
Digital safety starts here, for both commercial and personal use.

Defend Your Business Against the Latest WNY Cyber Threats

We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

OBSCURE#BAT Malware Uses Fake CAPTCHA Pages to Deploy Rootkit r77 and Evade Detection

Summary:
A new malware campaign, tracked as OBSCURE#BAT, uses social engineering to deploy the r77 rootkit, an open-source tool that gives the attacker persistence and evasion on a compromised Windows host. Discovered by Securonix, the campaign primarily targets English-speaking users in the U.S., Canada, Germany, and the U.K., posing either as a legitimate software download or as a fake CAPTCHA verification page. The threat actors behind the campaign remain unknown.

The attack begins with a heavily obfuscated Windows batch script that executes PowerShell commands to start a multi-stage infection. Two lures deliver that script: ClickFix, which sends the user to a fraudulent Cloudflare CAPTCHA page that asks them to copy and run a command, and fake installers for genuine tools such as Tor Browser, VoIP software, or messaging clients. Victims most likely reach these lures through malvertising or SEO poisoning.

Once executed, the batch script drops additional scripts, modifies Windows Registry settings, and creates scheduled tasks for persistence. It also registers a fake driver (ACPIx86.sys) to embed itself more deeply in the system. A .NET payload is then deployed that uses control-flow obfuscation, string encryption, and function names made of special characters to evade static analysis. Finally, PowerShell loads an executable that patches the Antimalware Scan Interface (AMSI) in memory, so script content is no longer handed to the installed antivirus for scanning.

Security Officer Comments:
The attack culminates in the deployment of the r77 rootkit, which is launched as a service. The rootkit hides any file, process, or registry key whose name begins with the prefix $nya-, and it also monitors clipboard contents and command history, giving the operator material for data exfiltration. Persistence survives reboots because the malware injects itself into critical system processes such as winlogon.exe, which makes it hard to spot and hard to remove with the usual tools.
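The infection chain and the rootkit behaviour described above all leave traces in endpoint telemetry before r77 starts hiding them: cmd.exe spawning a hidden or encoded PowerShell, PowerShell creating a scheduled task, the ACPIx86.sys file landing in the drivers directory, names carrying the $nya- prefix, and a remote thread opened in winlogon.exe. The following is an added example, not Securonix's or WNYCyber's code, that runs simple hunting rules for those behaviours over a handful of constructed Sysmon-style events (event IDs and field names follow Sysmon's schema; every path, command line and task name is made up for the demonstration and is not an indicator from the report):

```python
"""Hunt Sysmon-style process/file/registry/thread events for the
OBSCURE#BAT behaviours summarised on the page.

Added example. The events below are constructed for the demo; only the
$nya- prefix, the ACPIx86.sys driver name and winlogon.exe come from the
published analysis.
"""
import re

# Prefix r77 uses in this campaign to hide files, processes and registry keys.
HIDE_PREFIX = "$nya-"

# Constructed Sysmon-like events (EventID 1 = process create, 8 = remote
# thread, 11 = file create, 13 = registry value set).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\demo\Downloads\installer.bat"',
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIABkAGUAbQBvAA=="},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'schtasks /create /tn "WindowsUpdateCheck" /sc onlogon /tr "powershell -w hidden -f C:\\Users\\demo\\AppData\\Roaming\\u.ps1" /f'},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\ACPIx86.sys"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\$nya-config\Path"},
    {"EventID": 8, "SourceImage": r"C:\Users\demo\AppData\Local\Temp\$nya-svc.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    # Two benign controls: an admin querying a task, a user running a cmdlet.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'schtasks /query /tn "Backup"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Process"},
]


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(event):
    """Return the names of the rules this event matches (empty if none)."""
    hits = []
    eid = event.get("EventID")
    image = _base(event.get("Image", ""))
    parent = _base(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")

    # Stage 1: the batch file (running under cmd.exe) starts PowerShell with
    # a hidden window and/or an encoded command.
    if (eid == 1 and image == "powershell.exe" and parent == "cmd.exe"
            and re.search(r"-(enc\w*|w(indowstyle)?\s+hidden)", cmd, re.I)):
        hits.append("batch_spawns_hidden_encoded_powershell")

    # Persistence: scheduled task created by PowerShell rather than by an admin.
    if (eid == 1 and image == "schtasks.exe" and parent == "powershell.exe"
            and re.search(r"/create\b", cmd, re.I)):
        hits.append("powershell_creates_scheduled_task")

    # The fake driver written to disk.
    if eid == 11 and _base(event.get("TargetFilename", "")) == "acpix86.sys":
        hits.append("fake_driver_acpix86_written")

    # Anything named with the rootkit's hiding prefix. Once r77 is loaded the
    # object is invisible on the host, so the log line is the only witness.
    for field in ("TargetFilename", "TargetObject", "Image", "SourceImage", "CommandLine"):
        if HIDE_PREFIX in event.get(field, ""):
            hits.append(f"r77_hide_prefix_in_{field}")

    # Injection into winlogon.exe (CreateRemoteThread).
    if eid == 8 and _base(event.get("TargetImage", "")) == "winlogon.exe":
        hits.append("remote_thread_into_winlogon")

    return hits


def hunt(events):
    """Index -> matched rules, for every event that matched something."""
    return {i: h for i, e in enumerate(events) if (h := detect(e))}


if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Each rule is deliberately narrow and keyed on a relationship (parent and child, event type and target) rather than on a single string, so a benign `schtasks /query` or an interactive PowerShell session does not fire. In production the same logic belongs in the SIEM, and the $nya- rule should be applied to Sysmon data shipped off the host, since the rootkit's hooks do not reach the collector.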

Suggested Corrections:

Securonix recommendations:

  • Maintain vigilance against social engineering, malvertising, and fake captcha scams that trick users into executing code.
  • Always verify that software downloads come from legitimate websites.
  • A legitimate captcha will never copy code to your clipboard and prompt execution.
  • Be cautious with batch (.bat) files from unknown sources, as they are a common attack vector in phishing campaigns.
  • Inspect batch files in a text editor before executing them.
  • If infected, note that although the attacker may mask attribution, the original r77 rootkit author provides a remover or uninstaller.
  • We strongly recommend deploying robust endpoint logging (e.g., Sysmon and PowerShell logging) for enhanced detection.
  • Securonix customers can use the hunting queries published with the report to scan endpoints.
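The advice to open a batch file in a text editor before running it is sound, but the campaign's scripts are obfuscated precisely so that a glance tells you nothing. The following added example (not code from Securonix, WNYCyber or the r77 project) is a small static triage script that undoes the cheapest batch obfuscations, caret escapes and `%variable%` string assembly, and then looks for a PowerShell launch with a hidden window, an execution-policy bypass, or an encoded command, decoding the latter the way PowerShell does (base64 of UTF-16LE). The sample batch file it inspects is constructed here and carries a harmless `Write-Host`; the indicator list and scoring thresholds are general heuristics, not the report's detection logic.

```python
"""Static triage for a .bat file before anyone double-clicks it.

Added example. SAMPLE_BAT and BENIGN_BAT are constructed for the demo; the
indicators are generic batch/PowerShell obfuscation heuristics.
"""
import base64
import re

# Harmless stand-in for the encoded PowerShell the page describes.
HARMLESS_PAYLOAD = "Write-Host 'decoded sample payload'"
_ENC = base64.b64encode(HARMLESS_PAYLOAD.encode("utf-16le")).decode()

SAMPLE_BAT = "\r\n".join([
    "@echo off",
    "set zq=pow",
    "set kr=ersh",
    "set mv=ell",
    "set yy=-w hid^den -ep byp^ass",
    "start /b %zq%%kr%%mv%.exe %yy% -enc " + _ENC,
    "exit /b",
])

BENIGN_BAT = "\r\n".join([
    "@echo off",
    r"set LOGDIR=C:\logs",
    r"xcopy /y C:\data\*.csv %LOGDIR%\ ",
])

# Plain "set name=value" assignments (set /a and set /p are ignored).
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"/]+)=([^"]*)"?\s*$', re.I)
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

INDICATORS = {
    "powershell_launch": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "execution_policy_bypass": re.compile(r"-e(xecution)?p(olicy)?\s+bypass", re.I),
    "encoded_command": ENC_RE,
    "download_or_iex": re.compile(
        r"downloadstring|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|"
        r"certutil\s+-urlcache|bitsadmin", re.I),
}


def parse_sets(text):
    """Collect variables assigned with plain `set`, case-insensitively."""
    env = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
    return env


def normalize(line, env):
    """Expand %var% references from `env`, then drop caret escapes."""
    def sub(m):
        return env.get(m.group(1).lower(), m.group(0))
    for _ in range(5):  # a few passes so nested definitions resolve
        expanded = re.sub(r"%([^%\s]+)%", sub, line)
        if expanded == line:
            break
        line = expanded
    return line.replace("^", "")


def decode_encoded_command(blob):
    """PowerShell -EncodedCommand is base64 over UTF-16LE text."""
    try:
        return base64.b64decode(blob).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(bat_text):
    env = parse_sets(bat_text)
    report = {
        "indicators": set(),
        "decoded_commands": [],
        "carets": bat_text.count("^"),
        "expansions": len(re.findall(r"%[^%\s]+%", bat_text)),
        "set_vars": len(env),
    }
    for raw in bat_text.splitlines():
        line = normalize(raw, env)
        for name, rx in INDICATORS.items():
            if rx.search(line):
                report["indicators"].add(name)
        m = ENC_RE.search(line)
        if m and (decoded := decode_encoded_command(m.group(1))):
            report["decoded_commands"].append(decoded)
    # Structural obfuscation counts on its own: carets used as filler, or a
    # command assembled from several short variables.
    score = len(report["indicators"])
    score += 1 if report["carets"] > 3 else 0
    score += 1 if report["expansions"] >= 3 and report["set_vars"] >= 3 else 0
    report["score"] = score
    report["verdict"] = "suspicious" if score >= 3 else "benign-looking"
    return report


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        r = triage(text)
        print(label, r["verdict"], sorted(r["indicators"]), r["decoded_commands"])
```

The normalisation is intentionally shallow: it resolves `%name%` substitutions and strips carets, which is enough to reassemble `p^o^w^e^r^s^h^e^l^l` or `%a%%b%%c%` into a searchable keyword, but it does not evaluate `%var:~n,m%` substring tricks or delayed expansion. A script that still reads as noise after this pass is itself a finding; the right move is to not run it and to hand it to someone with a sandbox.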
Link(s):
https://thehackernews.com/2025/03/obscurebat-malware-uses-fake-captcha.html