A threat actor tracked as DEV-0569 has been observed expanding its toolkit to include the Royal ransomware. The group's activities were detailed in a threat intelligence report released by Microsoft earlier this month. The group has been active since at least August 2022, and its origins and identity are still unknown. It uses a malware downloader called BATLOADER, which poses as installers for legitimate software familiar to targets, such as Adobe Flash Player and Zoom, and is also delivered as fake updates linked from spam emails, fake forum pages, and blog comments.
The Royal ransomware first emerged in September 2022 and is currently being used by several different threat actors. BATLOADER abuses MSI Custom Actions to launch malicious PowerShell activity and run batch scripts. Microsoft also found that DEV-0569 had begun using contact forms to deliver its payloads: the group sends messages to targets using contact details pulled from their public websites, with the emails purporting to come from a national financial authority.
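The Custom Action technique described above leaves a simple, observable trace: the Windows Installer service process (msiexec.exe) spawning a script host such as powershell.exe or cmd.exe. The following Python triage routine, written for this summary as an added example and not taken from Microsoft's report or from any vendor tooling, runs that parent/child check over a few constructed process-creation events and raises the severity when the PowerShell command line also carries hiding or encoding switches. The event field names (`pid`, `image`, `parent_image`, `command_line`) are assumptions chosen to resemble a Sysmon-style export.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Script hosts that, when spawned by msiexec.exe, indicate an MSI Custom Action
# handing execution to a script rather than to the installer's own logic.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# PowerShell switches and idioms commonly used to hide or obfuscate a script;
# their presence raises a finding from medium to high.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-ep\s+bypass"
    r"|-executionpolicy\s+bypass|-nop\b|\biex\b|downloadstring)"
)

# Constructed sample process-creation events (not real telemetry). Field names
# are an assumption made for this example.
SAMPLE_EVENTS = [
    {   # benign: a user launching an installer from Explorer
        "pid": 5012,
        "image": r"C:\Windows\System32\msiexec.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r"msiexec.exe /i C:\Users\alice\Downloads\ZoomSetup.msi /qn",
    },
    {   # suspicious: installer Custom Action launching hidden, encoded PowerShell
        "pid": 5013,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\msiexec.exe",
        "command_line": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA",
    },
    {   # worth a look: installer Custom Action running a batch script
        "pid": 5014,
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Windows\System32\msiexec.exe",
        "command_line": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\install.bat",
    },
    {   # unrelated: PowerShell with a non-installer parent, ignored by this rule
        "pid": 5015,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": "powershell.exe -File C:\\Scripts\\inventory.ps1",
    },
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore directory and case."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> Optional[dict]:
    """Return a finding if msiexec.exe spawned a script host, else None."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    if parent != "msiexec.exe" or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("command_line", "")
    flags = sorted({m.group(0).lower() for m in SUSPICIOUS_FLAGS.finditer(cmd)})
    return {
        "pid": event["pid"],
        "child": child,
        # Legitimate installers do run script Custom Actions, so a bare hit is
        # medium; hiding/encoding switches push it to high.
        "severity": "high" if flags else "medium",
        "flags": flags,
    }


def triage(events) -> list:
    """Apply classify() to every event and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On a real host the spawning parent is often the elevated msiexec.exe service instance rather than the user's own msiexec.exe; the rule above matches either, since it keys only on the image name. Because legitimate installers also use script Custom Actions, the medium-severity hits are best correlated with the installer's origin (a browser download masquerading as Zoom or Flash, as the report describes) rather than blocked outright.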