Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Warns of Cybercrime Group Delivering Royal Ransomware, Other Malware

A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns.

A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns.

DEV-0569 has been relying on malicious ads (malvertising), blog comments, fake forum pages, and phishing links for the distribution of malware.

Over the past few months, however, Microsoft noticed that the threat actor has started using contact forms to deliver phishing links, while choosing to host fake installers on legitimate-looking software download sites and legitimate repositories, such as GitHub and OneDrive.

The adversary continues to rely on malvertising for malware distribution, and even expanded the technique by employing Google Ads in one of the campaigns.

“These methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying various post-compromise payloads,” Microsoft says.

The group is also known for signing malicious binaries with legitimate certificates, and for using encrypted malware payloads and defense evasion techniques. In recent attacks, DEV-0569 has used the open-source tool Nsudo for disabling antivirus solutions.

The threat actor is relying on malware downloaders such as Batloader, posing as legitimate installers or updates for software such as AnyDesk, Adobe Flash Player, Microsoft Teams, TeamViewer, and Zoom.

DEV-0569 has also been observed using file formats like Virtual Hard Disk (VHD) for impersonating legitimate software, as well as using PowerShell and batch scripts for downloading information stealers and remote access tools.

In a September campaign, the threat actor was seen using contact forms on public websites for malware distribution. Posing as a national financial authority, DEV-0569 sent messages using the contact forms and, after the targets responded via email, responded with messages containing Batloader.

As part of successful attacks, the threat actor executed commands to elevate privileges to System and deployed various payloads to the compromised machine, including the Gozi banking trojan and the Vidar Stealer information stealer.

In September, Microsoft observed DEV-0569 infection chains leading to Royal ransomware, which is human-operated. The Batloader downloader and a Cobalt Strike Beacon implant were used in these attacks.

In October, the threat group started abusing Google Ads directing users to legitimate traffic distribution system (TDS) Keitaro, which supports tracking ad traffic and users. Microsoft noticed that users were being redirected to legitimate download sites or to malicious Batloader download domains, under certain conditions.

Related: Black Basta Ransomware Linked to FIN7 Cybercrime Group

Related: BlackByte Ransomware Abuses Legitimate Driver to Disable Security Protections

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.