SeroXen Incorporates Latest BatCloak Engine Iteration

The article details how SeroXen uses the latest BatCloak batch-obfuscation engine and a modified Quasar RAT builder to produce fully undetectable (.bat) loaders that decrypt and reflectively load a .NET payload via obfuscated PowerShell. It explains the multilayered obfuscation steps, the builder’s use of Jlaive/BatCloak crypter logic, and the in-memory AES/XOR decryption and reflective loading stages. #SeroXen #BatCloak

Key points

  • SeroXen distributes heavily obfuscated .bat loaders (often disguised as game cheats) that rely on BatCloak-generated FUD batch files to execute the infection chain.
  • Infection begins when a user executes a malicious batch file bundled in an archive; these archives are commonly hosted on platforms such as the Discord CDN or other cloud storage.
  • The obfuscation uses layered techniques: variable-based string manipulation, junk code, suppressed console output, and large concatenated variable sets to evade detection.
  • The batch copies PowerShell from System32 to the working directory, renames it, and uses PowerShell to decode (Base64), decrypt (AES or XOR), decompress, and reflectively load a .NET loader into memory.
  • The SeroXen builder is a modified Quasar RAT that embeds a Crypt function using Jlaive and BatCloak code to AES-encrypt the .NET payload and then embed an encoded C# loader into an obfuscated batch with a PowerShell stub.
  • The builder integrates an API unhooker (SharpUnhooker) to attempt to clear user-land hooks and evade EDR/AV monitoring before reflectively loading the payload.
  • The authors provide a YARA rule and an isolated PowerShell deobfuscation script for analysts to extract keys/IVs and reveal the final payload; these must be run in a sandboxed environment.

MITRE Techniques

  • [T1204] User Execution – SeroXen relies on enticing users to run malicious batch files: ‘To successfully initiate the infection process, the targeted user is lured into executing a batch file.’
  • [T1105] Ingress Tool Transfer – Malicious archives and loaders are retrieved from public hosting (e.g., Discord CDN): ‘these malicious archives are hosted on the Discord CDN (content delivery network)’.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The primary infection vector is an obfuscated .bat that builds and invokes commands: ‘the batch file’s role is to deobfuscate the PowerShell script and execute it.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is used to decode/decrypt/unzip and execute the .NET loader: ‘Use the PowerShell command to decrypt and execute the encrypted payload’.
  • [T1027] Obfuscated Files or Information – The loader uses multilayered obfuscation, variable concatenation, and junk code to evade detection: ‘layered obfuscation techniques alongside the incorporation of superfluous code fragments or “junk code” were employed’.
  • [T1620] Reflective Code Loading – The final .NET payload is loaded into memory via reflection: ‘reflectively load it’.
  • [T1036] Masquerading – The batch copies and renames PowerShell to a local executable name to avoid detection: ‘Name this copied PowerShell after the batch filename with an appended .exe’.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The builder includes an API unhooker to clear user-land hooks and attempt evasion of AV/EDR monitoring: ‘Apiunhooker.dll … automatically Unhooks API Hives’.

Indicators of Compromise

  • [File name] builder and payload artifacts – client.bin, payload.exe (encrypted Quasar RAT), and Apiunhooker.dll
  • [Script/template name] embedded stubs and templates – Quasar.Server.Stub.cs, Qusar.Server.AESStub.ps1, Quasar.Server.XORStub.ps1
  • [Batch characteristics] obfuscated .bat loader samples – large obfuscated batch files (~10MB–15MB) used as infection vectors
  • [Hosting/service] distribution context – Discord CDN (hosting compromised game-cheat archives) and other cloud storage platforms
  • [Detection artifacts] defensive tooling provided in article – YARA rule URL and PowerShell deobfuscation script (used by analysts to extract deobfuscated commands and keys)

The technical infection chain begins with a heavily obfuscated .bat loader (often bundled in fake game-cheat archives) that suppresses output (@echo off), assigns the “set” command and “=” operator to variables, and uses repeated variable concatenation and junk code to hide its true commands. When executed, the batch copies the PowerShell executable from System32 into the working directory, renames it (often matching the batch filename with an .exe extension), and then runs an embedded PowerShell stub that extracts a large Base64 payload embedded in the batch after a marker (e.g., “::”).

The embedded PowerShell sequence decodes the Base64 blob, decrypts it using AES (CBC mode with embedded Key and IV) or XOR (depending on configuration), unzips/gunzips the result, and then reflectively loads the resulting .NET loader into memory. Analysts observed the decryption flow explicitly: Base64 decode → AES/XOR decrypt (AES using Key/IV blob) → unzip → assembly reflection to load the .NET binary, with the final PowerShell commands responsible for both decryption and in-memory execution.
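The two paragraphs above describe one chain: the static traits of the batch loader, then the stub's Base64 decode, decrypt, gunzip and reflective load. The following Python is an added example written from the analyst side, not code from the Trend Micro article, the authors' deobfuscation script, or SeroXen/BatCloak itself. It scores a batch file against those traits and then replays the decode pipeline up to the point where the recovered stage can be inspected. Everything specific is an assumption: the regex forms, the `%~n0.exe` rename idiom, the 1024-character blob threshold, the XOR key, and the sample batch text, which is constructed inline together with stand-in "payload" bytes so the script runs offline. Only the XOR branch of the decrypt stage is implemented; the AES-CBC branch would need a third-party cipher library.

```python
"""Static triage and staged-payload recovery for a BatCloak-style .bat loader.

Added example; not code from the Trend Micro article nor from SeroXen/BatCloak.
The indicators mirror the loader traits the summary describes. The batch text,
the XOR key and the stand-in "payload" bytes are constructed here so the script
runs offline; only the XOR branch of the decrypt stage is implemented (AES-CBC
would need a third-party cipher library).
"""
import base64
import binascii
import gzip
import random
import re

# Assumption: a staged Base64 payload is at least this many characters.
MIN_BLOB_CHARS = 1024

# Loader traits from the summary, as regexes (assumed forms, not signatures
# taken from the article).
RE_ECHO_OFF = re.compile(r"^\s*@echo\s+off\b", re.I | re.M)
RE_COPY_PS = re.compile(r"\bcopy\b[^\r\n]*system32[^\r\n]*powershell\.exe", re.I)
RE_RENAMED = re.compile(r"%~n0\.exe", re.I)          # batch idiom: "<own name>.exe"
RE_VARREF = re.compile(r"%[^%\s]+%")                  # %var% expansions (density hint)
RE_MARKER_BLOB = re.compile(r"^::\s*([A-Za-z0-9+/=]+)\s*$", re.M)  # blob after "::"


def _marker_blobs(batch_text: str) -> list:
    return [m.group(1) for m in RE_MARKER_BLOB.finditer(batch_text)]


def triage(batch_text: str) -> dict:
    """Score a batch file against four structural traits plus %var% density."""
    longest = max(_marker_blobs(batch_text), key=len, default="")
    kb = max(len(batch_text), 1) / 1024
    findings = {
        "echo_off": bool(RE_ECHO_OFF.search(batch_text)),
        "copies_powershell_from_system32": bool(RE_COPY_PS.search(batch_text)),
        "renames_copy_to_batch_name_exe": bool(RE_RENAMED.search(batch_text)),
        "large_b64_blob_after_marker": len(longest) >= MIN_BLOB_CHARS,
        "var_refs_per_kb": round(len(RE_VARREF.findall(batch_text)) / kb, 1),
    }
    findings["score"] = sum(1 for v in findings.values() if v is True)
    return findings


def extract_blob(batch_text: str) -> bytes:
    """Base64-decode the longest '::' marker blob (stage 1 of the PowerShell stub)."""
    blobs = _marker_blobs(batch_text)
    if not blobs:
        raise ValueError("no '::' marker blob found")
    try:
        return base64.b64decode(max(blobs, key=len), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"marker blob is not valid Base64: {exc}") from exc


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine undoes the stub's XOR branch."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_payload(batch_text: str, key: bytes) -> bytes:
    """Base64 decode -> XOR decrypt -> gunzip, the steps the stub runs before reflective load."""
    plain = xor_bytes(extract_blob(batch_text), key)
    if plain[:2] != b"\x1f\x8b":  # gzip magic; anything else means wrong key or the AES branch
        raise ValueError("decrypted blob is not gzip: wrong key, or the AES variant")
    return gzip.decompress(plain)


def looks_like_pe(data: bytes) -> bool:
    """The recovered stage should carry an MZ header before a .NET parser is worth running."""
    return data[:2] == b"MZ"


# --- constructed fixture (not a real sample) ---------------------------------
CONSTRUCTED_KEY = b"example-key-not-real"
_rng = random.Random(2023)
CONSTRUCTED_PAYLOAD = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(1500))  # stand-in bytes


def build_constructed_sample(payload: bytes = CONSTRUCTED_PAYLOAD,
                             key: bytes = CONSTRUCTED_KEY) -> str:
    """Batch text showing the traits above; the blob is stand-in bytes run
    through gzip -> XOR -> Base64 so the recovery path has something to undo."""
    blob = base64.b64encode(xor_bytes(gzip.compress(payload), key)).decode()
    return "\n".join([
        "@echo off",
        'set "j1=%j0%%j0%" & set "j2=%j1%%j1%"',  # junk-style variable churn
        r'copy "%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" "%~n0.exe"',
        '"%~n0.exe" -NoProfile -Command REM-stub-omitted-in-fixture',
        ":: " + blob,
    ])


if __name__ == "__main__":
    sample = build_constructed_sample()
    print(triage(sample))
    stage = recover_payload(sample, CONSTRUCTED_KEY)
    print("recovered", len(stage), "bytes, PE header:", looks_like_pe(stage))
```

The score is deliberately coarse: each trait on its own is ordinary batch scripting, and it is the combination (output suppressed, PowerShell copied and renamed, a multi-kilobyte Base64 comment) that matches the loader shape the article describes. `recover_payload` refuses to decompress unless the XOR output starts with the gzip magic, which is the quickest way to tell a wrong key, or an AES-built sample, from a real recovery.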

On the builder side, SeroXen’s builder (protected with Agile .NET) reads a precompiled client.bin (Quasar RAT), patches strings/opcodes, encrypts it (AES-CBC) to produce payload.exe, and uses a modified Jlaive/BatCloak flow to produce an encoded, compressed C# loader. The builder embeds SharpUnhooker (Apiunhooker.dll) to unhook API hives, compiles the C# loader (including the encrypted payload and unhooker), compresses and encodes it (AES/XOR + Base64), then writes an obfuscated batch file containing the PowerShell stub and the encoded loader that will perform the in-memory decryption and reflective load when executed.

Read more: https://www.trendmicro.com/en_us/research/23/f/seroxen-incorporates-latest-batcloak-engine-iteration.html