OSINT - BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates
OSINT - BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates
AI Analysis
Technical Summary
The threat identified as CVE-2023-36025 involves the BattleRoyal and DarkGate malware cluster spreading through social engineering techniques, specifically via email campaigns and fake browser update prompts. These campaigns leverage OSINT (Open Source Intelligence) to target victims, delivering payloads that install malicious software on compromised systems. The infection vector primarily relies on tricking users into executing malicious attachments or clicking on links disguised as legitimate browser updates, which then deploy the malware payload. Once installed, the malware can perform a variety of malicious activities, including data exfiltration, network reconnaissance, and potentially establishing persistent access within the victim's environment. The lack of available patches and absence of known exploits in the wild suggest this is a relatively new or emerging threat, with medium severity as assessed by the source. The threat is categorized under payload installation and network activity, indicating its capability to affect system integrity and network security. The technical details provided are minimal, with no specific affected software versions or detailed exploitation techniques disclosed, but the use of OSINT implies targeted attacks based on publicly available information about potential victims.
Potential Impact
For European organizations, this threat poses a significant risk primarily through social engineering vectors that exploit user trust and awareness. The medium severity rating reflects a moderate potential for disruption, but the actual impact could escalate if the malware gains persistence or spreads laterally within networks. Confidentiality could be compromised through data theft, while integrity and availability might be affected if the malware modifies or disrupts system operations. Given the reliance on email and fake browser updates, organizations with large numbers of end users or those with less mature security awareness programs are particularly vulnerable. Additionally, sectors with high-value data or critical infrastructure could face targeted attacks, leading to operational disruptions or reputational damage. The absence of patches means organizations must rely on detection and prevention controls rather than remediation through software updates.
Mitigation Recommendations
European organizations should implement targeted user awareness training focusing on recognizing phishing emails and suspicious update prompts, emphasizing verification of browser updates through official channels only. Email filtering solutions should be enhanced to detect and quarantine messages containing malicious attachments or links associated with this threat cluster. Network monitoring should be configured to identify unusual outbound connections indicative of malware communication. Endpoint detection and response (EDR) tools should be deployed and tuned to detect behaviors consistent with BattleRoyal and DarkGate malware activity. Organizations should enforce strict application whitelisting and restrict execution of unauthorized software. Multi-factor authentication (MFA) should be applied to limit the impact of credential theft. Since no patches are available, proactive threat hunting and incident response readiness are critical to quickly identify and contain infections. Collaboration with threat intelligence sharing groups can provide early warnings and indicators of compromise related to this threat.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Indicators of Compromise
- vulnerability: CVE-2023-36025
- ip: 5.181.159.29
- ip: 79.110.62.96
- domain: heilee.com
- domain: kairoscounselingmi.com
- domain: nathumvida.org
- domain: searcherbigdealk.com
- domain: zxcdota2huysasi.com
- link: https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
- text: Throughout the summer and fall of 2023, DarkGate entered the ring competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via many methods such as email, Microsoft Teams, Skype, malvertising and fake updates. Proofpoint researchers are tracking a particularly interesting operator of the DarkGate malware. At the time of publication, researchers are not attributing this cluster of activity to a known threat actor and are temporarily calling it BattleRoyal. Between September and November 2023, at least 20 email campaigns used DarkGate malware with GroupIDs “PLEX”, “ADS5”, “user_871236672” and “usr_871663321”. The GroupID is a configuration setting that is also referred to as username, botnet, campaign, or flag 23. The campaigns are notable for:
- text: BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates
- text: Blog
- vulnerability: CVE-2023-36025
- text: Windows SmartScreen Security Feature Bypass Vulnerability
- datetime: 2023-11-21T01:33:00+00:00
- float: 8.8
- text: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- datetime: 2023-11-14T18:15:00+00:00
- text: Published
- cpe: cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe: cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
- cpe: cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe: cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
- cpe: cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
- cpe: cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
- cpe: cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:arm64:*
- cpe: cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x86:*
- cpe: cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:arm64:*
- cpe: cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:arm64:*
- cpe: cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x86:*
- cpe: cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x86:*
- cpe: cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:*
- cpe: cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:arm64:*
- cpe: cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:arm64:*
- cpe: cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*
- cpe: cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x86:*
- cpe: cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:arm64:*
- cpe: cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:x64:*
- link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025
- hash: fce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4
- hash: ea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde744e08188f
- hash: e2a8a53e117f1dda2c09e5b83a13c99b848873a75b14d20823318840e84de243
