{
	"id": "291554dc-b2c0-4f7f-9640-c24cf4c30e5b",
	"created_at": "2026-04-06T00:16:20.36641Z",
	"updated_at": "2026-04-10T03:22:10.269782Z",
	"deleted_at": null,
	"sha1_hash": "0260e58180f9fcdf390f6acaa6afc9bfe64fbc90",
	"title": "Affiliates vs Hunters: Fighting the DarkSide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96965,
	"plain_text": "Affiliates vs Hunters: Fighting the DarkSide\r\nBy Emanuele De Lucia\r\nPublished: 2021-01-25 · Archived: 2026-04-05 22:23:58 UTC\r\nIntroduction\r\nIn August 2020 a new type of malware, belonging to the ransomware category, appeared in the cyber threat landscape. The threat actor responsible for its development called it “DarkSide” and, like other pieces of malware of this type, it is operated in Big Game Hunting (BGH) campaigns. Around the same time, a DLS (Dedicated Leak Site) was made available on the dark web (behind the TOR network) in order to report the first victims.\r\nOn their DLS, DarkSide operators claimed to be experienced in conducting cyber operations, having previously used other, not better identified, ransomware variants. Indeed, some characteristics of their first operations support the hypothesis that the group could be a former affiliate of some other R-a-a-S (Ransomware as a Service) program that chose to write its own ransomware, likely to avoid sharing the profits of its criminal activities with third parties.\r\nInsights\r\nDarkSide is a well-written malware family that has not changed much over time compared to the first versions analyzed in August / September 2020. Usually, the samples belonging to this family present some features aimed at making analysis harder. For example, in a recent sample (sha256: 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61), at 0040182A we find a sub aimed at dynamically resolving DLLs and APIs through LoadLibrary / GetProcAddress. sub_4016D5, sub_4013DA and sub_401AC3 are also involved in this process. 
The following screenshot shows a chunk of code extracted from the whole function designed for this purpose:\r\nhttps://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/\r\nPage 1 of 10\r\nThis can be a useful place to create a code-based Yara rule aimed at potentially hunting further variants of the same malware family. After having selected several representative chunks we can obtain something similar to the following:\r\nrule DarkSide_Ransomware_827333_39928 : CRIMEWARE {\r\n    meta:\r\n        author = \"Emanuele De Lucia\"\r\n        description = \"Detects possible variants of DarkSide ransomware\"\r\n        hash1 = \"17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61\"\r\n    /*\r\n        call 0x4016d5\r\n        push esi\r\n        call 0x408195\r\n        mov ebx, eax\r\n        push dword ptr [esi - 4]\r\n        push esi\r\n        call 0x4013da\r\n        mov eax, dword ptr [esi - 4]\r\n        lea esi, [esi + eax]\r\n        mov ecx, 0x23\r\n    */\r\n    strings:\r\n        $ = { E8 [4] 56 E8 [4] 8B D8 FF 76 ?? 56 E8 [4] 8B 46 ?? 8D 34 06 B9 ?? ?? ?? ?? }\r\n    condition:\r\n        any of them\r\n}\r\nDarkSide also employs techniques for privilege escalation and UAC (User Account Control) bypass. The technique observed in this case is known as CMSTPLUA UAC Bypass and exploits the ShellExec function of the CMSTPLUA COM interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}. 
