{
	"id": "8b569999-3b4f-421f-a226-61076f41242c",
	"created_at": "2026-04-06T00:22:36.33763Z",
	"updated_at": "2026-04-10T03:26:42.120218Z",
	"deleted_at": null,
	"sha1_hash": "d9bc20e1a54d7602d31a9630b61a00f2ac78514c",
	"title": "DEV-0569 finds new ways to deliver Royal ransomware, various payloads | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 341215,
	"plain_text": "DEV-0569 finds new ways to deliver Royal ransomware, various\r\npayloads | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-11-17 · Archived: 2026-04-05 14:43:07 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned\r\naround the theme of weather. DEV-0569 is now tracked as Storm-0569.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a\r\ncomplete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming\r\ntaxonomy.\r\nRecent activity from the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has\r\nled to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed\r\nby multiple threat actors. Observed DEV-0569 attacks show a pattern of continuous innovation, with regular\r\nincorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside\r\nincreasing ransomware facilitation.\r\nDEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software\r\ninstallers or updates embedded in spam emails, fake forum pages, and blog comments. In the past few months,\r\nMicrosoft security researchers observed the following tweaks in the group’s delivery methods:\r\nUse of contact forms on targeted organizations’ websites to deliver phishing links\r\nHosting fake installer files on legitimate-looking software download sites and legitimate repositories to\r\nmake malicious downloads look authentic to targets, and\r\nExpansion of their malvertising technique by using Google Ads in one of their campaigns, effectively\r\nblending in with normal ad traffic\r\nThese methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying\r\nvarious post-compromise payloads. 
DEV-0569 activity uses signed binaries and delivers encrypted malware\r\npayloads. The group, also known to rely heavily on defense evasion techniques, has continued to use the open-source tool NSudo to attempt disabling antivirus solutions in recent campaigns.\r\nIn this blog we share details of DEV-0569’s tactics, techniques, and procedures (TTPs) and observed behavior in\r\nrecent campaigns, which show that DEV-0569 will likely continue leveraging malvertising and phishing for initial\r\naccess. We also share preventive measures that organizations can adopt to thwart DEV-0569’s delivery methods\r\ninvolving malicious links and phishing emails using solutions like Microsoft Defender SmartScreen and Microsoft\r\nDefender for Office 365, and to reduce the impact of the group’s follow-on activities. Microsoft Defender for\r\nEndpoint detects the DEV-0569 behavior discussed in this blog, including the code signing certificates in use and\r\nthe attempts to disable Microsoft Defender Antivirus.\r\nhttps://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/\r\nPage 1 of 6\n\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing\r\ncluster of threat activity, allowing Microsoft to track it as a unique set of information until we can reach high\r\nconfidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group\r\nis converted to a named actor.\r\nDEV-0569 attack chain: Delivery tactics tweaked\r\nDEV-0569 has multiple methods for delivery of their initial payload. In some cases, DEV-0569 payloads are\r\ndelivered via phishing campaigns run by other malicious actors that offer delivery of malware payloads as a\r\nservice.\r\nHistorically, a typical DEV-0569 attack begins with malicious links delivered to targets via malicious\r\nads, fake forum pages, blog comments, or through phishing emails. 
These links lead to malicious files signed by\r\nthe attacker using a legitimate certificate. The malicious files, which are malware downloaders known as\r\nBATLOADER, pose as installers or updates for legitimate applications like Microsoft Teams or Zoom. When\r\nlaunched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to\r\naid in disabling security solutions and lead to the delivery of various encrypted malware payloads that are decrypted\r\nand launched with PowerShell commands.\r\nPosing as legitimate software download sites\r\nFrom August to October 2022, Microsoft observed DEV-0569 activity where BATLOADER, delivered via\r\nmalicious links in phishing emails, posed as legitimate installers for numerous applications like TeamViewer,\r\nAdobe Flash Player, Zoom, and AnyDesk. BATLOADER was hosted on attacker-created domains posing as\r\nlegitimate software download sites (anydeskos[.]com, for example) and on legitimate repositories like GitHub and\r\nOneDrive. Microsoft takes down verified malicious content from these repositories as they are found or reported.\r\nFigure 1. DEV-0569 activity seen in September 2022, where the landing site hosted BATLOADER posing as a\r\nTeamViewer installer\r\nUse of VHD file formats\r\nAside from using installer files, Microsoft has also observed the use of file formats like Virtual Hard Disk (VHD)\r\nimpersonating legitimate software for first-stage payloads. 