- hash: 96ca146b6bb95de35f61289c2725f979a2957ce54761aff5f37726a85f2f9e77
- hash: 7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e7015ae49561f0f
- hash: 2f5af97b13b077a00218c60305b4eee5d88d14a9bd042beed286434c3fc6e084
- url: http://5.181.159.29:80/Downloads/12.url
- text: /Downloads/12.url
- port: 80
- domain: 5.181.159.29
- text: 5.181.159.29
- domain: 5.181.159.29
- url: http://5.181.159.29:80/Downloads/evervendor.zip/evervendor.exe
- text: /Downloads/evervendor.zip/evervendor.exe
- port: 80
- domain: 5.181.159.29
- text: 5.181.159.29
- domain: 5.181.159.29
- url: http://79.110.62.96:80/Downloads/bye.zip/bye.vbs
- text: /Downloads/bye.zip/bye.vbs
- port: 80
- domain: 79.110.62.96
- text: 79.110.62.96
- domain: 79.110.62.96
- url: http://searcherbigdealk.com:2351/msizjbicvmd
- text: com
- text: /msizjbicvmd
- port: 2351
- domain: searcherbigdealk.com
- text: searcherbigdealk
- domain: searcherbigdealk.com
- url: http://searcherbigdealk.com:2351/zjbicvmd
- text: com
- text: /zjbicvmd
- port: 2351
- domain: searcherbigdealk.com
- text: searcherbigdealk
- domain: searcherbigdealk.com
- url: https://heilee.com/qxz3l
- text: com
- text: /qxz3l
- domain: heilee.com
- text: heilee
- domain: heilee.com
- url: https://kairoscounselingmi.com/wp-content/uploads/astra/help/pr-nv28-2023.url
- text: com
- text: /wp-content/uploads/astra/help/pr-nv28-2023.url
- domain: kairoscounselingmi.com
- text: kairoscounselingmi
- domain: kairoscounselingmi.com
OSINT - BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates
Description
OSINT - BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates
AI-Powered Analysis
Technical Analysis
The threat identified as CVE-2023-36025 involves the BattleRoyal and DarkGate malware cluster spreading through social engineering techniques, specifically via email campaigns and fake browser update prompts. These campaigns leverage OSINT (Open Source Intelligence) to target victims, delivering payloads that install malicious software on compromised systems. The infection vector primarily relies on tricking users into executing malicious attachments or clicking on links disguised as legitimate browser updates, which then deploy the malware payload. Once installed, the malware can perform a variety of malicious activities, including data exfiltration, network reconnaissance, and potentially establishing persistent access within the victim's environment. The lack of available patches and absence of known exploits in the wild suggest this is a relatively new or emerging threat, with medium severity as assessed by the source. The threat is categorized under payload installation and network activity, indicating its capability to affect system integrity and network security. The technical details provided are minimal, with no specific affected software versions or detailed exploitation techniques disclosed, but the use of OSINT implies targeted attacks based on publicly available information about potential victims.
Potential Impact
For European organizations, this threat poses a significant risk primarily through social engineering vectors that exploit user trust and awareness. The medium severity rating reflects a moderate potential for disruption, but the actual impact could escalate if the malware gains persistence or spreads laterally within networks. Confidentiality could be compromised through data theft, while integrity and availability might be affected if the malware modifies or disrupts system operations. Given the reliance on email and fake browser updates, organizations with large numbers of end users or those with less mature security awareness programs are particularly vulnerable. Additionally, sectors with high-value data or critical infrastructure could face targeted attacks, leading to operational disruptions or reputational damage. The absence of patches means organizations must rely on detection and prevention controls rather than remediation through software updates.
Mitigation Recommendations
European organizations should implement targeted user awareness training focusing on recognizing phishing emails and suspicious update prompts, emphasizing verification of browser updates through official channels only. Email filtering solutions should be enhanced to detect and quarantine messages containing malicious attachments or links associated with this threat cluster. Network monitoring should be configured to identify unusual outbound connections indicative of malware communication. Endpoint detection and response (EDR) tools should be deployed and tuned to detect behaviors consistent with BattleRoyal and DarkGate malware activity. Organizations should enforce strict application whitelisting and restrict execution of unauthorized software. Multi-factor authentication (MFA) should be applied to limit the impact of credential theft. Since no patches are available, proactive threat hunting and incident response readiness are critical to quickly identify and contain infections. Collaboration with threat intelligence sharing groups can provide early warnings and indicators of compromise related to this threat.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 0
- Uuid
- f0ef984c-2467-40aa-83c6-7c671a6379cb
- Original Timestamp
- 1703240722
Indicators of Compromise
Vulnerability
| Value | Description | Copy |
|---|---|---|
vulnerabilityCVE-2023-36025 | — | |
vulnerabilityCVE-2023-36025 | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip5.181.159.29 | — | |
ip79.110.62.96 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainheilee.com | — | |
domainkairoscounselingmi.com | — | |
domainnathumvida.org | — | |
domainsearcherbigdealk.com | — | |
domainzxcdota2huysasi.com | — | |
domain5.181.159.29 | — | |
domain5.181.159.29 | — | |
domain5.181.159.29 | — | |
domain5.181.159.29 | — | |
domain79.110.62.96 | — | |
domain79.110.62.96 | — | |
domainsearcherbigdealk.com | — | |
domainsearcherbigdealk.com | — | |
domainsearcherbigdealk.com | — | |
domainsearcherbigdealk.com | — | |
domainheilee.com | — | |
domainheilee.com | — | |
domainkairoscounselingmi.com | — | |
domainkairoscounselingmi.com | — |
Link
| Value | Description | Copy |
|---|---|---|
linkhttps://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates | — | |
linkhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025 | — |
Text
| Value | Description | Copy |
|---|---|---|
textThroughout the summer and fall of 2023, DarkGate entered the ring competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via many methods such as email, Microsoft Teams, Skype, malvertising and fake updates.
