DarkComet

Malware updated 5 months ago (2024-07-09T14:17:45.810Z)

Download STIX

Preview STIX

DarkComet is a Remote Access Trojan (RAT) that opens a backdoor on infected computers, allowing unauthorized access and data theft. This malware has been classified among the top five Command and Control (C2) families, indicating its widespread usage by cybercriminals. DarkComet, along with other established tools such as PlugX, Remcos, and QuasarRAT, saw a significant increase in use in 2022. The malware's capabilities are not limited to any single category but span across post-exploitation frameworks, backdoors, and botnets. Throughout 2023, DarkComet was deployed through various means, including a downloader committed to GitHub at the beginning of the year. This downloader was used to deliver multiple threats, including DarkComet itself, DcRat, njRAT, and AgentTesla. DarkComet-related variants, such as Win.Dropper.DarkComet-10011490-1 and BlackHole (a variant of a Windows Trojan), further demonstrate the malware's versatility and persistent threat. The report from Recorded Future provides additional insight into the prevalence of DarkComet among RATs. It ranks DarkComet among the top five most-used RATs, alongside two open-source tools, AsyncRAT and Quasar RAT, and two other well-established tools, PlugX and ShadowPad. Furthermore, the report reveals C2 infrastructure associated with the DarkComet RAT, demonstrating its continued relevance in the cybersecurity landscape. Despite these insights, questions remain about whether DarkComet uses the same implant for every controller that is downloaded, which could have implications for future mitigation strategies.

Description last updated: 2024-07-09T13:20:38.929Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Dcrat is a possible alias for DarkComet. DcRAT is a malicious software (malware) known as a Remote Access Trojan (RAT), which has been utilized in a widespread campaign to exploit computer systems. The malware infiltrates systems through deceptive methods, including downloads from fake Google Meet and OnlyFans sites. When a user interacts	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Rat

Trojan

Malware

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The njRAT Malware is associated with DarkComet. NjRAT is a remote-access Trojan (RAT) that has been in use since 2013, often deployed in both criminal and targeted attacks. This malware can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, NjRAT can steal personal information, d	Unspecified	2
The Agenttesla Malware is associated with DarkComet. AgentTesla is a well-known Remote Access Trojan (RAT) and infostealer malware that has been used in numerous cyber-attacks. It is often delivered through malicious emails or downloads, and once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for rans	Unspecified	2
The AsyncRAT Malware is associated with DarkComet. AsyncRAT is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. It has recently risen to prominence, ra	Unspecified	2

Source Document References

Information about the DarkComet Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Recorded Future	5 months ago	2023 Adversary Infrastructure Report \| Recorded Future
InfoSecurity-magazine	6 months ago	Russian Actors Weaponize Legitimate Services in Multi-Malware Attack
CERT-EU	10 months ago	Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over
InfoSecurity-magazine	10 months ago	Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over
Recorded Future	10 months ago	2023 Adversary Infrastructure Report \| Recorded Future
CERT-EU	a year ago	Threat Roundup for October 13 to October 20
Securityaffairs	a year ago	Talos wars of customizations of the open-source info stealer SapphireStealer
CERT-EU	a year ago	SapphireStealer: Open-source information stealer enables credential and data theft
CERT-EU	a year ago	All the Mac malware we know about
MITRE	2 years ago	Cyber-espionage group uses Chrome extension to infect victims
MITRE	2 years ago	Two Birds, One STONE PANDA
MITRE	2 years ago	ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe
MITRE	2 years ago	Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
MITRE	2 years ago	DARKCOMET - Threat Encyclopedia
MITRE	2 years ago	You dirty RAT! Part 1: DarkComet \| Malwarebytes Labs
Recorded Future	2 years ago	2022 Adversary Infrastructure Report
CERT-EU	2 years ago	Threat Round up for February 10 to February 17
CERT-EU	2 years ago	Threat Roundup for April 14 to April 21