Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Warns of Cybercrime Group Delivering Royal Ransomware, Other Malware

A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns.

A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns.

DEV-0569 has been relying on malicious ads (malvertising), blog comments, fake forum pages, and phishing links for the distribution of malware.

Over the past few months, however, Microsoft noticed that the threat actor has started using contact forms to deliver phishing links, while choosing to host fake installers on legitimate-looking software download sites and legitimate repositories, such as GitHub and OneDrive.

The adversary continues to rely on malvertising for malware distribution, and even expanded the technique by employing Google Ads in one of the campaigns.

“These methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying various post-compromise payloads,” Microsoft says.

The group is also known for signing malicious binaries with legitimate certificates, and for using encrypted malware payloads and defense evasion techniques. In recent attacks, DEV-0569 has used the open-source tool Nsudo for disabling antivirus solutions.

The threat actor is relying on malware downloaders such as Batloader, posing as legitimate installers or updates for software such as AnyDesk, Adobe Flash Player, Microsoft Teams, TeamViewer, and Zoom.

DEV-0569 has also been observed using file formats like Virtual Hard Disk (VHD) for impersonating legitimate software, as well as using PowerShell and batch scripts for downloading information stealers and remote access tools.

In a September campaign, the threat actor was seen using contact forms on public websites for malware distribution. Posing as a national financial authority, DEV-0569 sent messages using the contact forms and, after the targets responded via email, responded with messages containing Batloader.

As part of successful attacks, the threat actor executed commands to elevate privileges to System and deployed various payloads to the compromised machine, including the Gozi banking trojan and the Vidar Stealer information stealer.

In September, Microsoft observed DEV-0569 infection chains leading to Royal ransomware, which is human-operated. The Batloader downloader and a Cobalt Strike Beacon implant were used in these attacks.

In October, the threat group started abusing Google Ads directing users to legitimate traffic distribution system (TDS) Keitaro, which supports tracking ad traffic and users. Microsoft noticed that users were being redirected to legitimate download sites or to malicious Batloader download domains, under certain conditions.

Related: Black Basta Ransomware Linked to FIN7 Cybercrime Group

Related: BlackByte Ransomware Abuses Legitimate Driver to Disable Security Protections

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.