Stealth rootkit via CAPTCHAs

Security researchers have uncovered a sinister new threat lurking in the digital shadows. Dubbed OBSCURE#BAT by Securonix, this malware campaign is targeting users primarily in the US, Canada, Germany, and the UK through fake CAPTCHA verification pages.

It’s clever. Too clever. The attack begins when unsuspecting users land on typosquatted domains that serve fake Cloudflare CAPTCHA pages: they look legitimate but are malicious traps.

Once victims interact with these fake CAPTCHAs, they’re unknowingly downloading archives containing heavily obfuscated batch scripts. The initial payload seems innocuous, but it’s just the tip of the iceberg. PowerShell commands execute in the background, dropping additional scripts and modifying the Windows Registry. The whole operation is practically invisible to the average user.

What makes OBSCURE#BAT particularly nasty is its use of the open-source r77 rootkit. This isn’t amateur hour. The malware installs both kernel-level (“puma.ko”) and userland (“lib64/libs.so”) rootkit components that hide malicious files, processes, and registry entries from security tools. The campaign employs social engineering techniques to trick users into executing malicious batch scripts through clipboard manipulation.

It even registers a fake driver called “ACPIx86.sys” to blend in with legitimate system processes. Talk about wearing a disguise.

Persistence is the name of the game. The malware creates scheduled tasks, injects itself into critical system processes like winlogon.exe, and abuses Windows services to guarantee it sticks around after reboots. Good luck finding it without specialized tools.

While hiding in your system, OBSCURE#BAT monitors clipboard activity and command history, collecting valuable data before encrypting it and sending it to command-and-control servers. Like other recent attacks, it uses Cloudflare Tunnel connections to establish secure command-and-control infrastructure.

And it does this while actively interfering with security software’s ability to detect it. With keylogging capabilities similar to other infostealer trojans, it can silently capture every keystroke you make, including passwords and sensitive financial information.

Detection is complicated by the malware’s multi-stage infection chain and memory-resident components that avoid disk-based detection. Traditional antivirus? Pretty much useless.

The attackers have thought of everything, including patching the Antimalware Scan Interface to bypass detection. They’re not messing around, and neither should your security team.
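As an added defender-side example (not from the article or from Securonix), the following Python script correlates constructed Windows event records against the traits described above: the fake ACPIx86.sys driver service, a scheduled task that launches a batch loader, a PowerShell script block referencing AMSI, and injection into winlogon.exe. The event IDs, field names, host names and file paths in the sample are assumptions chosen for illustration.

```python
"""Triage constructed Windows event records for the OBSCURE#BAT traits the
article describes: a driver service named ACPIx86.sys, a scheduled task that
launches a batch/PowerShell loader, script blocks that touch AMSI, and code
injection into winlogon.exe. All sample events below are constructed."""
import json
import re
from collections import defaultdict

# Constructed JSON-lines events (System 7045, Security 4698, PowerShell 4104, Sysmon 8).
SAMPLE_EVENTS = r"""
{"Computer": "WS01", "EventID": 7045, "ServiceName": "ACPIx86", "ImagePath": "C:\\Windows\\System32\\drivers\\ACPIx86.sys"}
{"Computer": "WS01", "EventID": 4698, "TaskName": "\\Updater", "TaskContent": "<Command>cmd.exe</Command><Arguments>/c C:\\ProgramData\\x.bat</Arguments>"}
{"Computer": "WS01", "EventID": 4104, "ScriptBlockText": "$h = [Win32]::LoadLibrary('amsi.dll')"}
{"Computer": "WS01", "EventID": 8, "SourceImage": "C:\\ProgramData\\svc.exe", "TargetImage": "C:\\Windows\\System32\\winlogon.exe"}
{"Computer": "WS02", "EventID": 7045, "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}
{"Computer": "WS02", "EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Temp"}
{"Computer": "WS02", "EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe"}
"""

# Each rule: (name, required EventID, field to inspect, case-insensitive regex).
RULES = [
    ("fake_acpi_driver", 7045, "ImagePath", r"\\acpix86\.sys$"),
    ("task_runs_script_loader", 4698, "TaskContent", r"\.(bat|cmd|ps1)\b|powershell"),
    ("amsi_reference_in_script", 4104, "ScriptBlockText", r"\bamsi"),
    ("winlogon_injection", 8, "TargetImage", r"\\winlogon\.exe$"),
]

def triage(jsonl: str) -> dict[str, list[str]]:
    """Map each host to the ordered list of rule names its events triggered."""
    hits = defaultdict(list)
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        for name, event_id, field, pattern in RULES:
            if event.get("EventID") == event_id and re.search(pattern, event.get(field, ""), re.I):
                hits[event["Computer"]].append(name)
    return dict(hits)

def flag_hosts(hits: dict[str, list[str]], min_stages: int = 2) -> list[str]:
    """Hosts on which at least `min_stages` distinct stages of the chain were seen.
    One rule alone may be a false positive; several together point at the full chain."""
    return sorted(h for h, names in hits.items() if len(set(names)) >= min_stages)

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for host, names in found.items():
        print(host, "->", ", ".join(names))
    print("hosts to isolate:", flag_hosts(found))
```

On the constructed sample only WS01 trips multiple stages, which is the signal that separates a full OBSCURE#BAT-style chain from an isolated noisy event.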
