article featured image


It has been reported that the Royal ransomware group is enhancing its arsenal with new malware. This group is said to have surfaced following the dismantling of the notorious Conti group.

Several other Conti-related groups have been observed using commercial downloaders such as Emotet, QBot, and IcedID. This inspired the Royal ransomware actors to develop their own malware loader.

In early 2022, Royal ransomware emerged along with Black Basta, Alphv/BlackCat, HelloKitty, Roy/Zeon, Quantum, Silent Ransom, and AvosLocker.

Royal Ransomware’s New Malware Loader

As per a recent report, the Royal ransomware group has begun developing its own loader with the goal of infecting endpoint devices and downloading malware.

  • The loader is small (less than 250KB) and serves only to deploy the Cobalt Strike beacon.
  • It immediately connects to a Royal C2 server after infection, which the group claims is a design feature.
  • Notably, the loader lacks a crypter module or function that would allow end-users to specify preferred cryptos.

Tried and Tested Strategies

Several strategies used by the Royal group have been proven successful by other groups, such as Qbot.

  • Like Qbot, it exploits CVE-2022-41073 (an elevation of privilege vulnerability in Windows Print Spooler) for initial access.
  • Due to the Royal group’s access to Anubis, the loader incorporates key Anubis functionality.
  • The analyzed loader is still a test version (a pre-alpha variant) rather than a final product.
  • The group intends to use the final version in spam campaigns, where they have previously demonstrated exceptional effectiveness.

As per Cyware, the Royal group’s collaboration has drawn inspiration from various existing or extinct ransomware groups.

While it refines its loader, organizations are urged to report TTPs of the threat in a timely manner so that other organizations can defend against it by taking appropriate preventive measures.

Check out the following to learn more about: how to protect your systems against malware, how to prevent ransomware, and how command and control servers work.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Author Profile

Madalina Popovici

Digital PR Specialist

linkedin icon

Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.

Leave a Reply

Your email address will not be published. Required fields are marked *