October 2, 2023

Researchers have warned about a batch file obfuscation tool dubbed “BatCloak” that has an 80% success rate at letting malicious BAT files slip past antivirus detection engines.

According to the report, BAT files hidden by BatCloak demonstrate “a remarkable ability to persistently evade security solutions.”

Most of the samples gathered since 2022 persistently evade antivirus detection, letting threat actors load numerous malware families and exploits with ease through highly obfuscated batch files.

The researchers classify BatCloak as “fully undetectable” (FUD) malware. This FUD should not be confused with the other FUD, the popular information-security shorthand for overhyped, underinformed analysis that spreads unnecessary fear, uncertainty, and doubt.


“To achieve FUD status, a piece of malware might employ combined techniques such as encryption, obfuscation, and polymorphism. The goal of a piece of FUD malware is to remain completely undetected in compromised systems, allowing threat actors to carry out a wide range of malicious activities that include but are not limited to cyberespionage,” the researchers wrote.

Malicious BAT files have always been a challenge for antivirus engines. As one article put it, “batch scripts are too variable to write a working malicious script detector that catches new or ‘custom’ malware scripts. You’re likely to see the AV catching anything particularly prolific, but almost certainly not anything new or custom.”
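As an added illustration (not part of the original article, not Trend Micro's analysis, and not BatCloak's own algorithm), the Python below shows why a plain string signature is so fragile against batch obfuscation, and what a detector can do instead. Two long-standing cmd.exe tricks are used on constructed samples: caret escapes (`p^o^w^e^r` runs as `power`) and `%var:~start,len%` substring expansion, which assembles a command letter by letter from a variable that never spells it. A static normalizer undoes both before signature matching, and a structural heuristic score flags the obfuscated forms even without knowing the payload. The samples, feature weights and threshold are assumptions chosen for the demonstration.

```python
import re

# --- Constructed samples (not real BatCloak output) -------------------------
# The same command in plain form and in two obfuscated forms that cmd.exe
# still executes identically.  Assumed for illustration only.
PLAIN = 'powershell -nop -w hidden -c "Write-Output hi"\r\n'

# Caret insertion: outside double quotes cmd.exe treats ^ as an escape and
# drops it, so p^o^w^e^r^s^h^e^l^l runs as powershell.
CARET = 'p^o^w^e^r^s^h^e^l^l -nop -w hidden -c "Write-Output hi"\r\n'

# Substring expansion: %var:~start,len% slices characters out of a variable
# whose value never spells the command; %hd:~-6% takes the last six chars.
SUBSTR = (
    "@echo off\r\n"
    'set "zq=lrehpwso"\r\n'
    'set "hd=xxhidden"\r\n'
    "%zq:~4,1%%zq:~7,1%%zq:~5,1%%zq:~2,1%%zq:~1,1%"
    "%zq:~6,1%%zq:~3,1%%zq:~2,1%%zq:~0,1%%zq:~0,1%"
    ' -nop -w %hd:~-6% -c "Write-Output hi"\r\n'
)

SET_RE = re.compile(r'^\s*set\s+"?(?P<name>[^=\s"]+)=(?P<val>[^"\r\n]*)"?\s*$', re.I)
SUBSTR_RE = re.compile(r"[%!](?P<name>[^%!:\s]+):~(?P<start>-?\d+)(?:,(?P<len>-?\d+))?[%!]")
CARET_RE = re.compile(r"\^[A-Za-z0-9]")


def signature_match(script, needle="powershell"):
    """Naive substring signature, the kind obfuscation is designed to beat."""
    return needle in script.lower()


def _slice(val, start, length):
    """Emulate cmd's %var:~start,len% semantics with Python slices."""
    if length is None:
        return val[start:]
    if length < 0:
        return val[start:length]        # negative len = drop chars from the end
    if start < 0:
        return val[start:][:length]     # negative start counts from the end
    return val[start:start + length]


def decaret(line):
    """Drop ^ escapes outside double quotes, as cmd.exe does while parsing."""
    out, in_quote, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quote = not in_quote
        elif ch == "^" and not in_quote and i + 1 < len(line):
            i += 1                      # keep the escaped char, lose the caret
            ch = line[i]
        out.append(ch)
        i += 1
    return "".join(out)


def normalize(script):
    """Statically expand set/substring tricks and strip carets before matching."""
    env, out = {}, []
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            env[m.group("name").lower()] = m.group("val")
            out.append(line)
            continue

        def expand(mm):
            val = env.get(mm.group("name").lower())
            if val is None:
                return mm.group(0)      # unknown variable: leave untouched
            length = mm.group("len")
            return _slice(val, int(mm.group("start")),
                          None if length is None else int(length))

        # cmd expands %...% before it processes ^ escapes, so keep that order.
        out.append(decaret(SUBSTR_RE.sub(expand, line)))
    return "\n".join(out)


def obfuscation_features(script):
    """Structural markers that survive even when the payload is unknown."""
    lines = script.splitlines()
    return {
        "caret_escapes": len(CARET_RE.findall(script)),
        "substring_expansions": len(SUBSTR_RE.findall(script)),
        "set_statements": sum(1 for l in lines if SET_RE.match(l)),
        "non_ascii": sum(1 for ch in script if ord(ch) > 127),
        "longest_line": max((len(l) for l in lines), default=0),
    }


def obfuscation_score(script):
    """Assumed weights: substring expansion is the strongest single signal."""
    f = obfuscation_features(script)
    return (f["caret_escapes"] + 3 * f["substring_expansions"] + f["non_ascii"]
            + (2 if f["longest_line"] > 400 else 0))


def is_suspicious(script, threshold=5):
    return obfuscation_score(script) >= threshold


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("caret", CARET), ("substr", SUBSTR)):
        print(f"{name:7} raw-sig={signature_match(sample)!s:5} "
              f"norm-sig={signature_match(normalize(sample))!s:5} "
              f"score={obfuscation_score(sample)} suspicious={is_suspicious(sample)}")
```

The point of the two-pronged check is that normalization is a cat-and-mouse game (a real engine layers encryption and polymorphism on top of these tricks, and this static expander handles neither), whereas the structural score catches the obfuscation itself rather than the payload it hides. In practice the score would be one input to a detection, not a verdict on its own, since legitimate scripts do use `set` and the occasional substring expansion.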

Researchers tie BatCloak closely to Jlaive, a now-abandoned BAT obfuscation tool billed as an antivirus evasion tool that converts executables into undetectable batch files. A noted limitation is that obfuscated .NET assemblies are not guaranteed to work.

Two C# source (.cs) files work together to implement the Jlaive obfuscation algorithm. FileObfuscation.cs contains the logic responsible for obfuscating batch files; its code is organized within the namespace BatCloak, which contains a single class named FileObfuscation, which in turn contains the Process method.

The threat actors behind Jlaive contributed to numerous iterations and adaptations of the BatCloak engine. Other obfuscation projects include CryBat, Exe2Bat, SeroXen and, most recently, ScrubCrypt.


Unlike the open-source toolkit Jlaive, ScrubCrypt is closed-source. Beyond bundling the BatCloak obfuscation engine, ScrubCrypt is a pedestrian crime tool offering crimeware staples such as User Account Control (UAC) bypass and point-and-click options to plant a host of malware families, including the SmokeLoader loader and the VenomRAT remote access trojan (RAT), on targeted systems.

The researchers warn that adversaries will likely continue to push the highly effective BatCloak engine in future crime tools, and that its presence in numerous malware families is a compelling testament to the engine’s inherent modularity.

This research was documented by researchers from Trend Micro, whose detailed analysis report is available on its site.