These VHDs also contain malicious scripts that lead to\r\nthe download of DEV-0569’s malware payloads.\r\nPowerShell and batch scripts for downloading\r\nDEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download\r\nof malware payloads like information stealers or a legitimate remote management tool used for persistence on the\r\nnetwork. The management tool can also be an access point for the staging and spread of ransomware.\r\nNSudo to disable antivirus solutions\r\nDEV-0569 also continues to tamper with antivirus products. In September and October 2022, Microsoft saw\r\nactivity where DEV-0569 used the open-source NSudo tool to attempt disabling antivirus solutions.\r\nFigure 2. High-level view of observed DEV-0569 infection chains between August and October 2022\r\nSeptember 2022: Adopting contact forms to gain access to targets and deliver information stealers\r\nIn September 2022, Microsoft observed a campaign using contact forms to deliver DEV-0569 payloads. Using\r\ncontact forms on public websites to distribute malware has been seen in other campaigns, including IcedID\r\nmalware. Attackers use this technique as a defense evasion method since contact forms can bypass email\r\nprotections and appear trustworthy to the recipient.\r\nIn this campaign, DEV-0569 sent a message to targets using the contact form on these targets’ websites, posing as\r\na national financial authority. When a contacted target responded via email, DEV-0569 replied with a message that\r\ncontained a link to BATLOADER. Microsoft Defender for Office 365 detects the spoofing behavior as well as the\r\nmalicious links in these emails.\r\nThe malicious links in the contact forms led to BATLOADER malware hosted on abused web services like\r\nGitHub and OneDrive. 
The installers launched a PowerShell script that issued multiple commands, including\r\ndownloading the NirCmd command-line utility provided by freeware developer NirSoft:\r\nnircmd elevatecmd exec hide \"requestadmin.bat\"\r\nIf successful, the command allows the attacker to elevate from local admin to SYSTEM rights, similar to\r\nexecuting a scheduled task as SYSTEM.\r\nThe PowerShell script also delivered additional executables from a remote website (e.g., updateea1[.]com),\r\nincluding an AES-encrypted Gozi banking trojan and the information stealer known as Vidar Stealer, which used\r\nTelegram to receive command and control (C2) information. DEV-0569 frequently diversifies their payloads and\r\nhas shifted from delivering ZLoader at the beginning of 2022, possibly in response to disruption efforts against\r\nZLoader in April 2022.\r\nSeptember 2022: Deploying Royal ransomware\r\nMicrosoft identified instances involving DEV-0569 infection chains that ultimately facilitated human-operated\r\nransomware attacks distributing Royal ransomware. Based on tactics observed by Microsoft, ransomware\r\nattackers likely gained access to compromised networks via a BATLOADER-delivered Cobalt Strike Beacon\r\nimplant.\r\nDEV-0569’s widespread infection base and diverse payloads likely make the group an attractive access broker for\r\nransomware operators.\r\nOctober 2022: Leveraging Google Ads to deliver BATLOADER selectively\r\nIn late October 2022, Microsoft researchers identified a DEV-0569 malvertising campaign leveraging Google Ads\r\nthat point to the legitimate traffic distribution system (TDS) Keitaro, which provides capabilities to customize\r\nadvertising campaigns via tracking ad traffic and user- or device-based filtering. Microsoft observed that the TDS\r\nredirects the user to a legitimate download site, or under certain conditions, to the malicious BATLOADER\r\ndownload site. 
