DarkMe

DarkMe is a Visual Basic/VB6 remote-access trojan and spy trojan associated with the financially motivated threat activity tracked as Evilnum and later linked with high confidence to Water Hydra / DarkCasino. Reporting states the malware has been used in campaigns targeting forex traders, stock traders, and financial trading platforms, with related Water Hydra victimology also including banks, cryptocurrency platforms, gambling sites, and casinos. DarkMe has been distributed through trading forums, stock-trading Telegram channels, file-sharing services, and exploit-driven delivery chains.

Documented delivery vectors include exploitation of WinRAR zero-day CVE-2023-38831 using specially crafted archives masquerading as benign files such as .jpg or .txt, and Water Hydra’s use of CVE-2024-21412 Internet Shortcut/SmartScreen bypass chains to deliver DarkMe. In January 2024, Trend Micro reported Water Hydra streamlined DarkMe infection through a malicious .MSI stage. Broader 2026 reporting also describes forex-themed multi-stage loaders using PowerShell and script-based loaders, AMSI bypasses, AES-encrypted payload retrieval from GitHub, and fileless .NET assembly loading in campaigns where DarkMe tooling remained active.

DarkMe samples analyzed across 2023-2026 shared a stable VB6 lineage, including nine samples with imphash 3e847ec4ad926dd89c2f4cb28d036c11. The DarkMe builder was reportedly compiled on 2022-05-01 22:07:11 UTC and was still generating active malware in March 2026. Three 2026 samples shared PE timestamp characteristics, entry point 0x12C4, and .text SHA256 6ca93b13b5db11414c6ab928aa0243b65927fcce20c16f9bdcfdddd9461726ce. Reporting also notes a shared embedded VB6 type library path, C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb, across a 2022 Evilnum-linked DLL and a 2024 WaterHydra payload, supporting linkage between Evilnum, DarkCasino, Water Hydra, and later activity.

Observed DarkMe functionality includes command handling via reversed UTF-16LE strings such as EXELHS for shell execution and OLAPIZ for ZIP archive creation. It uses custom TCP communications over a SOCKET_WINDOW class; sandbox analysis confirmed UDP traffic to 38.57.44.173:4242 in one case. Every analyzed DarkMe sample reportedly used the literal cleartext C2 password string "password." Persistence observed for EXE variants used HKLM...\RunOnce*RD_, while a 2024 WaterHydra MSI/DLL variant persisted via HKCU...\Run\HomeDLL using rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}. Related investigations reconstructed active C2 evolution and confirmed infrastructure including 91.124.98.29:2626 live during a 2026 investigation.

Code artifacts in the DarkMe codebase included multiple Italian-language strings such as ciapa, tuttidati, segreto, stocavoloccio, squola, estatolui, and zalone; one report assessed the developer may be bilingual Italian/Spanish based on these artifacts, locale 0x0C0A, and a Spanish WinSock error string. Later reporting states Water Hydra removed some earlier attribution artifacts, including the "DarkMe" mutex string, but retained the embedded type library path noted above.

Operational impact described in the reporting includes unauthorized access to victims’ broker accounts, illicit financial transactions, and fraudulent fund withdrawals. High-confidence indicators directly mentioned in the content include C2 91.124.98.29:2626, UDP traffic to 38.57.44.173:4242, imphash 3e847ec4ad926dd89c2f4cb28d036c11, .text SHA256 6ca93b13b5db11414c6ab928aa0243b65927fcce20c16f9bdcfdddd9461726ce, the cleartext C2 password "password," the VB6 type library path C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb, and persistence artifacts including HKLM...\RunOnce*RD_ and HKCU...\Run\HomeDLL with rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}.