{
	"id": "8fa932b7-d3a0-4606-aee0-c7fb48a490ed",
	"created_at": "2026-04-06T00:08:33.886204Z",
	"updated_at": "2026-04-10T03:20:02.634725Z",
	"deleted_at": null,
	"sha1_hash": "027ba4e1a8349b16f73cf9093f9e667ffd2ba468",
	"title": "BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates  | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 509977,
	"plain_text": "BattleRoyal, DarkGate Cluster Spreads via Email and Fake\r\nBrowser Updates  | Proofpoint US\r\nBy Axel F, Dusty Miller, Tommy Madjar and Selena Larson, December 21, 2023\r\nPublished: 2023-12-20 · Archived: 2026-04-05 16:37:21 UTC\r\nOverview\r\nThroughout the summer and fall of 2023, DarkGate entered the ring competing for the top spot in the remote\r\naccess trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via\r\nmany methods such as email, Microsoft Teams, Skype, malvertising and fake updates.\r\nProofpoint researchers are tracking a particularly interesting operator of the DarkGate malware. At the time of\r\npublication, researchers are not attributing this cluster of activity to a known threat actor and are temporarily\r\ncalling it BattleRoyal. Between September and November 2023, at least 20 email campaigns used DarkGate\r\nmalware with GroupIDs “PLEX”, “ADS5”, “user_871236672” and “usr_871663321”. The GroupID is a\r\nconfiguration setting that is also referred to as username, botnet, campaign, or flag 23. The campaigns are notable\r\nfor:\r\nDelivery: via email and RogueRaticate fake browser updates\r\nVolumes and geography: email campaigns include tens of thousands of emails targeting dozens of\r\nindustries primarily in the USA and Canada\r\nAttack chain: includes a variety of notable tools such as 404 TDS, Keitaro TDS, and .URL files exploiting\r\nCVE-2023-36025\r\nhttps://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates\r\nPage 1 of 9\n\nVolume of DarkGate campaigns based on four GroupIDs discussed in this report.\r\nTDS all the things! (an email campaign example)\r\nOn October 2, 2023, Proofpoint identified one of the first campaigns in this cluster. It was notable due to the use\r\nof more than one traffic delivery system (TDS), specifically 404 TDS and Keitaro TDS. 
Additionally, the .URL\r\nfiles involved exploited CVE-2023-36025, a vulnerability in Windows SmartScreen. While other parts of the\r\nattack chain from this actor changed or varied, .URL files were involved in every campaign.\r\nThe emails in this campaign contained:\r\n404 TDS URLs that, if clicked by the user, redirected to Keitaro TDS\r\nKeitaro TDS was observed serving an internet shortcut (.URL) file\r\nThe internet shortcut, if double clicked, downloaded a zipped VBS script\r\nThe VBS in turn downloaded and executed several shell commands (cmd.exe)\r\nThe shell commands (a) created a directory on the C: drive, (b) copied curl.exe from the system folder to this new\r\ndirectory, (c) used curl to download Autoit3.exe, (d) used curl to download and save an AutoIT script,\r\nand (e) ran the downloaded AutoIT script with the downloaded AutoIT interpreter\r\nThe AutoIT script ran an embedded DarkGate\r\nAttack chain summary that follows the flow of: Email \u003e 404 TDS \u003e Keitaro TDS \u003e .URL \u003e .VBS \u003e Shell\r\ncommands \u003e AutoIT / AutoIT script \u003e DarkGate.\r\nScreenshot of an example email from the October 2 campaign.\r\nScreenshot of the .URL file involved in the October 2 campaign.\r\nProofpoint has identified multiple cybercriminal campaigns exploiting CVE-2023-36025; however, the\r\nBattleRoyal cluster exploited this vulnerability more than any other actor observed in Proofpoint threat data.\r\nNotably, this activity cluster exploited CVE-2023-36025 before it was published by Microsoft. SmartScreen is a\r\nsecurity feature that is designed to prevent people from visiting malicious websites. The vulnerability could allow\r\nan actor to bypass the SmartScreen defenses if a user clicked on a specially crafted .URL file or a hyperlink\r\npointing to a .URL file. 
