Microsoft Security Threat Intelligence has found that a new actor dubbed DEV-0569 has been developed new tools that deliver the Royal ransomware to victims. Microsoft recently released a post regarding the threat actor, in which it states that the company is unsure about the group’s origin or identity, but know that it has been active since at least August 2022. The group typically relies on malvertising and phishing link vectors, Microsoft says.
The group also uses a malware downloader called BATLOADER. The downloader masquerades as popular software installers such as TeamViewer, Adobe Flash Player, Zoom, and other applications. Additionally, the malware downloader is embedded in spam emails, fake forum pages, and blog comments. The malware spreads the Royal ransomware, which first emerged earlier this fall and is currently being distributed by multiple different threat actors.