Darkme

Threat Actor Profile Updated 25 days ago
DarkMe is a threat actor group, also tracked as DarkCasino or Water Hydra, that has been running large-scale, financially motivated campaigns since 2022. The group primarily uses a Visual Basic spy Trojan, also named DarkMe, which it developed in 2021 and has continually refined (functionality, anti-analysis countermeasures and delivery methods) to make its attacks more stable and efficient. The Trojan's functions and usage have stayed consistent across attack rounds, as observed in NSFOCUS Research Labs' report on Operation DarkCasino. The group has exploited several vulnerabilities to deliver its malware, most notably CVE-2023-38831, a WinRAR zero-day discovered by Group-IB: from April 2023 DarkCasino used it against cryptocurrency and stock traders, luring victims with archives posing as trading strategies, and the resulting code execution installed DarkMe, GuLoader or Remcos RAT for financial gain. RARLAB fixed the flaw in WinRAR 6.23 in August 2023, after which other actors, including state-sponsored groups, adopted the same exploit. In early 2024 the group moved on to CVE-2024-21412, a security feature bypass in Microsoft Defender SmartScreen triggered through Internet Shortcut (.url) files; it exploited this as a zero-day against financial traders, again delivering DarkMe, before Microsoft patched it in February 2024 (Trend Micro tracks this activity as Water Hydra).
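The CVE-2023-38831 lures described above share a distinctive archive layout, documented in Group-IB's public analysis: a harmless decoy file ("X.pdf") sits beside a directory named "X.pdf " (trailing space) that contains an executable whose name also begins with "X.pdf ". The following scanner, an added example written for this profile and not code from the group, from NSFOCUS, Group-IB or Trend Micro, lists such pairs in a ZIP without extracting anything. The sample archive and its file names are constructed here for illustration; the extension list is illustrative, not exhaustive.

```python
import io
import posixpath
import zipfile

# Extensions Windows would execute when WinRAR hands the extracted file to the shell.
# Illustrative list (assumption), not exhaustive.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".scr", ".vbs", ".js", ".wsf", ".hta", ".ps1", ".lnk"}


def build_archive(entries):
    """Build an in-memory ZIP from a {name: bytes} mapping.

    Used here only to construct offline samples; names are written verbatim,
    so a trailing space in a directory component is preserved.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def trailing_space_components(data):
    """Return every path component (file or directory) that ends in a space.

    A cheap generic signal: legitimate archivers almost never produce such names.
    """
    hits = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            for part in info.filename.split("/"):
                if part.endswith(" "):
                    hits.add(part)
    return sorted(hits)


def find_cve_2023_38831_pattern(data):
    """Return (decoy, payload) pairs matching the CVE-2023-38831 archive layout.

    Exploit archives pair a decoy ("X.pdf") with a directory named "X.pdf "
    (trailing space) holding an executable whose name also starts with
    "X.pdf " (e.g. "X.pdf .cmd"). Opening the decoy in WinRAR before 6.23
    extracts and runs the script instead of the document.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        file_names = {i.filename for i in zf.infolist() if not i.is_dir()}

    findings = []
    for name in sorted(file_names):
        parent, base = posixpath.split(name)
        parent_base = posixpath.basename(parent)
        if not parent_base.endswith(" "):
            continue  # not inside a trailing-space directory
        stem = parent_base.rstrip(" ")
        decoy = posixpath.join(posixpath.dirname(parent), stem)
        ext = posixpath.splitext(base.rstrip(" "))[1].lower()
        if decoy in file_names and base.startswith(stem) and ext in EXECUTABLE_EXTS:
            findings.append((decoy, name))
    return findings


if __name__ == "__main__":
    # Constructed sample mimicking the trader-themed lures; not a real campaign file.
    sample = build_archive({
        "Trading_Strategy.pdf": b"%PDF-1.4 decoy document",
        "Trading_Strategy.pdf /Trading_Strategy.pdf .cmd": b"@echo off\r\necho constructed sample\r\n",
        "readme.txt": b"benign text",
    })
    print("trailing-space components:", trailing_space_components(sample))
    for decoy, payload in find_cve_2023_38831_pattern(sample):
        print(f"CVE-2023-38831 layout: decoy={decoy!r} payload={payload!r}")
```

The check reads only the central directory, so it is safe to run on quarantined mail attachments; the generic trailing-space test catches variants that use an extension outside the list, at the cost of a few false positives.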
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Water Hydra | 4 | The Advanced Persistent Threat (APT) group known as Water Hydra, also referred to as DarkCasino, has been identified as a significant threat actor in the cybersecurity landscape. The group is notorious for its exploitation of CVE-2024-21412, a vulnerability that allows them to bypass Microsoft Defen
Darkcasino | 3 | DarkCasino, a threat actor group also known as Water Hydra, has emerged as a significant cybersecurity concern. This entity, which could be an individual, private company, or government-affiliated group, is responsible for executing malicious actions with the intent to compromise digital security an
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Vulnerability
Malware
WinRAR
Apt
Remcos
Microsoft
Zero Day
Payload
Exploit
Associated Malware
ID | Type | Votes | Profile Description
GuLoader | Unspecified | 3 | GuLoader is a downloader that reaches systems through malicious email attachments, drive-by downloads or compromised websites, usually without the user noticing. Rather than stealing data itself, it fetches an encrypted second-stage payload (commonly a RAT or information stealer such as Remcos) from cloud storage, decrypts it and runs it in memory. GuLoader is packed with an NSIS-based crypter and has
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2024-21412 | Unspecified | 3 | CVE-2024-21412 is a security feature bypass vulnerability in Microsoft Defender SmartScreen, triggered through Windows Internet Shortcut (.url) files. The flaw, which was exploited as a zero-day, allows attackers to bypass the SmartScreen warning that normally appears when a user runs unrecognized apps and files downloaded from the internet. Th
Source Document References
Information about the Darkme Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Trend Micro | 3 months ago | CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
CERT-EU | 7 months ago | The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
CERT-EU | 9 months ago | Threat Actor Exploits Zero-Day in WinRAR to Target Crypto Accounts
CERT-EU | 8 months ago | Analysis of CVE-2023-38831 Zero-Day vulnerability in WinRAR
CERT-EU | 9 months ago | WinRAR zero-day exploited since April to hack trading accounts
CERT-EU | 9 months ago | Traders Targeted by Cybercriminals in Attack Exploiting WinRAR Zero-Day
InfoSecurity-magazine | 3 months ago | Water Hydra’s Zero-Day Attack Chain Targets Financial Traders
InfoSecurity-magazine | 9 months ago | WinRAR Vulnerability Affects Traders Worldwide
CERT-EU | 9 months ago | WinRAR flaw lets hackers steal funds from broker accounts
CERT-EU | 9 months ago | Cyber Security Week in Review: August 25, 2023
BankInfoSecurity | 7 months ago | Nation-State Hackers Exploiting WinRAR, Google Warns
DARKReading | 3 months ago | Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs
CERT-EU | 9 months ago | The Week in Security: WinRAR exploit targets traders, malicious npm packages go after game devs
CERT-EU | 6 months ago | Previously unknown APT DarkCasino hits jackpot in WinRAR attack
CERT-EU | 3 months ago | CVE-2024-21412 Used in DarkGate Malware Campaigns
CERT-EU | 7 months ago | Google links WinRAR exploitation to Russian, Chinese state hackers
Securityaffairs | 6 months ago | DarkCasino joins the list of APT groups exploiting WinRAR 0day