Microsoft reported this abuse to Google for awareness and consideration for action.\r\nUsing the traffic filtering provided by Keitaro, DEV-0569 can deliver their payloads to specified IP\r\nranges and targets. This traffic filtering can also aid DEV-0569 in avoiding IP ranges of known security\r\nsandboxing solutions.\r\nDefending against DEV-0569\r\nDEV-0569 will likely continue to rely on malvertising and phishing to deliver malware payloads. Solutions such\r\nas network protection and Microsoft Defender SmartScreen can help thwart malicious link access. Microsoft\r\nDefender for Office 365 helps guard against phishing by inspecting the email body and URL for known patterns.\r\nSince DEV-0569’s phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to\r\ncapture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level\r\nallow lists. Enabling Safe Links for emails, Microsoft Teams, and Office Apps can also help address this threat.\r\nDefenders can also apply the following mitigations to reduce the impact of this threat:\r\nEncourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies\r\nand blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host\r\nmalware. Turn on network protection to block connections to malicious domains and IP addresses.\r\nBuild organizational resilience against email threats by educating users about identifying social\r\nengineering attacks and preventing malware infection. 
Use Attack simulation training in Microsoft\r\nDefender for Office 365 to run attack scenarios, increase user awareness, and empower employees to\r\nrecognize and report these attacks.\r\nPractice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide,\r\nadmin-level service accounts. Restricting local administrative privileges can help limit installation of RATs\r\nand other unwanted applications.\r\nTurn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus.\r\nThese capabilities use artificial intelligence and machine learning to quickly identify and stop new and\r\nunknown threats.\r\nTurn on tamper protection features to prevent attackers from stopping security services.\r\nMicrosoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques\r\nused in ransomware attacks:\r\nBlock process creations originating from PsExec and WMI commands\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nUse advanced protection against ransomware\r\nDetection details\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nTrojan:Win32/Gozi\r\nTrojan:Win64/Gozi\r\nVirTool:Win32/CobaltStrike\r\nVirTool:Win64/CobaltStrike\r\nBehavior:Win64/CobaltStrike\r\nTrojan:Win32/VidarStealer\r\nNSudo activity is detected by the tamper protection capability as:\r\nNsudo file drop\r\nNsudo runtime\r\nNsudo AV tampering commandline\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following titles in the security center can indicate threat activity on your network:\r\nRansomware-linked DEV-0569 activity group\r\nWhile the following alerts might indicate activity associated with this threat, they could also be 
triggered by\r\nunrelated threat activity:\r\nRansomware-linked DEV-0858 activity group\r\nCobalt Strike activity detected\r\nCobalt Strike activity observed\r\nCobalt Strike artifact observed\r\nCobalt Strike attack tool\r\nCobalt strike named pipes\r\n‘Vidar’ credential theft malware was detected\r\n‘VidarStealer’ malware was detected\r\n‘Gozi’ malware was detected\r\nAn active ‘Nsudo’ hacktool in a command line was detected while executing\r\nAn active ‘NSudo’ hacktool process was detected while executing\r\nSource: https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/"
	],
	"report_names": [
		"dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf4d333d-ef79-40aa-b233-886e6de875a3",
			"created_at": "2023-12-08T02:00:05.754609Z",
			"updated_at": "2026-04-10T02:00:03.494821Z",
			"deleted_at": null,
			"main_name": "DEV-0569",
			"aliases": [
				"Storm-0569"
			],
			"source_name": "MISPGALAXY:DEV-0569",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434956,
	"ts_updated_at": 1775791602,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9bc20e1a54d7602d31a9630b61a00f2ac78514c.pdf",
		"text": "https://archive.orkl.eu/d9bc20e1a54d7602d31a9630b61a00f2ac78514c.txt",
		"img": "https://archive.orkl.eu/d9bc20e1a54d7602d31a9630b61a00f2ac78514c.jpg"
	}
}