DarkWatchman

Volt Typhoon has obtained the victim's system current location.

With control of an accountant’s machine, attackers could log into corporate online banking portals and initiate transactions directly from the compromised system, making the activity appear legitimate.

In late April, a previously unknown and financially motivated hacking group (Hive0117) dropped a copy of DarkWatchman malware in a phishing campaign impersonating a Russian agency and targeting Eastern European countries.

В феврале и марте текущего года злоумышленники разослали вредоносные письма более чем в 3000 российских компаний... К письмам прилагались защищенные паролем RAR-архивы, внутри которых скрывался вредоносный файл, замаскированный под финансовые документы.

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

DarkWatchman gives attackers the ability to run commands remotely...

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

With control of an accountant’s machine, attackers could log into corporate online banking portals and initiate transactions directly from the compromised system, making the activity appear legitimate.

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

With control of an accountant’s machine, attackers could log into corporate online banking portals and initiate transactions directly from the compromised system, making the activity appear legitimate.

The emails were sent from what appeared to be legitimate but likely compromised accounts... Attached files were packaged in password-protected archives disguised as routine business documents...

APT5 has used the THINBLOOD utility to clear SSL VPN log files located at /home/runtime/logs.

DarkWatchman can uninstall malicious components from the Registry, stop processes, and clear the browser history.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

CSPY Downloader has the ability to remove values it writes to the Registry.

With control of an accountant’s machine, attackers could log into corporate online banking portals and initiate transactions directly from the compromised system, making the activity appear legitimate.

DarkGate queries system locale information during execution. Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.

После запуска такого файла в систему жертвы устанавливается вредонос DarkWatchman, который загружает на зараженную машину модуль кейлоггера. Тот, в свою очередь, перехватывает нажатия клавиш...

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

...и даже отслеживает подключение криптографического токена. Дело в том, что такие токены часто используются для входа в системы ДБО юридических лиц.

APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.

DarkGate queries system locale information during execution. Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.

После запуска такого файла в систему жертвы устанавливается вредонос DarkWatchman, который загружает на зараженную машину модуль кейлоггера. Тот, в свою очередь, перехватывает нажатия клавиш...

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

Тот, в свою очередь, перехватывает нажатия клавиш, следит за содержимым буфера обмена...

Examples in the content include malware extracting or unpacking ZIP, RAR, CAB, tar.gz, and other archived content, such as 'Emotet has used a self-extracting RAR file to deliver modules to victims' and 'Rocke has extracted tar.gz files after downloading them from a C2 server.'

При этом пароль от архива указывался прямо в теле письма, что помогает обходить почтовые фильтры и антивирусные проверки.

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

DarkWatchman gives attackers the ability to... download additional malicious tools...

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

DarkWatchman, a remote access trojan that allows attackers to maintain covert control over compromised systems.

The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.

Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.