Since Q4 2022, Batloader malware has been actively used in several malicious campaigns across the globe. Experts have recently revealed that in that duration, it has used several attack tactics, including abuse of legitimate tools and malvertising techniques to deliver several malware.

It began with Water Minyades

Trend Micro Researchers have been tracking the entire cluster of activities as Water Minyades that started as early as H2 2020.
  • During Q4 2022, the threat actors were observed using Batloader malware to deliver further malware, including Qakbot, Raccoon Stealer, and Bumbleloader through social engineering techniques.
  • Batloader spreads via malicious websites impersonating genuine applications such as Adobe, AnyDesk, Audacity, Blender, and CCleaner. 
  • Victims were redirected to these sites via malvertising and fake comments on forums with links leading to distribution sites.
  • These Batloader attacks were primarily deployed in the U.S., Germany, Canada, Japan, and the U.K.

The intrusion set 

Water Minyades heavily relies on defense evasion methods, one of which is payloads being deployed with very big file sizes to avoid the sandbox analysis and file size limits of antivirus engines.
  • Hackers used obfuscated JavaScript files as a first-stage payload and used the PyArmor tool to obfuscate Batloader Python scripts.
  • They abused genuine tools such as NSudo and Gpg4win to elevate privileges and decrypt malicious payloads.
  • Further, the intrusion set used MSI files’ genuine digital signatures and exploited flaws related to Windows PE Authenticode signatures to run malicious scripts appended to signed DLLs.
  • Cybercriminals used easily modifiable scripts to avoid detection on scanning engines relying on structural signatures.
  • They further abused custom action scripts from WiX Toolset and Advanced Installer software.


Batloader is a highly evasive malware family with the capability of deploying different types of malware. Moreover, it is expected to continue its attack spree in near future as well. Therefore, to stay protected from such threats, organizations are suggested to implement robust and multilayered security approaches to stay protected. These security layers should cover email, servers, cloud workloads, and networks across the organization for ensuring a secure environment.
Cyware Publisher