Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks <\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html\"><br \/>\n<meta property=\"og:title\" content=\"Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks \"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-header.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks \"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-header.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.932646530867\">  <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a>  <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"688127200\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"11.788649706458\">\n<div class=\"article-details\" role=\"heading\" readability=\"43.225048923679\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">From September to December, we detected multiple attacks from the Royal ransomware group. In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks.<\/p>\n<p class=\"article-details__author-by\">By: Ivan Nicole Chavez, Byron Gelera, Monte de Jesus, Don Ovid Ladores, Khristian Joseph Morales <time class=\"article-details__date\">December 21, 2022<\/time> <span>Read time: <\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"32.707865168539\">\n<div readability=\"14.741573033708\">\n<p>Royal <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/definition\/ransomware\" target=\"_blank\" rel=\"noopener\">ransomware<\/a> may have been first observed by researchers around <a href=\"https:\/\/www.securityweek.com\/healthcare-organizations-warned-royal-ransomware-attacks\" target=\"_blank\" rel=\"noopener\">September 2022<\/a>, but it has seasoned cybercriminals behind it: The threat actors running this ransomware \u2014 who used to be a part of Conti Team One, according to a <a href=\"https:\/\/twitter.com\/VK_Intel\/status\/1557003350541242369\" target=\"_blank\" rel=\"noopener\">mind map shared by Vitali Kremez<\/a> \u2014 initially dubbed it Zeon ransomware, until they rebranded it to Royal ransomware. From September to December this year, we have detected multiple attacks from Royal ransomware, with the US and Brazil being the most targeted countries (Figure 1). This blog entry discusses in depth the findings from our investigation of samples of this new piece of ransomware, as well as the tools that Royal ransomware actors used to carry out their attacks.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure01.jpg\" alt=\"Figure 1. Percentage of Royal ransomware attacks by country\"><figcaption>Figure 1. Percentage of Royal ransomware attacks by country<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"31.561307901907\">\n<div readability=\"10.520435967302\">\n<h2><span class=\"body-subhead-title\">Infection Routine<\/span><\/h2>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-royal-ransomware-emerges-in-multi-million-dollar-attacks\/\" target=\"_blank\" rel=\"noopener\">External reports<\/a> mention that the Royal ransomware group uses callback phishing as a means of delivering their ransomware to victims (Figure 2). These phishing attacks contain a number that leads to a service hired by the threat actors. When contacted, they will use social engineering tactics to lure victims into installing remote access software.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure02.jpg\" alt=\"Figure 2. Royal ransomware\u2019s attack flow\"><figcaption>Figure 2. Royal ransomware\u2019s attack flow<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"49\">\n<div class=\"responsive-table-wrap\" readability=\"43\">\n<h2><span class=\"body-subhead-title\">Installation<\/span><\/h2>\n<p>Our investigation found that the ransomware actors used a compiled remote desktop malware, which was used to drop the tools they needed to infiltrate the victim\u2019s system: they used QakBot and Cobalt Strike for lateral movement, while NetScan was used to look for any remote systems connected to the network. Once they infiltrated the system, the ransomware actors used tools such as PCHunter, PowerTool, GMER, and Process Hacker to disable any security-related services running in the system. They then exfiltrate the victim\u2019s data via the RClone tool. We also observed an instance in which they used AdFind to look for active directories, then executed RDPEnable on the infected machine.<\/p>\n<h2><span class=\"body-subhead-title\">Payload<\/span><\/h2>\n<p>Once everything has been set up, the ransomware actors used PsEXEC to execute the malware. The PsEXEC commands contain the ID of the victim, along with any argument that the actors applied to the ransomware. There were also instances of the malware actors using PsEXEC to enable the remote desktop protocol (RDP) of a target system before executing the ransomware.<\/p>\n<h2><span class=\"body-subhead-title\">Analysis<\/span><\/h2>\n<p>In part of our analysis, we used a ransomware sample with the detection name <i>Ransom.Win64.YORAL.SMYXCJCT<\/i>. As shown in Table 1, Figure 3, and Figure 4, Royal ransomware requires an argument of \u201c<i>-id {32-byte characters}<\/i>\u201d to execute on a victim\u2019s machine. It also accepts \u201c<i>-path<\/i>\u201d to specify a target file for encryption and \u201c<i>-ep {value}<\/i>\u201d to calculate the partial file encryption of large files.