Mallory

DarkVisionRAT

DarkVisionRAT is a commercial remote access trojan (RAT) sold on underground forums. It was observed as one of several payload families distributed in the active Amadey botnet campaign tagged fbf543 in March 2026. Breakglass Intelligence linked the campaign to a pay-per-install operation that delivered more than 50 payloads over four days and more than 100 tracked samples across 24 malware families over roughly March 1-10, 2026.

In that reporting, DarkVisionRAT appeared alongside other remote access tools, including XWorm, QuasarRAT, AsyncRAT, and RemcosRAT, and was used for real-time remote control. The campaign also deployed stealers, loaders, and coin miners, and abused legitimate RMM tools such as ConnectWise, DattoRMM, Atera, GoToResolve, and N-able for persistence, indicating that DarkVisionRAT was one component of a broader criminal distribution ecosystem rather than the sole objective.

High-confidence delivery context places DarkVisionRAT in the Amadey fbf543 distribution chain, including activity on March 6, 2026, when the campaign deployed XWorm, SantaStealer, NirCmd, a ConnectWise MSI, AsyncRAT, HijackLoader, and DarkVisionRAT. Infrastructure associated with the broader campaign included the Amadey C2 sys32[.]cc, backend payload hosting at labinstalls[.]info on 158.94.211.222, and initial delivery from qpgroup[.]top. The operation was assessed with low-to-medium confidence as financially motivated and likely linked to the CIS or Russian-speaking cybercrime ecosystem.

No DarkVisionRAT-specific IOCs, persistence mechanisms, or internal technical details beyond its role as a commercial RAT and its deployment for remote control were provided in the source reporting.


MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Command and Control (1 technique)

T1105 Ingress Tool Transfer (evidence: 1): Amadey downloads 50+ payloads to infected hosts
