Darkcomp
Darkcomp is a backdoor malware family linked in public reporting to the Iranian threat actor Seedworm, also known as MuddyWater. Multiple sources in the provided content state that Google, Microsoft, and Kaspersky linked Darkcomp to Seedworm, and that the malware was signed in some cases with the code-signing certificate issued to “Donald Gay.” Darkcomp is also described as being delivered by the Stagecomp downloader, with several reports explicitly stating that Stagecomp is designed to deploy or download the Darkcomp backdoor.
In the intrusion activity described by Rapid7, attackers assessed with medium/moderate confidence to be MuddyWater used valid credentials obtained through Microsoft Teams-based social engineering and phishing, then used RDP and curl to deploy payloads that included Darkcomp, a malicious Microsoft WebView2 loader intended to disguise traffic, and an encrypted configuration file that sent instructions to Darkcomp. The broader campaign involved credential harvesting, MFA manipulation, remote access via tools such as AnyDesk and DWAgent, lateral movement using compromised accounts, and theft of sensitive data. Rapid7 assessed that the operation was disguised as a Chaos ransomware incident to conceal espionage activity or preposition for possible future destructive attacks.
The content also places Darkcomp within a broader MuddyWater malware ecosystem that includes Stagecomp, Dindoor, and Fakeset, and notes reporting tying these malware families to targeting of U.S. entities. High-confidence details directly supported by the content are that Darkcomp is a backdoor, that Stagecomp delivers/downloads it, that the “Donald Gay” certificate was previously used to sign Darkcomp-related malware, and that the malware has been associated with Seedworm/MuddyWater in reporting by Google, Microsoft, Kaspersky, Broadcom/Symantec, PolySwarm, and Rapid7.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
По данным Broadcom, сертификат «Donald Gay» ранее использовался для подписи малвари, предположительно связываемой с Seedworm [названия Stagecomp/Darkcomp требуют верификации по первоисточнику Broadcom].
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence
1 technique
Persistence
Privilege Escalation
1 technique
Privilege Escalation
Defense Impairment
1 technique
Defense Impairment
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named malware reportedly tied to Seedworm in public reporting, but the content explicitly notes the name requires verification from the original Broadcom source.
Malware attributed to MuddyWater and referenced as being signed with a code-signing certificate linked to the group.
Backdoor malware deployed after credential theft and RDP access; it received instructions from an encrypted configuration file and was used as part of the intrusion to support espionage activity.
Malware previously signed with the Donald Gay certificate and independently linked to Seedworm.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.