<\/p>\n<p>In some earlier samples of the ransomware, the binary wouldn\u2019t parse all the arguments due to a bug in the code. For example, \u201c<i>-path<\/i>\u201d won’t be processed if provided after the “<i>-id<\/i>” argument; if provided before, there will be no “<i>-id<\/i>” argument, so it will not proceed.<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"4.5\">\n<tr>\n<td width=\"312\" valign=\"top\"><b>Argument<\/b><\/td>\n<td width=\"312\" valign=\"top\"><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"312\" valign=\"top\">–<i>path {target path}<\/i><\/td>\n<td width=\"312\" valign=\"top\">If provided, will only encrypt the contents of the target path<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"312\" valign=\"top\">–<i>id {32-byte characters}<\/i><\/td>\n<td width=\"312\" valign=\"top\">Will be used as the victim\u2019s ID, which will be appended on the TOR link found in the dropped ransom note. The process exists if not provided or if provided characters is not 32 bytes long<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"312\" valign=\"top\">–<i>ep<\/i><\/td>\n<td width=\"312\" valign=\"top\">This argument is for the full or partial encryption of file routine<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center><\/p>\n<p><span class=\"rte-icon-component-text\">Table 1. Arguments accepted by the Royal ransomware binary<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure03.png\" alt=\"Figure 3. Arguments accepted by the ransomware binary\"><figcaption>Figure 3. Arguments accepted by the ransomware binary<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure04.png\" alt=\"Figure 4. Checking if length of provided \u201c-id\u201d is 32 bytes\"><figcaption>Figure 4. Checking if length of provided \u201c-id\u201d is 32 bytes<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>It enumerates files and directories for encryption using FindFirstFileW, FindNextFileW, and FindClose APIs (Figure 5).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure05.png\" alt=\"Figure 5. File enumeration\"><figcaption>Figure 5. File enumeration<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The ransomware looks for available network shares for network encryption by listing accessible local IPs, then uses NetShareEnum and attempts to connect on ADMIN$ and IPC$ shares (Figure 6).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure06.png\" alt=\"Figure 6. Looking for accessible local IPs then trying to connect to ADMIN$ and IPC$\"><figcaption>Figure 6. Looking for accessible local IPs then trying to connect to ADMIN$ and IPC$<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>It checks for the number of processors in the infected system and uses it as a base for the concurrent running threads for file encryption, as shown in Figure 7. By doing so, Royal ransomware significantly increases the speed of its file encryption process. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure07.png\" alt=\"Figure 7. Checking the number of processors\"><figcaption>Figure 7. Checking the number of processors<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Royal ransomware inhibits system recovery by deleting shadow copies (Figure 8) through the following command:<\/p>\n<p><i><span class=\"blockquote\">C:\\\\Windows\\\\System32\\\\vssadmin.exe delete shadows \/all \/quiet<\/span><\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure08.png\" alt=\"Figure 8. Using vssadmin.exe to delete shadow copies\"><figcaption>Figure 8. Using vssadmin.exe to delete shadow copies<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The ransomware encrypts files using OpenSSL\u2019s Advanced Encryption Standard (AES). It will encrypt the AES key and IV with RSA encryption using the embedded RSA public key (Figure 9). The RSA-encrypted AES key and IV will be appended on each encrypted file (Figure 10).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure09.png\" alt=\"Figure 9. An RSA public key\"><figcaption>Figure 9. An RSA public key<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure10.png\" alt=\"Figure 10. Generation of AES Key and IV\"><figcaption>Figure 10. Generation of AES Key and IV<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.61170212766\">\n<div readability=\"15.148936170213\">\n<p>The malicious actors behind Royal ransomware use a form of <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ransomware-gangs-switching-to-new-intermittent-encryption-tactic\/\" target=\"_blank\" rel=\"noopener\">intermittent encryption tactic<\/a> to speed their encryption process: the ransomware first checks if the file size is divisible by 16, which is a requirement for AES (Figure 11). If not, it rounds up the total size until it is divisible by 16. For example, if the size is 18, it will append zero bytes to the file until it has a size of 32, which is now divisible by 16. Aside from appending the needed zero bytes, it also appends an extra 0x210 Zero bytes as a placeholder for the appended RSA encrypted key.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure11.png\" alt=\"Figure 11. Royal ransomware checking if file size is divisible by 16\"><figcaption>Figure 11. Royal ransomware checking if file size is divisible by 16<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.5\">\n<div readability=\"22\">\n<p>For a file size that has been rounded-up, Royal ransomware will check if the size is less than or equal to 5,245,000 bytes or if the value is set to 100 (0x64), as shown in Figure 12. If the file size is within these limits, it will encrypt the entire file. For files greater than 5,245,000 bytes, file encryption will take place per certain calculated blocks: for example, it will encrypt first N bytes, then skip the next N bytes, then encrypt the next N bytes, and so on.