BatCloak Engine: Cybercriminals’ Undetectable Malware

Reading Time: ( Word Count: )

June 12, 2023

A highly effective malware obfuscation engine known as BatCloak Engine has been employed since September 2022 to distribute different types of malware while skillfully avoiding detection by antivirus programs.

According to researchers from Trend Micro, the samples allow “threat actors to effortlessly load numerous families of malware and exploits using heavily obfuscated batch files.” The cybersecurity company further revealed that approximately 79.6% of the 784 artifacts discovered remained undetected by all security solutions, emphasizing the capability of BatCloak to bypass conventional detection mechanisms.

At the core of an off-the-shelf batch file builder tool called Jlaive lies the BatCloak engine. This tool enables users to evade Antimalware Scan Interface (AMSI), compress and encrypt the primary payload, and achieve enhanced security evasion.

Although Jlaive was originally an open-source tool released on GitHub and GitLab in September 2022 by a developer named ch2sh, it has been marketed as an “EXE to BAT crypter.” Since then, other actors have cloned, modified, and ported to languages like Rust.

The final payload is concealed through three loader layers: a C# loader, a PowerShell loader, and a batch loader. The batch loader serves as the initial point for decoding and unpacking each stage, ultimately activating the hidden malware.

BatCloak Engine

“The batch loader consists of an obfuscated PowerShell loader and an encrypted C# stub binary,” researchers Peter Girnus and Aliakbar Zahravi explained. “In the end, Jlaive utilizes BatCloak as a file obfuscation engine to obscure the batch loader and store it on a disk.”

BatCloak has undergone numerous updates and adaptations since its emergence, with the most recent version being ScrubCrypt. Fortinet FortiGuard Labs initially brought attention to ScrubCrypt due to its association with a crypto-jacking operation carried out by the 8220 Gang.

The researchers noted that the transition from an open-source framework to a closed-source model, as seen with ScrubCrypt, can be attributed to the success of previous projects like Jlaive and the aim to monetize the project while protecting it against unauthorized replication.

Furthermore, ScrubCrypt is designed to be compatible with various well-known malware families, including Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, Warzone RAT.

“The evolution of BatCloak demonstrates the flexibility and adaptability of this engine, highlighting the development of fully undetectable batch obfuscators,” concluded the researchers. “This showcases the prevalence of this technique in the contemporary threat landscape.”

Saher Mahmood

Saher Mahmood


Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
How Often Should Penetration Testing Be Done

How Often Should Penetration Testing Be Done

Penetration testing is a crucial technique that involves simulating a cyberattack on networks, computer systems, ...

Submit a Comment

Your email address will not be published. Required fields are marked *