Obscure#BAT Malware uses fake CAPTCHA pages to deploy rootkit r77 and avoid detection

March 14, 2025Ravi LakshmananThreat Intelligence/Malware

A new malware campaign has been observed that leverages social engineering tactics to deliver an open-source rootkit called r77.

The activity, codenamed Obscure#BAT by Securonix, allows threat actors to establish persistence on compromised systems and evade detection. It is currently unknown who is behind the campaign.

The rootkit "has the ability to cloak or mask files, registry keys, or tasks starting with a specific prefix," security researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News. "It targets users either under the guise of legitimate software downloads or via fake CAPTCHA social engineering scams."

The campaign is designed primarily to target English-speaking individuals, particularly in the US, Canada, Germany and the UK.

Obscure#BAT gets its name from the fact that the starting point of the attack is an obfuscated Windows batch script. This script executes a PowerShell command that kicks off a multi-stage process culminating in the deployment of the rootkit.

At least two different initial access routes have been identified for getting users to run the malicious batch script. One passes the malware off as a legitimate tool, such as the Tor browser, VoIP software or a messaging client; the other uses the infamous ClickFix strategy, directing users to a fake Cloudflare CAPTCHA verification page.

It is not clear how users are lured to the booby-trapped software, but it is suspected to involve proven approaches such as malvertising and search engine optimization (SEO) poisoning.

Regardless of the method used, the first-stage payload is an archive containing a batch script that invokes PowerShell commands to drop additional scripts, make changes to the Windows registry, and set up scheduled tasks for persistence.

"The malware stores obfuscated scripts in the Windows registry and ensures they run through scheduled tasks, allowing them to be executed covertly in the background," the researchers said. "In addition, it modifies system registry keys to register a fake driver (ACPIx86.sys), embedding itself further into the system."

Also deployed over the course of the attack is a .NET payload that uses a number of tricks to evade detection, including control-flow obfuscation, string encryption, and function names that mix Arabic, Chinese and special characters.

Another payload loaded by PowerShell is an executable that uses an Antimalware Scan Interface (AMSI) patch to bypass antivirus detection.

The .NET payload is responsible for dropping a system-mode rootkit named "ACPIx86.sys" into the "C:\Windows\System32\drivers\" folder. It also delivers a user-mode rootkit called r77 that hides files, processes and registry keys matching the pattern ($nya-).

The malware also periodically monitors clipboard activity and command history, saving them to hidden files for possible exfiltration.

"Obscure#BAT demonstrates a highly evasive attack chain, leveraging obfuscation, stealth techniques and API hooking to persist on compromised systems while evading detection," the researchers said.

"From the initial execution of an obfuscated batch script (install.bat) to the creation of scheduled tasks and registry-stored scripts, the malware ensures persistence even after a reboot. By injecting into critical system processes such as winlogon.exe, it manipulates process behavior to further complicate detection."
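The behaviours described above (a batch script spawning PowerShell that pulls its next stage from the registry, the fake ACPIx86.sys driver in the drivers folder, access to winlogon.exe, and the $nya- prefix r77 hides) can be turned into host-telemetry triage rules. The following Python is an added example, not Securonix's or The Hacker News' code; the JSON event format, the sample events, and the assumption that the PowerShell stage references a registry path on its command line are constructed for illustration.

```python
import json
import re

# Indicators named in the article: the prefix r77 hides, the fake driver name
# dropped into the drivers folder, and the process the loader injects into.
HIDE_PREFIX = "$nya-"
DRIVER_PATH = re.compile(r"\\windows\\system32\\drivers\\acpix86\.sys$", re.I)
INJECT_TARGET = "winlogon.exe"
# Assumption, not from the article: the PowerShell stage names a registry path on its cmdline.
REG_FETCH = re.compile(r"powershell.*(get-itemproperty|registry::|hk(lm|cu)[:\\])", re.I)


def classify(event):
    """Return the rule names one constructed telemetry event matches."""
    hits = []
    kind = event.get("type")
    if kind == "file_create" and DRIVER_PATH.search(event.get("path", "")):
        hits.append("fake_acpi_driver_dropped")
    if kind == "process_create":
        parent = event.get("parent", "").lower()
        if parent.endswith("\\cmd.exe") and REG_FETCH.search(event.get("cmdline", "")):
            hits.append("batch_to_powershell_registry_script")
    if kind == "process_access" and event.get("target", "").lower().endswith(INJECT_TARGET):
        hits.append("winlogon_process_access")  # coarse: triage by source process
    # A file, task or key whose leaf name carries the r77 prefix is suspicious by itself,
    # because the user-mode hook hides exactly these names from tools on the host.
    for field in ("path", "task_name", "reg_key"):
        leaf = event.get(field, "").rsplit("\\", 1)[-1]
        if leaf.lower().startswith(HIDE_PREFIX):
            hits.append("r77_hidden_prefix")
            break
    return hits


def scan(lines):
    """Map event id -> matched rules for every non-empty JSON line."""
    results = {}
    for line in lines:
        if line.strip():
            event = json.loads(line)
            results[event["id"]] = classify(event)
    return results


# Constructed sample telemetry (not real captures); one JSON object per line.
SAMPLE_LOG = r"""
{"id": 1, "type": "process_create", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "powershell -w hidden -c \"iex (Get-ItemProperty HKCU:\\Software\\Stage).p\""}
{"id": 2, "type": "task_create", "task_name": "$nya-Update"}
{"id": 3, "type": "file_create", "path": "C:\\Windows\\System32\\drivers\\acpix86.sys"}
{"id": 4, "type": "process_access", "source": "C:\\Users\\Public\\stage.exe", "target": "C:\\Windows\\System32\\winlogon.exe"}
{"id": 5, "type": "process_create", "parent": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe C:\\notes.txt"}
""".splitlines()
```

Because r77 hides matching names from the infected host's own API calls, the prefix rule is most useful on telemetry shipped off-host or collected at file-create time, before the hook is installed.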

The findings come as Cofense detailed a Microsoft Copilot spoofing campaign that uses phishing emails to take users to fake landing pages for the artificial intelligence (AI) assistant, designed to harvest user credentials and two-factor authentication (2FA) codes.
