Darkgate

Malware updated a month ago (2024-10-24T14:40:50.460Z)
DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicious downloads, emails, or websites, often without user awareness. Once inside a system, it can exploit the system's vulnerabilities, steal personal information, disrupt operations, or even hold data hostage for ransom. The malware is known for its versatility in execution, including the use of MSI files to execute payloads, a technique also employed by other adversaries like Latrodectus.

Recently, a major campaign by DarkGate was reported where it exploited a zero-day vulnerability in Microsoft Windows. This allowed the malware to gain unauthorized access and perform its malicious activities. The campaign was widespread, with the malware being planted far and wide through Internet Advertising Bureaus (IABs) like RedLine, Qakbot, and Raccoon. These platforms then sell the access they provide to other malicious actors, enabling a specialized exchange of services within the cybercriminal ecosystem.

The DarkGate malware campaign has been linked to Vietnamese threat actors who operate a malware-as-a-service (MaaS) operation. These actors have been delivering payloads like the DarkGate remote access Trojan (RAT) against companies in the digital marketing sector. In addition, the campaign has reportedly abused popular messaging platforms like Skype and Teams, further expanding its reach and potential impact. The ongoing activities of these threat actors and the evolving nature of DarkGate underscore the critical need for robust cybersecurity measures.
Description last updated: 2024-10-22T17:43:34.425Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

Darkcasino is a possible alias for Darkgate (2 votes). DarkCasino is a threat actor that has recently emerged in the cybersecurity landscape. As a malicious entity, it's responsible for executing actions with potentially harmful intent. The nature of such entities can range from individual hackers to more organized groups affiliated with private compani
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Phishing
Exploit
Ransomware
Windows
Cybercrime
Payload
Infostealer
Microsoft
Spam
Zero Day
Maas
Skype
Loader Malware
PowerShell
Malvertising
Backdoor
Dropper
Trojan
Rat
Evasive
Infiltration
Vulnerability
Malware Loader
Botnet
Malware Payl...
Remcos
Sharepoint
Remote Code ...
Associated Malware
Each entry gives the alias, its description, the association type, and the vote count.

The QakBot Malware is associated with Darkgate (association type: Unspecified; 6 votes). Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d

The Ducktail Malware is associated with Darkgate (association type: Unspecified; 5 votes). "Ducktail" is a malicious software (malware) first observed in 2022, specifically designed to target Facebook business accounts. The malware was discovered by Zscaler, a leading cybersecurity firm, and it's suspected to originate from threat actors based in Vietnam. Ducktail not only infiltrates sys

The Pikabot Malware is associated with Darkgate (association type: Unspecified; 5 votes). Pikabot is a type of malware that serves as a trojan, providing initial access to infected computers. This enables the execution of ransomware deployments, remote takeovers, and data theft. It is part of a wider array of malicious software, including IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoa

The Netsupport Malware is associated with Darkgate (association type: Unspecified; 3 votes). NetSupport is a legitimate remote access software that has been repurposed as malware by various cybercriminal groups. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate system

The Lobshot Malware is associated with Darkgate (association type: Unspecified; 3 votes). Lobshot is a stealthy remote access malware that has been used by cybercriminals, notably Russian threat actors, in various malicious campaigns. It was featured alongside other well-known malware samples like DarkGate infostealer, Ducktail, and Redline in deceptive campaigns where it was embedded in

The Redline Malware is associated with Darkgate (association type: Unspecified; 3 votes). RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. RedLine has been favored by threat actor

The IcedID Malware is associated with Darkgate (association type: Unspecified; 3 votes). IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d

The Lokibot Malware is associated with Darkgate (association type: Unspecified; 2 votes). LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information

The Black Basta Malware is associated with Darkgate (association type: Unspecified; 2 votes). Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses

The Qbot Malware is associated with Darkgate (association type: Unspecified; 2 votes). Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi

The Redline Stealer Malware is associated with Darkgate (association type: Unspecified; 2 votes). The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s

The Emotet Malware is associated with Darkgate (association type: Unspecified; 2 votes). Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,

The Autoit Malware is associated with Darkgate (association type: Unspecified; 2 votes). AutoIt is a type of malware that exploits and damages computer systems by infiltrating them through suspicious downloads, emails, or websites. It utilizes a complex attack chain involving an SFX archive that unpacks an AutoIt script and executes "MicrosoftStores.exe". This action subsequently launch
Associated Threat Actors
Each entry gives the alias, its description, the association type, and the vote count.

The Battleroyal Threat Actor is associated with Darkgate (association type: Unspecified; 4 votes). BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and notably, a Windows SmartScreen

The Water Hydra Threat Actor is associated with Darkgate (association type: Unspecified; 3 votes). Water Hydra, also known as DarkCasino, is a threat actor group that has been exploiting the Windows SmartScreen vulnerability CVE-2024-21412 since mid-January 2024. This group has demonstrated a sophisticated attack chain, using this zero-day exploit to bypass Microsoft Defender SmartScreen and infe

The UNC3944 Threat Actor is associated with Darkgate (association type: Unspecified; 2 votes). UNC3944, also known as Scattered Spider or 0ktapus, is a notable threat actor in the cybersecurity landscape. This group primarily targets telecommunication firms and tech companies, but has expanded its operations to hospitality, retail, media, and financial services sectors. The group's modus oper

The Sangria Tempest Threat Actor is associated with Darkgate (association type: Unspecified; 2 votes). Sangria Tempest, also known as Carbon Spider, Elbrus, and FIN7, is a threat actor that has been active since 2013. In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader delivered through malicious MSIX package installations. The group frequently targets the restaura
Associated Vulnerabilities
Each entry gives the vulnerability, its description, the association type, and the vote count.

The CVE-2024-21412 Vulnerability is associated with Darkgate (association type: Unspecified; 4 votes). CVE-2024-21412 is a security feature bypass vulnerability in the Microsoft Windows Internet Shortcut SmartScreen. The flaw, which was exploited as a zero-day, allows attackers to bypass the SmartScreen feature that typically warns users about running unrecognized apps and files from the internet. Th

The CVE-2023-36025 Vulnerability is associated with Darkgate (association type: Unspecified; 2 votes). CVE-2023-36025 is a significant vulnerability identified in the Windows SmartScreen security feature. It was one of three zero-day vulnerabilities discovered, with the others being CVE-2023-36033, a privilege escalation vulnerability in the Windows DWM Core Library, and CVE-2023-36036, another privi