","og_title":"Latest Batloader Campaigns Use Pyarmor Pro for Evasion 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-08-07T00:00:00+00:00","og_image":[{"width":532,"height":284,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Latest Batloader Campaigns Use Pyarmor Pro for Evasion","datePublished":"2023-08-07T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/"},"wordCount":929,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/","url":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/","name":"Latest Batloader Campaigns Use Pyarmor Pro for Evasion 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion.png","datePublished":"2023-08-07T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion.png","width":532,"height":284},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/latest-batloader-campaigns-use-pyarmor-pro-for-evasion\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Latest Batloader Campaigns Use Pyarmor Pro for 
Evasion"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a867
1ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/53075","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=53075"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/53075\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/53076"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=53075"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=53075"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=53075"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}