More specifically, a SmartScreen alert would not be triggered when a .URL points to an\r\nSMB or WebDAV share as file:// and the malicious payload is inside a ZIP file which is specified in the URL\r\ntarget.\r\nRogueRaticate (fake browser update campaign example)\r\nOn October 19, 2023, an external researcher identified and publicly shared details of the RogueRaticate fake\r\nupdate activity cluster using an interesting obfuscation technique first identified in 2020. Proofpoint subsequently\r\nidentified the activity in Proofpoint data. This campaign delivered fake browser update requests to end users on\r\ntheir web browsers that dropped a DarkGate payload with the “ADS5” GroupID. The threat actor injected a\r\nrequest to a domain they controlled that used .css steganography to conceal the malicious code. The concealed code\r\nwould then make a request to an actor-controlled Keitaro domain that would filter out unwanted traffic. Users who\r\npassed the traffic inspection would be redirected to a fake browser update. If an end user clicked on the fake\r\nbrowser update button, it would download a similar .URL file as the email campaign described above and follow\r\nthe attack chain from that point to deliver DarkGate.\r\nFake browser update request screenshot.\r\nSwitch to NetSupport (an email campaign example)\r\nIn late November to early December, Proofpoint analysts observed the activity cluster replace DarkGate with\r\nNetSupport, a legitimate remote access tool, in observed campaigns. Compared to DarkGate, NetSupport is a\r\nmore established tool in the toolbelt of various crime actors. It has steadily been observed in the landscape in the\r\npast four years. Meanwhile, the use of DarkGate before summer 2023 has been very rare. 
It remains to be seen if\r\nthe reason for the payload switch is the spike in DarkGate’s popularity and the subsequent attention paid to the\r\nmalware by threat researchers and the security community (which can reduce its efficacy), or simply a\r\ntemporary change to a different payload. Besides the payload switch, another notable change in this campaign that\r\nrepresents a gradual evolution of the cluster is the use of two .URL files instead of one.\r\nIn an example campaign on November 28, 2023, the emails contained:\r\nDoubleclick.net URLs that, if clicked by the user, redirected to Keitaro TDS\r\nKeitaro TDS was observed serving an Internet shortcut (.URL) file\r\nThe Internet shortcut, if double clicked, downloaded another Internet shortcut (.URL) file\r\nThe second Internet shortcut linked to a NetSupport executable\r\nAttack chain summary that follows the flow of: Email \u003e URL (doubleclick.net) \u003e Keitaro TDS (Cookie: 6e41c) \u003e\r\n.URL \u003e .URL \u003e NetSupport.\r\nScreenshot of an example email from the November 28 campaign.\r\nScreenshot of the .URL file involved in the November 28 campaign.\r\nConclusion\r\nThe newly identified cluster of activity Proofpoint calls BattleRoyal is notable for its use of multiple attack chains\r\nto deliver malware. DarkGate can be used to steal information and download additional malware payloads, and\r\nNetSupport can enable threat actors to gain control of an infected host, install additional malware, and enable\r\nlateral movement throughout a compromised environment. 
