Battleroyal

Threat Actor Profile Updated 3 months ago
BattleRoyal is a threat actor cluster observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography and, notably, a Windows SmartScreen vulnerability (CVE-2023-36025). The group exploited this vulnerability before Microsoft publicly disclosed it, indicating advanced capabilities.

BattleRoyal's operations surged around October, with the group emerging as one of a small set of threat actors behind one of the most frequently observed malware payloads of the period. In a significant evolution, BattleRoyal transitioned from DarkGate to NetSupport, a well-established remote access tool, in late November to early December. This shift raises questions about the group's motivations and highlights the dynamic nature of cyber threats. Although NetSupport has been around for over half a decade, it recently became a popular choice among cybercriminals, including the groups tracked as TA577 and TA571, because its developer rents the software out on hacking forums.

Despite these changes, BattleRoyal has shown no signs of slowing down as the year-end approaches. About a month ago, the group's email campaigns swapped DarkGate for NetSupport, demonstrating an ongoing commitment to evolving their methods. In addition, BattleRoyal appears to have exploited CVE-2023-36025 as a zero-day, prior to its disclosure and the subsequent public exploit. The two most common TDSs used by BattleRoyal are 404 TDS and the legitimate Keitaro TDS, tools that let the group ensure its targeted computers are compromised while redirecting non-targets away from payload delivery.
Miscellaneous Associations
Other elements of context that could aid in assessing relevance (tags): Exploit, Vulnerability, Windows, Proofpoint, Malware, Phishing, Bot, Zero Day, Payload, Cybercrime, Exploits, RAT, Trojan
Associated Malware
DarkGate (type: Unspecified; votes: 4): DarkGate is a malicious software (malware) that poses significant threats to computer systems and data. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hos

NetSupport (type: Unspecified; votes: 3): NetSupport is a malicious software (malware) that has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or
Associated Threat Actors
TA577 (type: Unspecified; votes: 2): TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicall
Associated Vulnerabilities
CVE-2023-36025 (type: Unspecified; votes: 3): CVE-2023-36025 is a significant vulnerability, representing a flaw in the design or implementation of Microsoft's Windows SmartScreen security feature. This vulnerability was discovered as one of three zero-days affecting Microsoft Windows and Server. The exploit begins with the execution of a malic
Source Document References
Information about the Battleroyal threat actor was read from the documents in the corpus below.
Source (created at): Title

InfoSecurity-magazine (6 months ago): Phemedrone Stealer Targets Windows Defender Flaw Despite Patch
CERT-EU (7 months ago): Cyber Security Week In Review: December 22, 2023
CERT-EU (7 months ago): BattleRoyal Cybercrime Group Spreads DarkGate Malware | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU (7 months ago): 'BattleRoyal' Hackers Deliver DarkGate RAT Using Every Trick | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
DARKReading (7 months ago): 'BattleRoyal' Hackers Deliver DarkGate RAT Using Every Trick
InfoSecurity-magazine (7 months ago): BattleRoyal Cluster Signals DarkGate Surge