Mallory
Malware | Used by 1 actor

Darkhotel

Darkhotel is the malware and tooling set associated with the espionage group of the same name (this page attributes it to that single actor via MITRE ATT&CK). The documented behaviours are anti-analysis and host reconnaissance. The malware decrypts its strings and imports with RC4 at run time, just in time for each use, so the cleartext appears neither in the file image nor all at once in memory; that defeats static string extraction and the memory-scanning heuristics sandboxes rely on. It also collects the victim machine's IP address and network adapter information. The page does not give an infection vector, targeted industries, or concrete indicators of compromise.
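As an added worked example (not code from the Mallory page, from MITRE ATT&CK, or from Darkhotel itself), the following Python models the just-in-time RC4 string and import decryption described above: only ciphertext is stored, each string is decrypted immediately before use, and an import name is recovered and looked up without ever being present as a cleartext constant. The key, the string table, and the "export table" are constructed for this example; the real key and strings are per-sample and unknown here.

```python
"""Model of just-in-time RC4 string/import decryption (added example).

Nothing here is Darkhotel's code; the key, strings and export addresses
are constructed so the script runs offline.
"""
from __future__ import annotations


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same call."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm, XORed with input
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed sample of what a Darkhotel-style binary carries on disk: a table
# of RC4 ciphertext blobs. The cleartext never exists in the file image.
SAMPLE_KEY = b"example-rc4-key"  # assumption: real samples use their own key
SAMPLE_STRINGS = {
    "api_snapshot": b"CreateToolhelp32Snapshot",  # import resolved for process enumeration
    "api_adapters": b"GetAdaptersInfo",           # import used for adapter/IP recon
    "c2_host": b"c2.example.invalid",             # placeholder, not a real IOC
}
ENCRYPTED_TABLE = {name: rc4(SAMPLE_KEY, s) for name, s in SAMPLE_STRINGS.items()}


def decrypt_string(name: str, key: bytes = SAMPLE_KEY) -> str:
    """Just-in-time decryption: cleartext is produced right before use and
    dropped when the caller is done, so it is never resident as a whole."""
    return rc4(key, ENCRYPTED_TABLE[name]).decode()


def static_strings_hit(needle: bytes) -> bool:
    """What a `strings`-style pass or a sandbox file scan sees: only the table."""
    return any(needle in blob for blob in ENCRYPTED_TABLE.values())


def resolve_import(name: str, exports: dict[str, int] | None = None) -> int:
    """Decrypt an import name and look it up GetProcAddress-style. The
    export table here is constructed; on Windows this would be a real DLL."""
    if exports is None:
        exports = {"CreateToolhelp32Snapshot": 0x7FF01000, "GetAdaptersInfo": 0x7FF02000}
    api_name = decrypt_string(name)  # cleartext exists only inside this call
    return exports[api_name]


if __name__ == "__main__":
    print("cleartext in file image:", static_strings_hit(b"CreateToolhelp32Snapshot"))
    print("decrypted at call time:", decrypt_string("api_snapshot"))
    print("resolved import:", hex(resolve_import("api_snapshot")))
```

For analysis work the useful part is `rc4` plus the table: once the per-sample key is recovered from the unpacking routine, the same function decrypts every blob in one pass and restores the strings a static triage would otherwise miss.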


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Darkhotel

Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection.

Source: MITRE ATT&CK (attack.mitre.org)
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth (ATT&CK tactic: Defense Evasion)

1 technique
T1140 Deobfuscate/Decode Files or Information (evidence: 2)

Evidence:
"...macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload." / "...involved the use of Base64 obfuscated scripts and commands." / "...deobfuscated Base64-encoded commands..."
"...ability to decrypt AES encrypted payloads." / "...used RC4 algorithm to decrypt configuration data." / "...unpack itself into memory using XOR."

Discovery (ATT&CK tactic: Discovery)

1 technique
T1057 Process Discovery (evidence: 1)

Evidence:
"...used tasklist to enumerate processes..." / "...used the ps command to list processes..." / "...calling CreateToolhelp32Snapshot... to enumerate the running processes..."
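As an added detection example (not from the Mallory page, MITRE ATT&CK, or any vendor rule set), the Python below runs simple logic for the two mapped techniques over constructed process-creation events: certutil invoked with a decode switch (T1140) and process enumeration via tasklist or ps (T1057). Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the events, the parent-process allow-list, and the severity scheme are assumptions made for this example.

```python
"""Detection of certutil decoding (T1140) and process listing (T1057) over
constructed Sysmon-style process-creation events (added example)."""
import ntpath
import re
from typing import Iterable

# Constructed sample telemetry; keys mirror Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\Public\stage.txt C:\Users\Public\stage.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 2, "Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist /v", "ParentImage": r"C:\Users\Public\stage.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify -urlfetch cert.cer",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 4, "Image": "/usr/bin/ps", "CommandLine": "ps aux", "ParentImage": "/bin/bash"},
    {"id": 5, "Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# certutil's decode switches; both "-" and "/" prefixes are accepted by the tool.
DECODE_FLAG = re.compile(r"(?:^|\s)[-/]decode(?:hex)?\b", re.IGNORECASE)
PROCESS_LISTERS = {"tasklist.exe", "ps"}
# Assumed allow-list: a listing spawned by an interactive shell is routine admin
# activity; one spawned by an unexpected binary (e.g. a freshly decoded payload)
# is what the T1057 procedure looks like in practice.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}
# Office parents make certutil decoding far more suspicious (macro-driven staging).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path: str) -> str:
    # ntpath treats both "\" and "/" as separators, so Linux paths work too.
    return ntpath.basename(path).lower()


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one finding per matching event with technique and severity."""
    findings = []
    for ev in events:
        image = basename(ev["Image"])
        cmd = ev.get("CommandLine", "")
        parent = basename(ev.get("ParentImage", ""))
        if image == "certutil.exe" and DECODE_FLAG.search(cmd):
            findings.append({
                "event": ev["id"], "technique": "T1140",
                "severity": "high" if parent in OFFICE_PARENTS else "medium",
                "reason": f"certutil decode switch, parent {parent}",
            })
        elif image in PROCESS_LISTERS:
            findings.append({
                "event": ev["id"], "technique": "T1057",
                "severity": "low" if parent in INTERACTIVE_SHELLS else "high",
                "reason": f"process listing via {image}, parent {parent}",
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Event 3 deliberately exercises certutil without a decode switch and produces no finding; keying on the image name alone would page on every certificate operation, which is the usual source of noise for this rule. The parent-process context is what separates the T1057 evidence quoted above from routine `tasklist` use by an administrator.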

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (2)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.