This allows starting a process with elevated permissions, as shown in the following graph:\r\nPowerShell is used to delete shadow copies, preventing the recovery of previously backed-up files through them, with the following syntax:\r\npowershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s\"\r\nDecoded:\r\nGet-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\r\nA quick Sigma rule can be employed in order to hunt for similar system-side behaviors.\r\ntitle: Detects possible DarkSide infection through PowerShell cmdline used to delete Shadow copies\r\nstatus: stable\r\ndescription: Detects possible DarkSide infection through PowerShell cmdline used to delete Shadow copies\r\nauthor: Emanuele De Lucia\r\nreferences:\r\n    - internal research\r\ntags:\r\n    - attack.t1086\r\n    - attack.t1064\r\ndate: 2020/12/01\r\nlogsource:\r\n    category: process_creation\r\n    product: windows\r\ndetection:\r\n    selection:\r\n        Image|endswith:\r\n            - '\\powershell.exe'\r\n        CommandLine|contains|all:\r\n            - '(0..61)|%%{$s+=[char][byte]'\r\n            - '4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'\r\n    condition: selection\r\nlevel: high\r\nBefore executing the main payload, the sample performs several other activities, such as information gathering (e.g. getting disk info) and a comparison of system services against a predefined list in order to stop those that could interfere with the file encryption process. The following are the services the malware looks for in the analyzed sample:\r\nsql\r\noracle\r\nocssd\r\ndbsnmp\r\nsynctime\r\nagntsvc\r\nisqlplussvc\r\nxfssvccon\r\nmydesktopservice\r\nocautoupds\r\nencsvc\r\nfirefox\r\ntbirdconfig\r\nmydesktopqos\r\nocomm\r\ndbeng50\r\nsqbcoreservice\r\nexcel\r\ninfopath\r\nmsaccess\r\nmspub\r\nonenote\r\noutlook\r\npowerpnt\r\nsteam\r\nthebat\r\nthunderbird\r\nvisio\r\nwinword\r\nwordpad\r\nnotepad\r\nThese areas can likewise be used to extract known-bad pieces of code:\r\nrule DarkSide_Ransomware_827333_39929 : CRIMEWARE {\r\n    meta:\r\n        author = \"Emanuele De Lucia\"\r\n        description = \"Detects possible variants of DarkSide ransomware\"\r\n        hash = \"17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61\"\r\n    /*\r\n        push 0x10020\r\n        push dword ptr [edi]\r\n        push dword ptr [ebp - 4]\r\n        call dword ptr [0xcf0e66]\r\n        mov dword ptr [ebp - 8], eax\r\n        cmp dword ptr [ebp - 8], 0\r\n        je 0xce4d83\r\n        push 0x1c\r\n        lea eax, [ebp - 0x30]\r\n        push eax\r\n        call 0xce13da\r\n        lea eax, [ebp - 0x30]\r\n        push eax\r\n        push 1\r\n        push dword ptr [ebp - 8]\r\n        call dword ptr [0xcf0e6a]\r\n        push dword ptr [ebp - 8]\r\n        call dword ptr [0xcf0e6e]\r\n    */\r\n    strings:\r\n        $ = { 68 [4] FF 37 FF 75 ?? FF 15 [4] 89 45 ?? 83 7D [2] 74 ?? 6A ?? 8D 45 ?? 50 E8 [4] 8D 45 ?? 50 6A ?? FF 75 ?? FF 15 [4] FF 75 ?? FF 15 ?? ?? ?? ?? }\r\n    condition:\r\n        any of them\r\n}\r\nAfter the encryption phase, DarkSide is designed to communicate with its command and control server in order to share details relating to the victim (victimID) as well as further parameters useful for recovering encrypted files and identifying the affiliate. Most probably these network capabilities have been added in order to support the R-a-a-S model. In the analyzed sample, the CnC (Command and Control) is attested over the domain name securebestapp20.com. 
Detecting network activities potentially related to this threat could therefore involve writing SNORT rules similar to the following:\r\nalert udp $HOME_NET any -\u003e any 53 (msg:\"DNS request for blacklisted domain 'securebestapp20.com'\"; content:\"|0f|securebestapp20|03|com|00|\"; nocase; reference:url,https://www.emanueledelucia.net/; sid:[SID HERE]; rev:1;)\r\nThis domain name was created on 16/09/2020 and, according to my visibility, at the time of writing it has a history of two (2) associated A records. The interesting one is linked to the IP 185.105.109.19. It could be interesting to note that the pDNS count for this domain name from 21/09/2020 (day of the first observed resolution to 185.105.109.19) to 05/01/2021 (day of the last observed resolution to 185.105.109.19) is less than 180, and that most of those resolutions occurred from early November until today. This suggests a growth in the spread of the malware and obviously of the R-a-a-S business as well. In general, moreover, this number is also consistent with the low overall volume of DarkSide campaigns observed at least until mid-November 2020. This is further confirmed by the payload-side global visibility I have for this malware family.\r\nThe following chart shows detection hits for the DarkSide malware family until the end of the year, where it's possible to observe a general increase in detection rates towards December 2020.\r\nWelcome to Darkside\r\nOn 11/10/2020 a user posted an announcement titled “[Affiliate Program] Darkside Ransomware” on a Russian-speaking dark web forum. The text contained in that post officially started the project's affiliate program. 
