March 20, 2025 By Sergiu Gatlan
A newly identified custom backdoor deployed in several recent ransomware attacks has been linked to at least one RansomHub ransomware-as-a-service (RaaS) operation affiliate.
Symantec researchers who named this malware Betruger describe it as a "rare example of a multi-function backdoor" that was likely engineered for use in ransomware attacks.
The malware offers a wide range of capabilities that overlap with features commonly found in malicious tools dropped before ransomware payloads are deployed, including keylogging, network scanning, privilege escalation, credential dumping, screenshotting, and uploading files to a command and control (C2) server.
"The functionality of Betruger indicates that it may have been developed in order to minimize the number of new tools dropped on a targeted network while a ransomware attack is being prepared," Symantec's Threat Hunter Team said.