Pierluigi Paganini March 21, 2025

Symantec researchers linked a custom backdoor, called Betruger, found in recent ransomware attacks to an affiliate of the RansomHub operation.

Symantec’s Threat Hunter team has identified a custom backdoor, named Betruger, linked to a RansomHub affiliate. Designed for ransomware attacks, Betruger combines multiple functions into a single tool to minimize detection. It enables screenshot capture, credential theft, keystroke logging, network scanning, and privilege escalation, reducing the need for multiple tools and lowering the attack footprint.

“The Symantec Threat Hunter team has observed activity from a custom backdoor that can be tied to a RansomHub affiliate.” reads the analysis published by Symantec. “RansomHub is a Ransomware-as-a-Service offering and the backdoor has been named Betruger. This is a multi-function backdoor which appears to have been developed specifically for carrying out ransomware attacks. Betruger incorporates functionality typically seen across multiple tools leveraged during ransomware attacks.”

Ransomware groups usually rely on legitimate tools and public malware like Mimikatz and Cobalt Strike. Custom tools are rare but used for data theft, like Exmatter and Exbyte.

Betruger backdoor is disguised as “mailer.exe” or “turbomailer.exe,” the researchers noticed that lacks mailing functions, likely to appear legitimate.

Experts believe that Betruger may have been developed to minimize the amount of new tools dropped on a targeted network during a ransomware attack. 

RansomHub affiliates use many other tools, the group also exploits techniques like BYOVD to disable security mechanisms. Attackers use vulnerabilities like CVE-2022-24521 and CVE-2023-27532 to escalate privileges and leak credentials. Additional tools in recent attacks include Impacket, Stowaway Proxy, Rclone, Mimikatz, SystemBC, and several remote access tools like ScreenConnect, Atera, and Splashtop, all aiding in data exfiltration and remote access during ransomware campaigns.

“The Betruger backdoor was deployed in several recent RansomHub attacks, suggesting that it is available to at least one affiliate. RansomHub is a RaaS operation run by a cybercrime group Symantec calls Greenbottle. Active since February 2024, Greenbottle has quickly grown RansomHub, becoming the most prolific ransomware operation by the third quarter of 2024, responsible for the highest number of claimed attacks.” concludes the report. “The group has reportedly won over many affiliates by offering them better terms compared to rival operations, such as a great percentage of ransom payments and a payment model where the affiliate is paid by the victim before passing on the operator’s cut.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RansomHub)