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure12.png\" alt=\"Figure 12. Encryption process and calculation\"><figcaption>Figure 12. Encryption process and calculation<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<p>Its calculation of N bytes is as follows:<\/p>\n<p><span class=\"blockquote\">X \/ 10* (Original file size) & 0xFFFFFFF0<\/span><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">where X is the value set before encryption<\/span><\/li>\n<li><span class=\"rte-red-bullet\">X is either 0x32 (50) or 0x64 (100)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">This value will also be used as indicator if full encryption or partial encryption will be performed on the file<\/span><\/li>\n<\/ul>\n<p>For example, with a file with a file size equal to 5,245,000:<\/p>\n<p><span class=\"blockquote\">N = 50\/10 * (5245000 \/ 100) & 0xFFFFFFF0 = 0x40060 (262240)<\/span><\/p>\n<p>If the calculated N is greater than 1,024,000, it will simply encrypt per 1,024,000 block instead (Figure 13).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure13.png\" alt=\"Figure 13. Condition if N is greater than 1,024,000\"><figcaption>Figure 13. Condition if N is greater than 1,024,000<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div class=\"responsive-table-wrap\" readability=\"7\">\n<p>The encrypted file\u2019s structure would then be as follows (Table 2):<\/p>\n<p><center readability=\"3\"><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"4\">\n<tr>\n<td width=\"312\" valign=\"top\"><b>Description<\/b>\n<\/td>\n<td width=\"312\" valign=\"top\"><b>Size<\/b>\n<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"312\" valign=\"top\">Encrypted File Contents\n<\/td>\n<td width=\"312\" valign=\"top\">Rounded-up file size divisible by 16\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\" valign=\"top\">RSA Encrypted Key\n<\/td>\n<td width=\"312\" valign=\"top\">0x200 bytes\n<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"312\" valign=\"top\">Size of encrypted file \/ offset address of RSA Encrypted Key\n<\/td>\n<td width=\"312\" valign=\"top\">8 bytes\n<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"312\" valign=\"top\">X value, 0x64 or provided value (usually 0x32), indicator if full or partial encryption\n<\/td>\n<td width=\"312\" valign=\"top\">8 bytes\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><center readability=\"6\"><\/p>\n<p><span class=\"rte-icon-component-text\">Table 2. An encrypted file\u2019s structure<\/span><\/p>\n<p>The ransomware then renames the encrypted files by appending them with the \u201c.royal\u201d extension, as demonstrated in Figures 14 and 15.<\/p>\n<p><\/center><br \/>\n<\/center> <\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure14.png\" alt=\"Figure 14. Royal ransomware appending \u201c.royal\u201d to encrypted files\"><figcaption>Figure 14. Royal ransomware appending \u201c.royal\u201d to encrypted files<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure15.png\" alt=\"Figure 15. Encrypted files appended with the \u201c.royal\u201d extension\"><figcaption>Figure 15. Encrypted files appended with the \u201c.royal\u201d extension<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>For each directory it traverses, Royal ransomware drops a text file named \u201cREADME.TXT\u201d that contains the ransom note (Figure 16), as well as an advertisement for its \u201cpentesting services\u201d that the ransomware actors will allegedly provide once the ransom has been paid (Figure 17).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure16.png\" alt=\"Figure 16. Creation of the \u201cREADME.TXT\u201d file\"><figcaption>Figure 16. Creation of the \u201cREADME.TXT\u201d file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-Figure17.png\" alt=\"Figure 17. Contents of "README.TXT" with the sample ID we used appended on the TOR link.\"><figcaption>Figure 17. Contents of “README.TXT” with the sample ID we used appended on the TOR link.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.145028759244\">\n<div readability=\"29.662695152013\">\n<h2><span class=\"body-subhead-title\">Security Recommendations<\/span><\/h2>\n<p>Our investigation into Royal ransomware attacks shows how the group employs a mixture of both old and new techniques, which indicates that it is no newcomer to the ransomware scene. Their use of callback phishing to lure victims into installing remote desktop malware allows them to infiltrate the victim\u2019s machine with relative ease. Their intermittent encryption tactics also hasten their encryption of a victim\u2019s files, with the added benefit of evading detection measures that focus on looking for heavy file IO operations. Despite their \u201clate\u201d entry to the scene in September, the group already has ransomed multiple companies, and we expect them to be more active in the upcoming months. More details on Royal ransomware\u2019s other capabilities can be found in Trend Micro\u2019s <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/threat-encyclopedia\/malware\/Ransom.Win64.ROYALRAN.THIBIBB\/\" target=\"_blank\" rel=\"noopener\">Threat Encyclopedia<\/a>.