
OSINT - BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates

Severity: Medium
Published: Fri Dec 22 2023 (12/22/2023, 00:00:00 UTC)
Source: CIRCL
Vendor/Project: type
Product: osint

Description

OSINT - BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates

AI-Powered Analysis

Last updated: 07/05/2025, 22:55:17 UTC

Technical Analysis

This entry, which references CVE-2023-36025 (listed in the linked MSRC advisory as a Windows SmartScreen security feature bypass, CVSS 3.1 base score 8.8), covers the BattleRoyal and DarkGate malware cluster spreading through social engineering, specifically email campaigns and fake browser update prompts. These campaigns leverage OSINT (Open Source Intelligence) to target victims, delivering payloads that install malicious software on compromised systems. The infection vector relies on tricking users into executing malicious attachments or clicking links disguised as legitimate browser updates, which then deploy the malware payload. Once installed, the malware can perform a variety of malicious activities, including data exfiltration, network reconnaissance, and potentially establishing persistent access within the victim's environment. The lack of available patches and absence of known exploits in the wild suggest this is a relatively new or emerging threat, with medium severity as assessed by the source. The threat is categorized under payload installation and network activity, indicating its capability to affect system integrity and network security. The technical details provided are minimal, with no specific affected software versions or detailed exploitation techniques disclosed, but the use of OSINT implies targeted attacks based on publicly available information about potential victims.

Potential Impact

For European organizations, this threat poses a significant risk primarily through social engineering vectors that exploit user trust and awareness. The medium severity rating reflects a moderate potential for disruption, but the actual impact could escalate if the malware gains persistence or spreads laterally within networks. Confidentiality could be compromised through data theft, while integrity and availability might be affected if the malware modifies or disrupts system operations. Given the reliance on email and fake browser updates, organizations with large numbers of end users or those with less mature security awareness programs are particularly vulnerable. Additionally, sectors with high-value data or critical infrastructure could face targeted attacks, leading to operational disruptions or reputational damage. The absence of patches means organizations must rely on detection and prevention controls rather than remediation through software updates.

Mitigation Recommendations

European organizations should implement targeted user awareness training focusing on recognizing phishing emails and suspicious update prompts, emphasizing verification of browser updates through official channels only. Email filtering solutions should be enhanced to detect and quarantine messages containing malicious attachments or links associated with this threat cluster. Network monitoring should be configured to identify unusual outbound connections indicative of malware communication. Endpoint detection and response (EDR) tools should be deployed and tuned to detect behaviors consistent with BattleRoyal and DarkGate malware activity. Organizations should enforce strict application whitelisting and restrict execution of unauthorized software. Multi-factor authentication (MFA) should be applied to limit the impact of credential theft. Since no patches are available, proactive threat hunting and incident response readiness are critical to quickly identify and contain infections. Collaboration with threat intelligence sharing groups can provide early warnings and indicators of compromise related to this threat.


Technical Details

Threat Level: 2
Analysis: 0
Uuid: f0ef984c-2467-40aa-83c6-7c671a6379cb
Original Timestamp: 1703240722

Indicators of Compromise

Vulnerability

vulnerability: CVE-2023-36025

Ip

ip: 5.181.159.29
ip: 79.110.62.96

Domain

domain: heilee.com
domain: kairoscounselingmi.com
domain: nathumvida.org
domain: searcherbigdealk.com
domain: zxcdota2huysasi.com
domain: 5.181.159.29
domain: 79.110.62.96

Link

link: https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025

Text

text: Throughout the summer and fall of 2023, DarkGate entered the ring competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via many methods such as email, Microsoft Teams, Skype, malvertising and fake updates. Proofpoint researchers are tracking a particularly interesting operator of the DarkGate malware. At the time of publication, researchers are not attributing this cluster of activity to a known threat actor and are temporarily calling it BattleRoyal. Between September and November 2023, at least 20 email campaigns used DarkGate malware with GroupIDs “PLEX”, “ADS5”, “user_871236672” and “usr_871663321”. The GroupID is a configuration setting that is also referred to as username, botnet, campaign, or flag 23. The campaigns are notable for:
text: BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates
text: Blog
text: Windows SmartScreen Security Feature Bypass Vulnerability
text: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
text: Published
text: /Downloads/12.url
text: 5.181.159.29
text: /Downloads/evervendor.zip/evervendor.exe
text: 5.181.159.29
text: /Downloads/bye.zip/bye.vbs
text: 79.110.62.96
text: com
text: /msizjbicvmd
text: searcherbigdealk
text: com
text: /zjbicvmd
text: searcherbigdealk
text: com
text: /qxz3l
text: heilee
text: com
text: /wp-content/uploads/astra/help/pr-nv28-2023.url
text: kairoscounselingmi

Datetime

datetime: 2023-11-21T01:33:00+00:00
datetime: 2023-11-14T18:15:00+00:00

Float

float: 8.8

Cpe

cpe: cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
cpe: cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
cpe: cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
cpe: cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe: cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
cpe: cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
cpe: cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
cpe: cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:x64:*
cpe: cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*
cpe: cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*
cpe: cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:*
cpe: cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:*
cpe: cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:arm64:*
cpe: cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x86:*
cpe: cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:arm64:*
cpe: cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:arm64:*
cpe: cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x86:*
cpe: cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x86:*
cpe: cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:*
cpe: cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:arm64:*
cpe: cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:arm64:*
cpe: cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:*
cpe: cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*
cpe: cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x86:*
cpe: cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:arm64:*
cpe: cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:x64:*

Hash

hash: fce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4
hash: ea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde744e08188f
hash: e2a8a53e117f1dda2c09e5b83a13c99b848873a75b14d20823318840e84de243
hash: 96ca146b6bb95de35f61289c2725f979a2957ce54761aff5f37726a85f2f9e77
hash: 7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e7015ae49561f0f
hash: 2f5af97b13b077a00218c60305b4eee5d88d14a9bd042beed286434c3fc6e084

Url

url: http://5.181.159.29:80/Downloads/12.url
url: http://5.181.159.29:80/Downloads/evervendor.zip/evervendor.exe
url: http://79.110.62.96:80/Downloads/bye.zip/bye.vbs
url: http://searcherbigdealk.com:2351/msizjbicvmd
url: http://searcherbigdealk.com:2351/zjbicvmd
url: https://heilee.com/qxz3l
url: https://kairoscounselingmi.com/wp-content/uploads/astra/help/pr-nv28-2023.url

Port

port: 80
port: 2351

Threat ID: 682acdbebbaf20d303f0ee50

Added to database: 5/19/2025, 6:20:46 AM

Last enriched: 7/5/2025, 10:55:17 PM

Last updated: 8/11/2025, 9:24:55 PM

Views: 12
