OSINT - BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates
The BattleRoyal and DarkGate malware cluster propagates primarily through phishing emails and fake browser update prompts, aiming to install malicious payloads on victim systems. This threat leverages social engineering to trick users into executing harmful code, leading to potential network compromise and data exfiltration. Although no patches are currently available and no known exploits in the wild have been reported, the medium severity rating reflects the risk posed by user interaction and the stealthy nature of the malware. European organizations, especially those with high email exposure and reliance on browser-based workflows, are at risk. The threat is particularly concerning for sectors with sensitive data and critical infrastructure. Mitigation requires targeted user awareness campaigns, enhanced email filtering, and strict endpoint controls to detect and block suspicious activities. Countries with significant digital economies and strategic infrastructure, such as Germany, France, the UK, and the Netherlands, are likely to be most affected. Given the lack of automated exploitation and the need for user interaction, the suggested severity is medium. Defenders should prioritize detection of phishing attempts and fake update mechanisms to reduce infection likelihood.
AI Analysis
Technical Summary
The BattleRoyal and DarkGate cluster represents a set of malware campaigns that spread through social engineering vectors, specifically phishing emails and fraudulent browser update notifications. These tactics aim to deceive users into downloading and executing malicious payloads, which then establish footholds within target networks. The campaign is characterized by its use of OSINT (Open Source Intelligence) techniques to tailor attacks and increase success rates. The malware payloads focus on network activity manipulation and persistent installation, allowing attackers to maintain long-term access and potentially exfiltrate sensitive information. Rather than exploiting a patchable, CVE-tracked software vulnerability, the threat relies on human factors and deception. No known active exploits have been documented in the wild, but the medium threat level indicates a credible risk, especially in environments with less mature security awareness or controls. Because no CVSS score applies, severity is assessed from impact potential and exploitation complexity; here it is medium, since infection requires user interaction and there is no automated exploitation. The threat is relevant to organizations that rely heavily on email communications and browser-based workflows, as these are the primary infection vectors. The campaign's persistence and network activity components suggest that once infected, systems could be used for lateral movement or data theft, posing significant operational risks.
Potential Impact
For European organizations, the BattleRoyal and DarkGate cluster could lead to unauthorized access, data breaches, and disruption of business operations. The reliance on phishing and fake updates means that sectors with high email traffic and extensive browser use, such as finance, healthcare, and government, are particularly vulnerable. Compromise could result in loss of confidentiality due to data exfiltration, integrity issues if malware alters system or network configurations, and availability impacts if systems are disrupted or used as part of larger botnets. The absence of patches means organizations must rely on detection and prevention controls rather than remediation of software flaws. The threat could also undermine trust in digital communications and browser update mechanisms, complicating user behavior and security policies. Given the strategic importance of European digital infrastructure and the high value of data processed, successful infections could have cascading effects on national security and economic stability. The medium severity reflects a balance between the need for user interaction and the potential for significant operational impact if infections occur.
Mitigation Recommendations
To mitigate this threat, European organizations should implement targeted user awareness training focused on recognizing phishing emails and suspicious browser update prompts. Email security solutions should be enhanced with advanced filtering, sandboxing, and URL reputation checks to block malicious messages before reaching users. Endpoint detection and response (EDR) tools should be configured to identify unusual network activity and unauthorized payload installations. Organizations should enforce strict application whitelisting and restrict execution of untrusted software, particularly from email attachments or downloads triggered by browser prompts. Multi-factor authentication (MFA) can reduce the impact of credential theft resulting from phishing. Regular monitoring of network traffic for anomalies and use of threat intelligence feeds to update detection rules for BattleRoyal and DarkGate indicators are recommended. Incident response plans should include procedures for rapid containment and eradication of infections. Since no patches are available, proactive defense and rapid detection are critical. Collaboration with national cybersecurity centers and sharing of threat intelligence within industry sectors can improve collective resilience.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Indicators of Compromise
- vulnerability: CVE-2023-36025
- link: https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
- text: Throughout the summer and fall of 2023, DarkGate entered the ring competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via many methods such as email, Microsoft Teams, Skype, malvertising and fake updates. Proofpoint researchers are tracking a particularly interesting operator of the DarkGate malware. At the time of publication, researchers are not attributing this cluster of activity to a known threat actor and are temporarily calling it BattleRoyal. Between September and November 2023, at least 20 email campaigns used DarkGate malware with GroupIDs “PLEX”, “ADS5”, “user_871236672” and “usr_871663321”. The GroupID is a configuration setting that is also referred to as username, botnet, campaign, or flag 23. The campaigns are notable for:
- vulnerability: CVE-2023-36025
- text: Windows SmartScreen Security Feature Bypass Vulnerability
- datetime: 2023-11-21T01:33:00+00:00
- float: 8.8
- text: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- datetime: 2023-11-14T18:15:00+00:00
- text: Published
- link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025
Technical Details
- Threat Level: 2
- Analysis: 0
- Uuid: f0ef984c-2467-40aa-83c6-7c671a6379cb
- Original Timestamp: 1703240722
Threat ID: 682acdbebbaf20d303f0ee50
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 12/24/2025, 6:14:56 AM
Last updated: 1/18/2026, 2:37:21 AM