The actor’s use of both email and compromised\r\nwebsites with fake update lures to deliver DarkGate and NetSupport is unique but aligns with the overall trend\r\nProofpoint has observed of cybercriminal threat actors adopting new, varied, and increasingly creative attack\r\nchains – including the use of various TDS tools – to enable malware delivery. Additionally, the use of both email\r\nand fake update lures shows the actor using multiple types of social engineering techniques in an attempt to get\r\nusers to install the final payload.\r\nEmerging Threats signatures\r\n2049321 - ET MALWARE WebDAV Retrieving .exe from .url M2 (CVE-2023-36025)\r\n2049320 - ET MALWARE WebDAV Retrieving .zip from .url M2 (CVE-2023-36025)\r\n2049317 - ET MALWARE WebDAV Retrieving .zip from .url M1 (CVE-2023-36025)\r\n2049316 - ET MALWARE WebDAV Retrieving .exe from .url M1 (CVE-2023-36025)\r\n2048098 - ET MALWARE DarkGate AutoIt Downloader\r\n2048089 - ET MALWARE Darkgate Stealer CnC Checkin\r\n2035895 - ET INFO NetSupport Remote Admin Response\r\n2034559 - ET POLICY NetSupport GeoLocation Lookup Request\r\n2035892 - ET INFO NetSupport Remote Admin Checkin\r\n2827745 - ETPRO MALWARE NetSupport RAT CnC Activity\r\nIndicators of compromise\r\nIndicator | Description | First Observed\r\nhxxps[:]//heilee[.]com/qxz3l | Example 404 TDS URL (DarkGate campaign) | 2 October 2023\r\nhxxps[:]//nathumvida[.]org/ | Keitaro TDS (DarkGate campaign) | 2 October 2023\r\n96ca146b6bb95de35f61289c2725f979a2957ce54761aff5f37726a85f2f9e77 | SHA256 of “IN-SEPT-8415-8794132.pdf.url” served by Keitaro (DarkGate campaign) | 2 October 2023\r\nfile[:]//79.110.62[.]96@80/Downloads/bye.zip/bye.vbs | Target of the .URL file “IN-SEPT-8415-8794132.pdf.url” (DarkGate campaign) | 2 October 2023\r\ne2a8a53e117f1dda2c09e5b83a13c99b848873a75b14d20823318840e84de243 | SHA256 of file “bye.vbs” downloaded by .URL (DarkGate campaign) | 2 October 2023\r\nhxxp[:]//searcherbigdealk[.]com:2351/zjbicvmd | “bye.vbs” downloads shell commands from this URL (DarkGate campaign) | 2 October 2023\r\nhxxp[:]//searcherbigdealk[.]com:2351 | Shell command downloads “Autoit3.exe” from this URL (DarkGate campaign) | 2 October 2023\r\nhxxp[:]//searcherbigdealk[.]com:2351/msizjbicvmd | Shell command downloads “iabyhu.au3” from this URL (DarkGate campaign) | 2 October 2023\r\n237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d | SHA256 of “Autoit3.exe” (DarkGate campaign) | 2 October 2023\r\n2f5af97b13b077a00218c60305b4eee5d88d14a9bd042beed286434c3fc6e084 | SHA256 of “ggvjzi.au3” (DarkGate campaign) | 2 October 2023\r\n161.35.113[.]58:443 | DarkGate C2 (DarkGate campaign) | 2 October 2023\r\nzxcdota2huysasi[.]com | RogueRaticate Payload Host | 19 October 2023\r\nhxxps[:]//adclick.g.doubleclick[.]net/pcs/click?fjWWEJMP5797-NovemberQFRSQG65799kd\u0026\u0026adurl=hxxps[:]//kairoscounselingmi[.]com/ | Example doubleclick[.]net URL (NetSupport campaign) | 28 November 2023\r\nhxxps[:]//kairoscounselingmi[.]com/ | Keitaro TDS (NetSupport campaign) | 28 November 2023\r\nhxxps[:]//kairoscounselingmi[.]com/wp-content/uploads/astra/help/pr-nv28-2023.url | Keitaro TDS downloading .URL file (NetSupport campaign) | 28 November 2023\r\nfce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4 | SHA256 of file “pr-nv28-2023.url” (NetSupport campaign) | 28 November 2023\r\nfile[:]//5.181.159[.]29@80/Downloads/12.url | Target of the .URL file “pr-nv28-2023.url” (NetSupport campaign) | 28 November 2023\r\nea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde744e08188f | SHA256 of file “12.url” (NetSupport campaign) | 28 November 2023\r\nfile[:]//5.181.159[.]29@80/Downloads/evervendor.zip/evervendor.exe | Target of the .URL file “12.url” (NetSupport campaign) | 28 November 2023\r\n7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e7015ae49561f0f | SHA256 of file “evervendor.exe” (NetSupport campaign) | 28 November 2023\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates"
	],
	"report_names": [
		"battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates"
	],
	"threat_actors": [],
	"ts_created_at": 1775434113,
	"ts_updated_at": 1775791202,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/027ba4e1a8349b16f73cf9093f9e667ffd2ba468.pdf",
		"text": "https://archive.orkl.eu/027ba4e1a8349b16f73cf9093f9e667ffd2ba468.txt",
		"img": "https://archive.orkl.eu/027ba4e1a8349b16f73cf9093f9e667ffd2ba468.jpg"
	}
}