RastaFarEye

RastaFarEye is identified in the provided content as the known operator and developer of the DarkGate malware-as-a-service (MaaS) platform. The reporting attributes DarkGate development to RastaFarEye, while assessing the specific October 2025 campaign described as likely operated by an unknown affiliate using campaign ID 4479023 under the DarkGate MaaS model. In the referenced activity, DarkGate v6 was delivered via a five-layer execution chain beginning with an IExpress self-extracting archive and progressing through an obfuscated batch stage, abuse of a legitimate AutoIt3 interpreter, RC4 decryption using campaign key 4479023, LZNT1 decompression, and in-memory execution of the DarkGate core DLL via process hollowing into explorer.exe or TapiUnattend.exe. The malware employed extensive anti-analysis and evasion measures, including hostname, username, AV, VM, and sandbox checks, as well as NTDLL unhooking by restoring a clean ntdll.dll .text section from disk. The sample was also tagged with LummaStealer, indicating dual-payload credential-theft delivery in that campaign. Infrastructure associated with the campaign included Cloudflare-fronted C2 domains investmentsystems[.]top and oneinvestmentstudio[.]top, with backend hosting linked in the report to providers described as bulletproof hosting. No additional aliases or sub-groups beyond the name RastaFarEye are directly supported by the provided content.