BattleRoyal Hackers Deliver DarkGate RAT Using Every Trick

Published: 23/11/2024   Category: security


The shadowy threat actor uses some nifty tricks to drop popular malware on targets that meet its specifications.



This fall, an unidentified threat actor executed dozens of varied social engineering campaigns against American and Canadian organizations across a variety of industries, with the goal of infecting them with the multifaceted DarkGate malware.
In a blog post this week, researchers from Proofpoint were unable to definitively say whether the perpetrator it's calling BattleRoyal is a totally new actor or related to any existing one. Perhaps part of the trouble has to do with the sheer variety of tactics, techniques, and procedures (TTPs) it uses.
To deliver DarkGate, and more recently the NetSupport remote control software, BattleRoyal uses phishing emails en masse, as well as fake browser updates, taking advantage of traffic distribution systems (TDSs), malicious VBScript, steganography, and a Windows Defender vulnerability along the way. To date, though, none of these tactics have led to any known successful exploitations.
Sometimes, BattleRoyal does its social engineering via fake browser updates. Researchers first observed this activity, tracked as RogueRaticate, in mid-October. In these cases, the attacker injects requests into domains it secretly controls, using cascading style sheets (CSS) steganography to conceal its malicious code. The code filters traffic and then redirects targeted browser users to the fake update.
However, BattleRoyal is most fond of traditional email phishing. Between September and November, it was responsible for at least 20 such campaigns representing tens of thousands of emails in all.
They typically begin with a rather garden-variety message.
The links contained in the body might make use of multiple TDSs, a common tool for today's cybercriminals.
Proofpoint regularly sees TDSs used by threat actors in attack chains, specifically cybercrime campaigns, says Selena Larson, senior threat intelligence analyst at Proofpoint. Threat actors use them to ensure the computers they want to be compromised are, and anything that doesn’t meet their standards such as a bot, possible researcher, etc., will be redirected away from payload delivery. The two most common TDSs these days, she adds, are the same ones used by BattleRoyal: 404 TDS, and the legitimate Keitaro TDS.
The TDSs redirect users to a URL file that takes advantage of CVE-2023-36025, an 8.8 critical bypass vulnerability that undermines Microsoft Defender SmartScreen; ironically, SmartScreen is a security feature of Windows designed to prevent users from ending up on phishing sites.
BattleRoyal appears to have been exploiting CVE-2023-36025 as a zero-day, prior to its disclosure last month (and subsequent public exploit).
When double-clicked, the malicious URL files bypass Windows defenses and download malicious VBScript that executes a series of shell commands. And it's at the end of this chain where DarkGate lies.
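The chain above starts with a Windows Internet Shortcut (.url) file, which is a small INI-style text file whose URL= field tells Windows what to open. A defender triaging an email attachment or a file a browser just dropped can parse that field and flag shortcuts whose target is not an ordinary http(s) web page, for example a file:// or UNC path that would pull content from a remote share, or a target that ends in a script extension like the VBScript the article describes. The following is an added example written for this page, not code from Proofpoint or from the article; the parser, the flagging rules and the two sample shortcuts are all constructed for illustration, and the 203.0.113.0/24 address is a documentation range.

```python
"""Triage helper for Windows Internet Shortcut (.url) files (hypothetical, not the article's code).

Reads the [InternetShortcut] section and returns human-readable reasons a
shortcut deserves a closer look.  An empty list means nothing was flagged.
"""
import re
from typing import Dict, List

# Ordinary shortcuts point at web pages; anything else is worth a second look.
WEB_SCHEMES = ("http://", "https://")

# Target paths ending in these extensions are scripts/executables, not pages.
SCRIPT_EXT = re.compile(r"\.(exe|vbs|vbe|js|jse|hta|cmd|bat|ps1|lnk|msi)(\?|#|$)")


def parse_url_file(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [InternetShortcut] section, keys lower-cased."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def classify(text: str) -> List[str]:
    """Return the reasons a .url file looks suspicious (empty list if none)."""
    fields = parse_url_file(text)
    reasons: List[str] = []
    target = fields.get("url", "")
    if not target:
        return ["no URL= target in [InternetShortcut] section"]
    lower = target.lower()
    if lower.startswith(("file:", "\\\\", "//")):
        # file:// and UNC targets reach outside the browser, typically to a share.
        reasons.append(f"target is a file/share path rather than a web URL: {target}")
    elif not lower.startswith(WEB_SCHEMES):
        reasons.append(f"unexpected scheme in target: {target}")
    if SCRIPT_EXT.search(lower):
        reasons.append("target ends in a script or executable extension")
    return reasons


# Constructed sample inputs (not real artifacts from the campaign).
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/docs/policy\r\n"
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10/share/invoice.vbs\r\n"   # documentation IP, constructed
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, "->", classify(sample) or "nothing flagged")
```

The check is deliberately conservative: a shortcut is only ever flagged, never blocked, so it suits a mail-gateway or EDR enrichment step where an analyst reviews the reasons. Keys are compared case-insensitively because Windows writes them with mixed case and attackers need not follow that convention.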
DarkGate is a combination loader-cryptominer-remote access Trojan (RAT). Although it's been around for over half a decade, Larson explains, it recently emerged around October as one of the most frequently observed malware payloads by a small set of threat actors. The recent spike in activity is likely due to the developer renting out the malware to a small number of affiliates, which they advertised on cybercriminal hacking forums. Besides BattleRoyal, Proofpoint has observed groups it tracks as TA577 and TA571 using it as well.
About a month ago, BattleRoyal's email campaigns swapped out DarkGate for NetSupport, a legitimate remote access tool that's made the cybercriminal rounds for some years now.
It remains to be seen whether the reason for the payload switch is the spike in DarkGate's popularity and the subsequent attention paid to the malware by threat researchers and the security community (which can lead to a reduction in efficacy), Larson says, or simply a temporary change to a different payload.
