OSINT - BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates
BattleRoyal is the temporary name Proofpoint gave an unattributed operator of the DarkGate remote access trojan and loader. Between September and November 2023 the cluster ran at least 20 email campaigns and also delivered DarkGate through fake browser update prompts. Both vectors are social engineering: no credentials are needed, but a user has to open the lure and run what it delivers. The indicators attached to this report tie the cluster to CVE-2023-36025, a Windows SmartScreen security feature bypass (CVSS 3.1 base score 8.8) triggered through crafted internet shortcut (.url) files, and several of the listed URLs serve exactly that file type. Microsoft has published a fix for the CVE, so patching removes the bypass but not the social engineering stage. A successful infection gives the operator remote access, with follow-on risk of data theft and lateral movement. European organizations with high email exposure, especially in Germany, France and the UK, face elevated risk. Mitigation combines patching CVE-2023-36025, email and web filtering for the listed indicators, user awareness training, and endpoint and network monitoring. Severity is assessed as medium: infection still depends on user action, but the payload is a full remote access trojan.
AI Analysis
Technical Summary
BattleRoyal delivers DarkGate, a remote access trojan and loader that Proofpoint saw in use by multiple cybercrime actors during 2023, spread via email, Microsoft Teams, Skype, malvertising and fake updates. This particular cluster is defined by the DarkGate GroupID values "PLEX", "ADS5", "user_871236672" and "usr_871663321", observed across at least 20 email campaigns between September and November 2023, together with fake browser update prompts shown in the victim's browser. Initial access is social engineering in both cases: the victim is persuaded to open a link or attachment, or to install a supposed browser update, and the payload runs in that user's context. The indicators on this page sketch the delivery chain: internet shortcut files (12.url and pr-nv28-2023.url, the latter served from a WordPress uploads path), a VBScript (bye.vbs) and an executable (evervendor.exe) fetched over plain HTTP from 5.181.159.29 and 79.110.62.96, and URLs on searcherbigdealk.com over the non-standard TCP port 2351 that are consistent with DarkGate command and control. The internet shortcuts matter because the report associates the cluster with CVE-2023-36025, a Windows SmartScreen security feature bypass (CVSS 3.1 base score 8.8, published 2023-11-14, reported as exploited in the wild at disclosure and fixed by Microsoft) in which a crafted .url file evades the SmartScreen checks and prompts that would normally warn the user before downloaded content runs. The chain therefore still needs user interaction, but on an unpatched host it does not need the user to click through a security warning. Once DarkGate is running it gives the operator remote access to the host and can stage further tooling, credential theft and lateral movement. Defense has two halves: patch CVE-2023-36025 so SmartScreen warns as intended, and treat email, web proxy, DNS and endpoint telemetry as the primary detection surface for the social engineering stage.
Potential Impact
For European organizations the impact can be significant, particularly in sectors that run on email and browser-based workflows. A successful infection hands the operator an interactive foothold inside the network, from which data theft, credential harvesting and lateral movement follow; DarkGate is a loader as well as a RAT, so additional payloads can be staged later. Organizations in Germany, France and the UK are called out because their digital infrastructure is large and phishing incident rates remain high. Compromise of personal data carries GDPR exposure on top of operational disruption, reputational damage and direct financial loss. Because initial access goes through a user rather than an exposed service, perimeter controls alone do not stop it, and because CVE-2023-36025 only removes a warning the user would otherwise see, patching narrows the vector without closing it. Detection and response capacity therefore carries most of the load. The medium severity reflects a moderate but tangible risk that needs proactive defense to prevent infection and limit damage.
Mitigation Recommendations
Patch first: apply Microsoft's fix for CVE-2023-36025 (see the MSRC link under Indicators of Compromise) across the Windows versions listed in the CPE entries, so that SmartScreen warnings are not suppressed by a crafted internet shortcut. Then reduce the delivery surface: configure email filtering to quarantine or strip internet shortcut (.url) and script (.vbs) attachments and to detonate or block links to such files, and block the listed URLs, domains and IP addresses at the web proxy and DNS layer. Egress filtering should deny direct-to-IP HTTP downloads and outbound connections on unusual ports such as TCP 2351 unless a business need is documented. User awareness training should specifically cover fake browser update prompts: browsers update themselves, and an in-page prompt asking the user to download an installer is a lure. Prefer centralized, automated update management so users never need to act on such prompts. On the endpoint, EDR or application control should alert on or block script hosts and freshly downloaded executables launched from a user's Downloads or temp folders, and on processes spawned from internet shortcut files. Network monitoring should watch for the listed indicators and for anomalous outbound connections, privilege escalation and lateral movement following a suspicious download. Update incident response playbooks for social engineering-led intrusions, run regular phishing simulations, and share indicators with national cybersecurity centers and sector ISACs.
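The indicators listed under Indicators of Compromise can be matched against proxy, DNS and endpoint file telemetry with a short script. The following is an added example written for this page, not code from Proofpoint or from this site: it embeds the report's IPs, domains, URLs, SHA-256 hashes and the non-standard port 2351 from the searcherbigdealk.com URLs, adds a heuristic for internet shortcut (.url), VBScript and executable downloads from any host (the lure file types in the listed URLs, the first being the format tied to CVE-2023-36025), and runs it over constructed log lines. The tab-separated timestamp/type/source/value record layout and the sample lines are assumptions, not any product's export format.

```python
"""Match this report's BattleRoyal/DarkGate indicators against proxy, DNS and file logs.
Added example for this page, not Proofpoint or OffSeq code; the log lines and the
tab-separated "timestamp type src value" layout are constructed for illustration."""
from urllib.parse import urlsplit

# Indicators copied from the Indicators of Compromise section of this report.
IOC_IPS = {"5.181.159.29", "79.110.62.96"}
IOC_DOMAINS = {"heilee.com", "kairoscounselingmi.com", "nathumvida.org",
               "searcherbigdealk.com", "zxcdota2huysasi.com"}
IOC_URLS = {
    "http://5.181.159.29:80/Downloads/12.url",
    "http://5.181.159.29:80/Downloads/evervendor.zip/evervendor.exe",
    "http://79.110.62.96:80/Downloads/bye.zip/bye.vbs",
    "http://searcherbigdealk.com:2351/msizjbicvmd",
    "http://searcherbigdealk.com:2351/zjbicvmd",
    "https://heilee.com/qxz3l",
    "https://kairoscounselingmi.com/wp-content/uploads/astra/help/pr-nv28-2023.url",
}
IOC_SHA256 = {
    "fce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4",
    "ea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde744e08188f",
    "e2a8a53e117f1dda2c09e5b83a13c99b848873a75b14d20823318840e84de243",
    "96ca146b6bb95de35f61289c2725f979a2957ce54761aff5f37726a85f2f9e77",
    "7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e7015ae49561f0f",
    "2f5af97b13b077a00218c60305b4eee5d88d14a9bd042beed286434c3fc6e084",
}
IOC_PORTS = {2351}  # non-standard port on the searcherbigdealk.com URLs
# File types the listed payload URLs deliver. A .url internet shortcut pulled from
# the web is the lure format this report ties to CVE-2023-36025, so it is flagged
# as a heuristic even when the host is not a published indicator.
PAYLOAD_EXTENSIONS = (".url", ".vbs", ".exe")


def host_matches(host: str) -> bool:
    """True if host is an IOC IP, an IOC domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    return host in IOC_IPS or any(
        host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify_url(url: str) -> list:
    """Reasons a URL is suspicious: 'ioc-*' = published indicator,
    'heuristic-*' = payload-type rule. Empty list means clean."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if url in IOC_URLS:
        reasons.append("ioc-url")
    if host_matches(host):
        reasons.append(f"ioc-host:{host}")
    if parts.port in IOC_PORTS:
        reasons.append(f"ioc-port:{parts.port}")
    if parts.path.lower().endswith(PAYLOAD_EXTENSIONS):
        reasons.append(f"heuristic-download:{parts.path.rsplit('/', 1)[-1]}")
    return reasons


def scan_logs(lines) -> list:
    """Scan tab-separated records (timestamp, type, src, value).
    Returns (line_no, src, reasons) tuples for every record that matched."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # malformed record; a real pipeline would count these
        _ts, kind, src, value = fields
        reasons = []
        if kind == "proxy":
            reasons = classify_url(value)
        elif kind == "dns" and host_matches(value):
            reasons = [f"ioc-host:{value}"]
        elif kind == "file" and value.lower() in IOC_SHA256:
            reasons = ["ioc-sha256"]
        if reasons:
            hits.append((line_no, src, reasons))
    return hits


def triage(hits) -> dict:
    """Per source: 'confirmed' if any hit matched a published IOC, else 'heuristic'."""
    level = {}
    for _line_no, src, reasons in hits:
        confirmed = any(r.startswith("ioc-") for r in reasons)
        if confirmed or src not in level:
            level[src] = "confirmed" if confirmed else "heuristic"
    return level


# Constructed log lines: 10.0.4.17 walks the chain in the report, 10.0.4.22 is
# benign traffic, 10.0.4.31 pulls a .url shortcut from an unlisted host.
SAMPLE_LOGS = """\
2023-11-28T09:12:01Z\tproxy\t10.0.4.17\thttps://kairoscounselingmi.com/wp-content/uploads/astra/help/pr-nv28-2023.url
2023-11-28T09:12:03Z\tproxy\t10.0.4.17\thttp://5.181.159.29:80/Downloads/evervendor.zip/evervendor.exe
2023-11-28T09:12:05Z\tdns\t10.0.4.17\tsearcherbigdealk.com
2023-11-28T09:12:06Z\tproxy\t10.0.4.17\thttp://searcherbigdealk.com:2351/zjbicvmd
2023-11-28T09:13:00Z\tfile\t10.0.4.17\tfce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4
2023-11-28T09:14:00Z\tproxy\t10.0.4.22\thttps://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
2023-11-28T09:15:00Z\tdns\t10.0.4.22\tupdate.example.net
2023-11-28T09:16:00Z\tproxy\t10.0.4.31\thttp://cdn.example.net/files/invoice.url
"""

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS.splitlines())
    for line_no, src, reasons in found:
        print(f"line {line_no} src {src}: {', '.join(reasons)}")
    print(triage(found))
```

Run as-is it scores the constructed sample: 10.0.4.17 is confirmed on the exact URLs, the DNS lookup, port 2351 and the file hash, while 10.0.4.31 is only a heuristic hit. In practice replace SAMPLE_LOGS with exports from the proxy, resolver and EDR, and keep the heuristic rule separate from the exact matches when tuning, because it will also fire on legitimate installer downloads.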
Affected Countries
Germany, France, United Kingdom
Indicators of Compromise
- vulnerability: CVE-2023-36025
- ip: 5.181.159.29
- ip: 79.110.62.96
- domain: heilee.com
- domain: kairoscounselingmi.com
- domain: nathumvida.org
- domain: searcherbigdealk.com
- domain: zxcdota2huysasi.com
- link: https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
- text: Throughout the summer and fall of 2023, DarkGate entered the ring competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via many methods such as email, Microsoft Teams, Skype, malvertising and fake updates. Proofpoint researchers are tracking a particularly interesting operator of the DarkGate malware. At the time of publication, researchers are not attributing this cluster of activity to a known threat actor and are temporarily calling it BattleRoyal. Between September and November 2023, at least 20 email campaigns used DarkGate malware with GroupIDs “PLEX”, “ADS5”, “user_871236672” and “usr_871663321”. The GroupID is a configuration setting that is also referred to as username, botnet, campaign, or flag 23. The campaigns are notable for:
- vulnerability: CVE-2023-36025, Windows SmartScreen Security Feature Bypass Vulnerability
- cvss: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- published: 2023-11-14T18:15:00+00:00
- datetime: 2023-11-21T01:33:00+00:00
- cpe: cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe: cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
- cpe: cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe: cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
- cpe: cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
- cpe: cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
- cpe: cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:arm64:*
- cpe: cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x86:*
- cpe: cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:arm64:*
- cpe: cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:arm64:*
- cpe: cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x86:*
- cpe: cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x86:*
- cpe: cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:*
- cpe: cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:arm64:*
- cpe: cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:arm64:*
- cpe: cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x86:*
- cpe: cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:arm64:*
- cpe: cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:x64:*
- link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025
- hash: fce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4
- hash: ea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde744e08188f
- hash: e2a8a53e117f1dda2c09e5b83a13c99b848873a75b14d20823318840e84de243
- hash: 96ca146b6bb95de35f61289c2725f979a2957ce54761aff5f37726a85f2f9e77
- hash: 7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e7015ae49561f0f
- hash: 2f5af97b13b077a00218c60305b4eee5d88d14a9bd042beed286434c3fc6e084
- url: http://5.181.159.29:80/Downloads/12.url
- url: http://5.181.159.29:80/Downloads/evervendor.zip/evervendor.exe
- url: http://79.110.62.96:80/Downloads/bye.zip/bye.vbs
- url: http://searcherbigdealk.com:2351/msizjbicvmd
- url: http://searcherbigdealk.com:2351/zjbicvmd
- url: https://heilee.com/qxz3l
- url: https://kairoscounselingmi.com/wp-content/uploads/astra/help/pr-nv28-2023.url
- port: 80 (5.181.159.29, 79.110.62.96)
- port: 2351 (searcherbigdealk.com)
Technical Details
- Threat Level: 2
- Analysis: 0
- Uuid: f0ef984c-2467-40aa-83c6-7c671a6379cb
- Original Timestamp: 1703240722 (2023-12-22T10:25:22Z)
Threat ID: 682acdbebbaf20d303f0ee50
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 10/28/2025, 7:20:01 PM
Last updated: 11/27/2025, 9:26:10 PM