<\/p>\n<p>We highly advise users and organizations to update their systems with the latest patches and apply multi-layered defense mechanisms. The emergence and success of the Royal ransomware gang underscore how ransomware actors are finding more innovative ways to repurposing existing tools and tactics as a means of augmenting their attacks. End users and enterprises alike can mitigate the risk of infection from new threats like Royal ransomware by following these security best practices: <\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Enable multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Adhere to <a href=\"https:\/\/www.trendmicro.com\/vinfotmr\/?\/us\/security\/news\/virtualization-and-cloud\/best-practices-backing-up-data\" target=\"_blank\" rel=\"noopener\">the 3-2-1 rule<\/a> when backing up important files. This involves creating three backup copies on two different file formats, with one of the copies stored in a separate location. <\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/vulnerabilities-and-exploits\/virtual-patching-patch-those-vulnerabilities-before-they-can-be-exploited\" target=\"_blank\" rel=\"noopener\">Patch and update systems<\/a> regularly. It\u2019s important to keep operating systems and applications up to date and maintain patch management protocols that can deter malicious actors from exploiting any software vulnerabilities.<\/span><\/li>\n<\/ul>\n<p>Companies can also benefit from the use of multilayered detection and response solutions such as <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Vision One\u2122<\/a>, which provides powerful XDR capabilities that collect and automatically correlate data across multiple security layers \u2014 email, endpoints, servers, cloud workloads, and networks \u2014 to prevent attacks via automated protection, while also ensuring that no significant incidents go unnoticed. <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Apex One\u2122<\/a> also provides next-level automated threat detection and response to protect endpoints against advanced issues, like human-operated ransomware. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<h2><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/h2>\n<table border=\"1\" cellspacing=\"0\" width=\"624\">\n<tbody readability=\"27\">\n<tr>\n<td width=\"208\" valign=\"top\"><b>SHA-256<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>Detection<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">c0063d24f3de4e7b89abf9b690a3d264efc6ab7a626f73ad9f42d6bffe52bce7<\/td>\n<td width=\"208\" valign=\"top\">Trojan.Win64.COBALT.BE<\/td>\n<td width=\"208\" valign=\"top\">CobaltStrike<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">fef79160f0ce9aa9dec15c914f2c2b40b2ae1ec2b0e65e414545dbc994afd73d<\/td>\n<td width=\"208\" valign=\"top\">Trojan.Win64.COBALT.BE<\/td>\n<td width=\"208\" valign=\"top\">CobaltStrike<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">3434271f2038afaddad4caad8000e390b3573b2b53e02841653a4ee0dfd73674<\/td>\n<td width=\"208\" valign=\"top\">Trojan.Win64.COBALT.BE<\/td>\n<td width=\"208\" valign=\"top\">CobaltStrike<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">0ac0b3758359855e96367b6c83b0aabdc6cfb59b4caa1cec48632defd21cdf3c<\/td>\n<td width=\"208\" valign=\"top\">Trojan.Win64.COBALT.BE<\/td>\n<td width=\"208\" valign=\"top\">CobaltStrike<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">451cef0085dc5b474cc5c68af079d0367d7d2ec73ae2210788beb5297e1fbd6d<\/td>\n<td width=\"208\" valign=\"top\">Trojan.Win64.COBALT.BE<\/td>\n<td width=\"208\" valign=\"top\">CobaltStrike<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">e710e902507ad63e1d2ce1220212b1a751b70504259457234103bb22845a9424<\/td>\n<td width=\"208\" valign=\"top\">Trojan.Win32.QAKBOT.DRSV<\/td>\n<td width=\"208\" valign=\"top\">QakBot<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">2718dcbb503b6334078daf4af61e17a547fb80c9b811c26cfc9d32f5ce63a826<\/td>\n<td width=\"208\" valign=\"top\">Trojan.Win32.QAKBOT.DRTE<\/td>\n<td width=\"208\" valign=\"top\">QakBot<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"208\" valign=\"top\">abf937fb2f162d1dbbe76c7386c9892db5191e17de586f0a5c49819cd68b5e0f<\/td>\n<td width=\"208\" valign=\"top\">Trojan.Win32.DEYMA.AM<\/td>\n<td width=\"208\" valign=\"top\">Compiled Remote Desktop Malware<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4<\/td>\n<td width=\"208\" valign=\"top\">PUA.Win64.ProcHack.AC<\/td>\n<td width=\"208\" valign=\"top\">Process Hacker<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"208\" valign=\"top\">572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b<\/td>\n<td width=\"208\" valign=\"top\">HackTool.Win32.NetScan.AG<\/td>\n<td width=\"208\" valign=\"top\">NetScan<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"208\" valign=\"top\">094d1476331d6f693f1d546b53f1c1a42863e6cde014e2ed655f3cbe63e5ecde<\/td>\n<td width=\"208\" valign=\"top\">HackTool.Win32.ToolPow.SM<\/td>\n<td width=\"208\" valign=\"top\">PowerTool<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173<\/td>\n<td width=\"208\" valign=\"top\">PUA.Win32.GMER.YABBI<\/td>\n<td