
Security researchers have discovered a custom backdoor called “Betruger” that has been linked to several recent RansomHub ransomware attacks. The Betruger malware is highly sophisticated, offering various built-in capabilities that reduce the number of separate malicious tools required during a ransomware attack. Unlike typical ransomware operations, which rely on publicly available tools such as Mimikatz and Cobalt Strike, Betruger is designed to perform multiple functions in a single binary, streamlining the attack process.
What’s Notable and Unique
- Analysis of the Betruger backdoor revealed that it incorporates functionality typically found in several pre-ransomware tools, such as screenshotting, keylogging, uploading files to a command and control (C2) server, network scanning, privilege escalation, and credential dumping.
- The functionality of Betruger suggests that it may have been developed to reduce the number of new tools deployed on a targeted network while preparing for a ransomware attack.
- Betruger is commonly disguised with filenames such as ‘mailer.exe’ and ‘turbomailer.exe’ to make it appear as legitimate software. However, the backdoor has no actual mailing functionality, and it is likely that threat actors chose these names to mimic a legitimate application and avoid detection.
- Betruger is one of several tools used by RansomHub affiliates in recent months as they leverage techniques like Bring Your Own Vulnerable Driver (BYOVD) to disable security solutions. Additionally, RansomHub exploits vulnerabilities such as CVE-2022-24521 (Windows Privilege Escalation) and CVE-2023-27532 (Veeam Backup credential leak). Other tools commonly used include Impacket, Rclone, Mimikatz, ScreenConnect, and SystemBC to facilitate credential dumping, remote access, and data exfiltration.
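The disguise described above gives defenders a simple hunting angle: a binary named like a mail client that never speaks a mail protocol but does reach out to a C2 server or sweep the network. The following script is an added example written for this brief, not code from the original report or from any vendor; it assumes a simplified, Sysmon-like event shape (fields `event`, `pid`, `image`, `dest_ip`, `dest_port`) and runs over constructed sample events embedded in the file.

```python
"""
Hunting heuristic for Betruger-style disguised backdoors.

Added example for this brief; not part of the original report. It assumes a
simplified, Sysmon-like event shape with the fields event, pid, image, dest_ip
and dest_port. The sample events at the bottom are constructed for illustration.
"""
from collections import defaultdict

# Filenames the report says Betruger has been observed hiding behind.
SUSPECT_IMAGE_NAMES = {"mailer.exe", "turbomailer.exe"}

# Ports a genuine mailer would be expected to use (SMTP, SMTPS, submission).
MAIL_PORTS = {25, 465, 587}

# A "mailer" contacting this many distinct hosts on one port looks like a scan.
# Threshold is an assumption; tune it to the environment.
SCAN_HOST_THRESHOLD = 20


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return {pid: [reasons]} for processes that match the disguise pattern.

    A name match alone is reported; missing mail traffic and scan-like fan-out
    are added as further reasons when the connection events support them.
    """
    procs = {}
    conns = defaultdict(list)
    for ev in events:
        if ev["event"] == "process_create":
            procs[ev["pid"]] = ev
        elif ev["event"] == "network_connect":
            conns[ev["pid"]].append(ev)

    findings = {}
    for pid, proc in procs.items():
        name = basename(proc["image"])
        if name not in SUSPECT_IMAGE_NAMES:
            continue
        reasons = ["image name matches a known Betruger disguise (%s)" % name]

        outbound = conns.get(pid, [])
        # A real mailer talks SMTP; a backdoor uploading to C2 usually does not.
        if outbound and not any(c["dest_port"] in MAIL_PORTS for c in outbound):
            reasons.append("outbound connections but no SMTP/submission traffic")

        # Many distinct hosts on a single port is the signature of a network sweep.
        hosts_by_port = defaultdict(set)
        for c in outbound:
            hosts_by_port[c["dest_port"]].add(c["dest_ip"])
        for port, hosts in sorted(hosts_by_port.items()):
            if len(hosts) >= SCAN_HOST_THRESHOLD:
                reasons.append(
                    "scan-like fan-out: %d hosts on port %d" % (len(hosts), port)
                )

        findings[pid] = reasons
    return findings


# Constructed sample telemetry (not real logs). 203.0.113.0/24 is a
# documentation range used here as a stand-in for external addresses.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 100, "image": r"C:\Users\Public\mailer.exe"},
    {"event": "process_create", "pid": 200, "image": r"C:\Program Files\Outlook\outlook.exe"},
    {"event": "process_create", "pid": 300, "image": r"C:\Temp\turbomailer.exe"},
    # pid 100 sweeps SMB on 25 internal hosts, then talks HTTPS to one external host.
    *[{"event": "network_connect", "pid": 100, "dest_ip": "10.0.0.%d" % i, "dest_port": 445}
      for i in range(1, 26)],
    {"event": "network_connect", "pid": 100, "dest_ip": "203.0.113.10", "dest_port": 443},
    # pid 200 behaves like a mail client.
    {"event": "network_connect", "pid": 200, "dest_ip": "203.0.113.20", "dest_port": 587},
    # pid 300 has a suspicious name but no network activity yet.
]


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print("pid %d:" % pid)
        for r in reasons:
            print("  -", r)
```

On the sample data, `mailer.exe` (pid 100) is reported with three reasons (name, no mail traffic, SMB sweep), `turbomailer.exe` (pid 300) with the name match only, and the genuine mail client is not reported. The name list and port sets are the only page-derived inputs; everything else is a tunable heuristic.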
Analyst Comments
RansomHub was one of the top RaaS groups to emerge in the second half of 2024, as reported in Arete’s recently published 2024 Annual Crimeware Report. RansomHub rapidly expanded its operations and displayed a willingness to work with individual affiliates as well as existing threat groups. The development of highly sophisticated malware like Betruger demonstrates the group’s ability to continuously improve its capabilities and further positions RansomHub as a major player in 2025’s ransomware threat landscape.