Battleroyal

Threat Actor updated 4 months ago (2024-05-04T20:19:46.049Z)
BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and, notably, a Windows SmartScreen vulnerability (CVE-2023-36025). The group exploited this vulnerability before its public disclosure by Microsoft, indicating advanced capabilities. BattleRoyal's operations surged around October, when DarkGate became one of the most frequently observed malware payloads, delivered by a small set of threat actors.

In a significant evolution, BattleRoyal transitioned from DarkGate to NetSupport, a well-established remote access tool, in late November to early December. This shift raises questions about the group's motivations and highlights the dynamic nature of cyber threats. Although NetSupport has existed for over half a decade, it recently became a popular choice among cybercriminals, including groups tracked as TA577 and TA571, due to its developer renting out the software on hacking forums.

Despite these changes, BattleRoyal has shown no signs of slowing down as the year-end approaches. About a month ago, the group's email campaigns swapped out DarkGate for NetSupport, demonstrating an ongoing commitment to evolving their methods. In addition, BattleRoyal appears to have exploited CVE-2023-36025 as a zero-day, prior to its disclosure and the subsequent public exploit. The two most common TDSs used by BattleRoyal are 404 TDS and the legitimate Keitaro TDS; these tools let the group ensure that targeted computers receive the payload while redirecting non-targets away from payload delivery.
Description last updated: 2024-05-04T20:13:09.797Z
Aliases: no aliases are currently tracked.
Miscellaneous Associations (other elements of context that could aid in the identification of relevance):
Vulnerability
Windows
Exploit
Proofpoint
Malware
Bot
Payload
Zero Day
Phishing
Associated Malware
DarkGate (Type: Unspecified; Votes: 4)
DarkGate is a malicious software (malware) designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Once embedded in a system, DarkGate can steal personal information, disrupt operations, or hold data for ransom. Recently, the malware was

NetSupport (Type: Unspecified; Votes: 3)
NetSupport is a malicious software (malware) that has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or
Associated Threat Actors
TA577 (Type: Unspecified; Votes: 2)
TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicall
Associated Vulnerabilities
CVE-2023-36025 (Type: Unspecified; Votes: 3)
CVE-2023-36025 is a significant vulnerability identified in the Windows SmartScreen security feature. It was one of three zero-day vulnerabilities discovered, with the others being CVE-2023-36033, a privilege escalation vulnerability in the Windows DWM Core Library, and CVE-2023-36036, another privi
Source Document References
Information about the Battleroyal Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source / Created / Title

InfoSecurity-magazine (8 months ago): Phemedrone Stealer Targets Windows Defender Flaw Despite Patch
CERT-EU (9 months ago): Cyber Security Week In Review: December 22, 2023
CERT-EU (8 months ago): BattleRoyal Cybercrime Group Spreads DarkGate Malware | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU (9 months ago): 'BattleRoyal' Hackers Deliver DarkGate RAT Using Every Trick | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
DARKReading (9 months ago): 'BattleRoyal' Hackers Deliver DarkGate RAT Using Every Trick
InfoSecurity-magazine (9 months ago): BattleRoyal Cluster Signals DarkGate Surge