DarkMe RAT
DarkMe RAT is a custom Visual Basic 6 remote access trojan and the signature malware associated with the WaterHydra/DarkCasino APT lineage. In the referenced investigation, seven DarkMe samples shared command-and-control infrastructure with a QuasarRAT deployment, including 91.124.98.29:2626, and additional infrastructure mapping associated 38.57.44.173:4242 with a DarkMe RAT C2 that was offline at the time of reporting. The malware was linked with moderate-to-high confidence to WaterHydra/DarkCasino through shared DarkMe tooling, forex-focused targeting, and reuse of the VB6 developer workspace path C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb, a path previously observed in Evilnum and WaterHydra samples from 2022 and 2024. Nine DarkMe samples from 2023 to 2026 shared the identical VB6 import hash 3e847ec4ad926dd89c2f4cb28d036c11, which was assessed to indicate the same builder.
DarkMe RAT uses reversed UTF-16LE command strings and a SOCKET_WINDOW class for asynchronous C2 communication. Reported command capabilities include shell execution via SHLEXE, file operations, directory mapping, ZIP archive creation, and system reconnaissance. The broader operator infrastructure included Windows servers managed through AnyDesk on TCP port 7070, which were assessed to provide GUI access to hosts running DarkMe RAT, Flask bot relays, and other C2 tooling.
The activity described in the report was associated with an actor using the handle evilgrou-tech and attributed to the WaterHydra/DarkCasino lineage. Targeting noted in the report included forex traders in Italy and cryptocurrency users associated with "Pumpfun." Two DarkMe samples were reported as carrying self-signed certificates impersonating Microsoft under the subjects "Microsoft Corporation" and "Microsoft Windows Publisher."
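The reversed UTF-16LE command strings mentioned above are a practical triage handle when a sample is unpacked or dumped from memory. The scanner below is an added example, not code from the report or from the Mallory platform; it assumes "reversed" means the command characters are stored back to front before UTF-16LE encoding, and it uses only the command names the page cites (SHLEXE, FRIKAT, ZIPALO).

```python
"""Triage helper (added example): locate DarkMe-style command tokens stored as
reversed UTF-16LE strings in a dumped or unpacked buffer. Assumption: the command
is reversed character-wise (e.g. "SHLEXE" -> "EXELHS") and then UTF-16LE encoded."""
from typing import List, Tuple

# Command names taken from the report; the list is not exhaustive.
KNOWN_COMMANDS = ["SHLEXE", "FRIKAT", "ZIPALO"]

def encode_reversed_utf16le(command: str) -> bytes:
    """Encode a command the way this scanner assumes DarkMe stores it."""
    return command[::-1].encode("utf-16-le")

def decode_reversed_utf16le(blob: bytes) -> str:
    """Inverse of encode_reversed_utf16le: decode UTF-16LE, then un-reverse."""
    return blob.decode("utf-16-le")[::-1]

def find_commands(data: bytes, commands=KNOWN_COMMANDS) -> List[Tuple[str, int, str]]:
    """Return (command, offset, form) for every hit, sorted by offset.
    'form' is "reversed" when the token is stored back to front and "plain" when it
    is ordinary UTF-16LE, so an analyst can see which convention a sample uses."""
    hits = []
    for cmd in commands:
        for form, needle in (("reversed", encode_reversed_utf16le(cmd)),
                             ("plain", cmd.encode("utf-16-le"))):
            start = 0
            while (idx := data.find(needle, start)) != -1:
                hits.append((cmd, idx, form))
                start = idx + 2  # advance one UTF-16 code unit and keep scanning
    return sorted(hits, key=lambda h: h[1])

# Constructed sample buffer (not from a real sample) standing in for a dumped
# data region: padding, one reversed token, filler bytes, one plain token.
SAMPLE = (b"\x00" * 8 + encode_reversed_utf16le("SHLEXE")
          + b"\x90\x90" + "ZIPALO".encode("utf-16-le") + b"\x00" * 4)

if __name__ == "__main__":
    for cmd, off, form in find_commands(SAMPLE):
        print(f"{cmd} at offset {off:#x} ({form})")
```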
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories.
DarkMe RAT is the signature malware of the WaterHydra/DarkCasino APT group. Seven DarkMe samples were found sharing the same C2 IP as the QuasarRAT deployment. DarkMe is a custom VB6 RAT with reversed UTF-16LE command strings, a SOCKET_WINDOW class for asynchronous C2 communication, and a command set including shell execution (SHLEXE), file operations, directory mapping, ZIP archive creation, and system reconnaissance.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
- T1566.002 Spearphishing Link: forex forum posts, Telegram trading channels

Execution (4 techniques)
- T1059.001 PowerShell: multi-stage PS1 loaders with AMSI bypass
- T1059.005 Visual Basic: DarkMe VB6 RAT, forex.sct COM scriptlet
- T1203 Exploitation for Client Execution: CVE-2024-21412, CVE-2023-38831
- T1204.002 User Execution: Malicious File: disguised trading lures

Persistence (3 techniques)
- T1112 Modify Registry: COM object persistence, Run keys. DarkMe EXE variants write to HKLM\...\RunOnce\*RD_ via WScript.Shell.RegWrite ...
- T1547 Boot/Logon Autostart Execution: Registry Run keys, Startup shortcuts

Privilege Escalation (2 techniques)
- T1547 Boot/Logon Autostart Execution: Registry Run keys, Startup shortcuts

Stealth (6 techniques)
- T1027 Obfuscated Files: AES encryption, reversed strings, steganography
- T1036 Masquerading: AnyDesk disguised as legitimate remote support
- T1036.001 Invalid Code Signature: fake "Microsoft Corporation" and "Microsoft Windows Publisher" certs
- Process Masquerading: drops as RuntimeBroker.exe, ctfmon.exe, dwm.exe, TextInputHost.exe, chrome_update.exe, edge_update.exe, windows_update.exe
- Execution Variants: forex.sct COM scriptlet via regsvr32 (LOLBin, CLSID FEEDACDC). The DLL variant (2022 Evilnum) uses COM CLSID registration executed via rundll32 /sta {CLSID}. The 2024 WaterHydra MSI variant persists through HKCU\...\Run\HomeDLL pointing to rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}.

Defense Impairment (2 techniques)
- T1112 Modify Registry: COM object persistence, Run keys. DarkMe EXE variants write to HKLM\...\RunOnce\*RD_ via WScript.Shell.RegWrite ...
- T1553.005 Mark-of-the-Web Bypass: WaterHydra CVE-2024-21412 (historical)

Credential Access (1 technique)

Collection (3 techniques)
- T1056.001 Keylogging: Gma.System.MouseKeyHook (QuasarRAT), DarkMe FRIKAT
- T1113 Screen Capture: DarkMe FRIKAT command
- T1560 Archive Collected Data: DarkMe ZIPALO command

Command and Control (5 techniques)
- T1071.001 Web Protocols: GitHub raw content for payload staging
- T1105 Ingress Tool Transfer: GitHub-staged AES-encrypted payloads
- T1219 Remote Access Software: AnyDesk for persistent operator access to C2 infrastructure
- T1571 Non-Standard Port: AnyDesk on 7070, DarkMe on 4242
- T1573.002 Encrypted Channel: TLS 1.2 on AnyDesk connections
IOCs tracked for this family
19 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Remote access trojan with C2 infrastructure observed on port 4242; the report describes AnyDesk being used by the operator to manage Windows servers hosting DarkMe RAT C2 components.
A custom VB6 remote access trojan associated with WaterHydra/DarkCasino. It provides shell execution, file operations, directory mapping, ZIP archive creation, reconnaissance, screenshot capability, and keylogging.