width=\"208\" valign=\"top\">GMER<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">d1aa0ceb01cca76a88f9ee0c5817d24e7a15ad40768430373ae3009a619e2691<\/td>\n<td width=\"208\" valign=\"top\">PUA.Win64.PCHunter.B<\/td>\n<td width=\"208\" valign=\"top\">PCHunter<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"208\" valign=\"top\">bb48f5c915ab7bbbbbf092a20169aaf3ced46b492ed69550854a55254ce10572<\/td>\n<td width=\"208\" valign=\"top\">Backdoor.Win32.SWRORT.YXCJ5Z<\/td>\n<td width=\"208\" valign=\"top\">Malware Component<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"208\" valign=\"top\">e263b9d5467bf724000966da2acfe06520a464c566e4b3d9833213f850f3f1f2<\/td>\n<td width=\"208\" valign=\"top\">HackTool.Win32.Adfind.THLOFBB<\/td>\n<td width=\"208\" valign=\"top\">AdFind<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">ac49c114ef137cc198786ad8daefa9cfcc01f0c0a827b0e2b927a7edd0fca8b0<\/td>\n<td width=\"208\" valign=\"top\">HackTool.BAT.RDPEnable.A<\/td>\n<td width=\"208\" valign=\"top\">RDPEnable<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"208\" valign=\"top\">2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f<\/td>\n<td width=\"208\" valign=\"top\">Ransom.Win64.YORAL.SMYXCJCT<\/td>\n<td width=\"208\" valign=\"top\">Royal Ransomware Binary<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">cdd7814074872fc35d18740cdd4e8a5fefcfd6b457fde2920383fd5b11903fc5<\/td>\n<td width=\"208\" valign=\"top\">Ransom_Royal.R06CC0DK222<\/td>\n<td width=\"208\" valign=\"top\">Royal Ransomware Binary<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">a61b71ee73ea8c0f332591e361adeda04705c65b5f4d549066677ec4e71212f7<\/td>\n<td width=\"208\" valign=\"top\">Ransom.Win32.YORAL.YXCKB<\/td>\n<td width=\"208\" valign=\"top\">Royal Ransomware Binary<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"208\" valign=\"top\">56e8bd8b0c5bfb87956f7915bc47a9ecf5d338b804cee1dccacf53400d602be3<\/td>\n<td width=\"208\" valign=\"top\">Ransom.Win32.YORAL.YECJYT<\/td>\n<td width=\"208\" valign=\"top\">Royal Ransomware Binary<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p>   <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p>   <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>From September to December, we detected multiple attacks from the Royal ransomware group. In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks. Read More HERE…<\/p>\n","protected":false},"author":2,"featured_media":49838,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9534,9539,9535],"class_list":["post-49837","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-latest-news","tag-trend-micro-research-ransomware","tag-trend-micro-research-web"],"yoast_head":"\n<title>Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-12-21T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-header.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks\",\"datePublished\":\"2022-12-21T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\\\/\"},\"wordCount\":2076,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Latest News\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Web\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\\\/\",\"name\":\"Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks.jpg\",\"datePublished\":\"2022-12-21T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks.jpg\",\"width\":1835,\"height\":876},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n","yoast_head_json":{"title":"Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/","og_locale":"en_US","og_type":"article","og_title":"Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-12-21T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks-\/RoyalRansomware-header.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks","datePublished":"2022-12-21T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/"},"wordCount":2076,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/12\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Latest News","Trend Micro Research : Ransomware","Trend Micro Research : Web"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/","url":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/","name":"Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/12\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks.jpg","datePublished":"2022-12-21T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/12\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/12\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks.jpg","width":1835,"height":876},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49837","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=49837"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49837\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/49838"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=49837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=49837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=49837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":49837,"date":"2022-12-21T00:00:00","date_gmt":"2022-12-21T00:00:00","guid":{"rendered":"urn:uuid:55408c39-a3a7-1da8-f2a3-283f8aa14320"},"modified":"2022-12-21T00:00:00","modified_gmt":"2022-12-21T00:00:00","slug":"conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-with-callback-phishing-attacks\/","title":{"rendered":"Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks"},"content":{"rendered":"