Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomware

Betruger

Betruger is a backdoor malware associated with ransomware operations, particularly RansomHub affiliates. Reporting describes it as a custom backdoor that is rarely seen in ransomware attacks and as malware used in support of ransomware campaigns. In a September 2024 intrusion analyzed by The DFIR Report, the threat actor initially deployed SectopRAT and then, six days after initial access, used it to deploy Betruger as a second backdoor while conducting additional reconnaissance. Betruger was described as consolidating multiple pre-ransomware capabilities into a single tool, including screenshot capture, keylogging, privilege escalation, network discovery, and credential theft. The same intrusion involved broader post-compromise activity such as use of SystemBC, AdFind, SharpHound, SoftPerfect NetScan, PsExec, DCSync, Windows Defender tampering, process injection, timestomping, and data exfiltration via FTP, but only Betruger’s direct capabilities can be attributed to the malware itself with high confidence. Content also links Betruger to RansomHub and notes its emergence alongside other novel malware families in 2025 threat reporting. No specific infection vector, platform-specific persistence mechanism, or standalone IOC unique to Betruger is provided in the source content.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
sentinelone blogNews
Dec 25, 2025
The Best, the Worst and the Ugliest in Cybersecurity | 2025 Edition

Backdoor malware that supported ransomware campaigns and masqueraded as a legitimate extension.

Read more
the hacker newsNews
Oct 6, 2025
⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

Backdoor malware associated with RansomHub ransomware operations, used for persistent access and control.

Read more
talos intelligence blogNews
Jul 16, 2025
Talos IR ransomware engagements and the significance of timeliness in incident response

Recently discovered backdoor referenced as an example of more bespoke/custom malware that could be used in ransomware intrusions; no additional functional details provided in the content.

Read more
security weekNews
Nov 25, 2025
Threat Actor Connected to Play, RansomHub and DragonForce Ransomware Operations

Betruger is a backdoor consolidating multiple pre-ransomware tool capabilities, including screenshot capture, keylogging, privilege escalation, network discovery, and credential theft, designed to streamline ransomware operations.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.