Battleroyal

Threat Actor Profile Updated 24 days ago
BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and notably, a Windows SmartScreen vulnerability (CVE-2023-36025). The group exploited this vulnerability before its public disclosure by Microsoft, indicating advanced capabilities.

BattleRoyal's operations saw a surge around October, with DarkGate emerging as one of the most frequently observed malware payloads delivered by a small set of threat actors. In a significant evolution, BattleRoyal transitioned from DarkGate to NetSupport, a well-established remote access tool, in late November to early December. This shift raises questions about the group's motivations and highlights the dynamic nature of cyber threats. Although NetSupport has been around for over half a decade, it recently became a popular choice among cybercriminals, including groups tracked as TA577 and TA571, because its developer rents the software out on hacking forums.

Despite these changes, BattleRoyal has shown no signs of slowing down as the year-end approaches. About a month ago, the group's email campaigns swapped out DarkGate for NetSupport, demonstrating an ongoing commitment to evolving its methods. In addition, BattleRoyal appears to have exploited CVE-2023-36025 as a zero-day, prior to its disclosure and the subsequent public exploit. The two most common TDSs used by BattleRoyal are 404 TDS and the legitimate Keitaro TDS, tools that let the group ensure targeted computers are compromised while redirecting non-targets away from payload delivery.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Proofpoint
Vulnerability
Windows
Exploit
Malware
Bot
Payload
Zero Day
Phishing
Associated Malware
ID | Type | Votes | Profile Description

DarkGate | Unspecified | 3
DarkGate is a form of malware that has been causing significant issues in recent times. This malicious software, designed to exploit and damage computer systems, infiltrates devices through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal inf

NetSupport | Unspecified | 3
NetSupport is a legitimate remote software company whose tool, NetSupport Manager, has been co-opted for malicious purposes and transformed into the NetSupport Remote Access Trojan (RAT). This malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's
Associated Threat Actors
ID | Type | Votes | Profile Description

TA577 | Unspecified | 2
TA577, a recognized threat actor in the cybersecurity industry, has been associated with various malicious activities and malware campaigns. Known for its affiliation with Qbot, TA577 has also been linked to other malware like IcedID and PikaBot. On October 16, 2023, an IcedID (Bokbot) infection was
Associated Vulnerabilities
ID | Type | Votes | Profile Description

CVE-2023-36025 | Unspecified | 3
CVE-2023-36025 is a significant vulnerability, representing a flaw in the design or implementation of Microsoft's Windows SmartScreen security feature. This vulnerability was discovered as one of three zero-days affecting Microsoft Windows and Server. The exploit begins with the execution of a malic
Source Document References
Information about the BattleRoyal threat actor was read from the documents corpus below. This display is limited to 20 results.

Source | Created At | Title

DARKReading | 5 months ago | 'BattleRoyal' Hackers Deliver DarkGate RAT Using Every Trick
CERT-EU | 5 months ago | 'BattleRoyal' Hackers Deliver DarkGate RAT Using Every Trick | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
InfoSecurity-magazine | 5 months ago | BattleRoyal Cluster Signals DarkGate Surge
CERT-EU | 5 months ago | BattleRoyal Cybercrime Group Spreads DarkGate Malware | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 5 months ago | Cyber Security Week In Review: December 22, 2023
InfoSecurity-magazine | 4 months ago | Phemedrone Stealer Targets Windows Defender Flaw Despite Patch