Proofpoint researchers are tracking a particularly interesting operator of the DarkGate malware. At the time of publication, researchers are not attributing this cluster of activity to a known threat actor and are temporarily calling it BattleRoyal. Between September and November 2023, at least 20 email campaigns used DarkGate malware with GroupIDs “PLEX”, “ADS5”, “user_871236672” and “usr_871663321”. The GroupID is a configuration setting that is also referred to as username, botnet, campaign, or flag 23. The campaigns are notable for: | — | |
textBattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates | — | |
textBlog | — | |
textWindows SmartScreen Security Feature Bypass Vulnerability | — | |
textCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | — | |
textPublished | — | |
text/Downloads/12.url | — | |
text5.181.159.29 | — | |
text/Downloads/evervendor.zip/evervendor.exe | — | |
text5.181.159.29 | — | |
text/Downloads/bye.zip/bye.vbs | — | |
text79.110.62.96 | — | |
textcom | — | |
text/msizjbicvmd | — | |
textsearcherbigdealk | — | |
textcom | — | |
text/zjbicvmd | — | |
textsearcherbigdealk | — | |
textcom | — | |
text/qxz3l | — | |
textheilee | — | |
textcom | — | |
text/wp-content/uploads/astra/help/pr-nv28-2023.url | — | |
textkairoscounselingmi | — |
Datetime
| Value | Description | Copy |
|---|---|---|
datetime2023-11-21T01:33:00+00:00 | — | |
datetime2023-11-14T18:15:00+00:00 | — |
Float
| Value | Description | Copy |
|---|---|---|
float8.8 | — |
Cpe
| Value | Description | Copy |
|---|---|---|
cpecpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:* | — | |
cpecpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:* | — | |
cpecpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:* | — | |
cpecpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:* | — | |
cpecpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:* | — | |
cpecpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:* | — | |
cpecpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:* | — | |
cpecpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:x64:* | — | |
cpecpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:* | — | |
cpecpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:* | — | |
cpecpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:* | — | |
cpecpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:* | — | |
cpecpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:arm64:* | — | |
cpecpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x86:* | — | |
cpecpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:arm64:* | — | |
cpecpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:arm64:* | — | |
cpecpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x86:* | — | |
cpecpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x86:* | — | |
cpecpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:* | — | |
cpecpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:arm64:* | — | |
cpecpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:arm64:* | — | |
cpecpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:* | — | |
cpecpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:* | — | |
cpecpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x86:* | — | |
cpecpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:arm64:* | — | |
cpecpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:x64:* | — |
Hash
| Value | Description | Copy |
|---|---|---|
hashfce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4 | — | |
hashea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde744e08188f | — | |
hashe2a8a53e117f1dda2c09e5b83a13c99b848873a75b14d20823318840e84de243 | — | |
hash96ca146b6bb95de35f61289c2725f979a2957ce54761aff5f37726a85f2f9e77 | — | |
hash7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e7015ae49561f0f | — | |
hash2f5af97b13b077a00218c60305b4eee5d88d14a9bd042beed286434c3fc6e084 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://5.181.159.29:80/Downloads/12.url | — | |
urlhttp://5.181.159.29:80/Downloads/evervendor.zip/evervendor.exe | — | |
urlhttp://79.110.62.96:80/Downloads/bye.zip/bye.vbs | — | |
urlhttp://searcherbigdealk.com:2351/msizjbicvmd | — | |
urlhttp://searcherbigdealk.com:2351/zjbicvmd | — | |
urlhttps://heilee.com/qxz3l | — | |
urlhttps://kairoscounselingmi.com/wp-content/uploads/astra/help/pr-nv28-2023.url | — |
Port
| Value | Description | Copy |
|---|---|---|
port80 | — | |
port80 | — | |
port80 | — | |
port2351 | — | |
port2351 | — |
Threat ID: 682acdbebbaf20d303f0ee50
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 7/5/2025, 10:55:17 PM
Last updated: 8/11/2025, 9:24:55 PM
Views: 12
Related Threats
ThreatFox IOCs for 2025-08-18
MediumCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-9119: Cross Site Scripting in Netis WF2419
MediumCVE-2025-55590: n/a
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.