Press articles have been used to advertise the program itself as well as the skills of the group, which are “aimed only at large corporations” as originally posted by the threat actor itself:\r\nNot welcome in the affiliate program are, among others, English-speaking people, employees of the secret services, security researchers, the greedy (at least as far as I understand), etc.\r\nThere are, moreover, some rules to be respected, such as avoiding targeting entities within countries belonging to the CIS (Содружество Независимых Государств, the Commonwealth of Independent States), including Georgia and Ukraine, or those operating in the education, medicine, public and non-profit sectors.\r\nAs you might imagine for any other job, there is a selection process to go through in order to be included in the program. This includes an interview to check the candidate's skills and experience, such as having been affiliated with some other program previously. The group offers a Windows and Linux version of DarkSide ransomware plus an admin panel, a leak site, and a CDN system for data storage.\r\nSo, do you have ESXi?\r\nAt the end of November 2020, a Linux variant of DarkSide ransomware was uploaded to a well-known online malware repository. At the time of upload, its detection rate was practically non-existent. Even at the time of writing (Jan 2021) the detection rate is very low (2/63). It seems to have quite a different purpose compared to the Windows counterpart. While the latter was born to encrypt all user files on a workstation (documents, images, PDFs and so on), the Linux version has been created to damage virtual machines on servers. 
Indeed, the sample looks for extensions related to VMware files like .vmdk, .vmem, .vswp and generic log formats.\r\nThe ransom note is similar to the Windows one, and the output of the executable, once launched, confirms the focus on ESXi environments, as /vmfs/volumes/ is the default location of ESXi virtual machines. A strict Yara rule similar to the following can help in identifying Linux variants of DarkSide:\r\nrule DarkSide_Ransomware_827333_39930 : CRIMEWARE {\r\n    meta:\r\n        author = \"Emanuele De Lucia\"\r\n        description = \"Detects possible Linux DarkSide ransomware variants\"\r\n        hash1 = \"da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5\"\r\n    strings:\r\n        $ = \"vmdk,vmem,vswp,log\" fullword ascii\r\n        $ = \"XChaCha20\" fullword ascii\r\n        $ = \"Partial File Encryption Tool\" fullword ascii\r\n        $ = \"main.log\" fullword ascii\r\n    condition:\r\n        (uint16(0) == 0x457f and all of them)\r\n}\r\nAlso for the Linux version, communications with the outside world take place through the same domain name previously reported and a specially crafted URL for each victim. 
Through Sigma it's possible to write rules aimed at detecting DNS resolution requests to the domain name where the command and control is actually attested:\r\ntitle: Detects resolution requests to DarkSide Command and Control domain name\r\nstatus: stable\r\ndescription: Detects resolution requests to DarkSide Command and Control domain name\r\nreferences:\r\n    - https://www.emanueledelucia.net/fighting-the-darkside-ransomware/\r\nauthor: Emanuele De Lucia\r\ndate: 2020/12/01\r\ntags:\r\n    - attack.t1071.001\r\nlogsource:\r\n    category: dns\r\ndetection:\r\n    selection:\r\n        query:\r\n            - 'securebestapp20.com'\r\n    condition: selection\r\nfalsepositives:\r\n    - internal research\r\nlevel: high\r\nAdversary Profile\r\nSince mid-November 2020, following the affiliate program, it's more difficult to associate the exclusive use of DarkSide ransomware with a specific threat actor.\r\nHowever, some similarities with REvil suggest that its developer may be familiar with that solution, to the point of speculating that it may be a former REvil affiliate who, in order to have more control over operations and not divide the profits, launched his own project, further enhanced by an independent affiliate program. Regardless of the specific actor behind the operations, DarkSide can be delivered via several vectors, usually after gathering information about the target.\r\nAccording to my visibility, at least one threat actor who used DarkSide adopted the phishing technique (T1566) in order to deliver a first-stage payload whose exploitation finally allowed the distribution of DarkSide variants within the victim environment. 
Other intrusion techniques involve exploiting vulnerabilities in exposed applications (T1190) in order to gain a first foothold from which to perform lateral movement.\r\nIndicators of Compromise\r\nObservable | Description | Value\r\nsha256 | payload-delivery | da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5\r\nsha256 | payload-delivery | 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61\r\ndomain | network-activity | securebestapp20.com\r\nSource: https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/"
	],
	"report_names": [
		"affiliates-vs-hunters-fighting-the-darkside"
	],
	"threat_actors": [],
	"ts_created_at": 1775434580,
	"ts_updated_at": 1775791330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0260e58180f9fcdf390f6acaa6afc9bfe64fbc90.pdf",
		"text": "https://archive.orkl.eu/0260e58180f9fcdf390f6acaa6afc9bfe64fbc90.txt",
		"img": "https://archive.orkl.eu/0260e58180f9fcdf390f6acaa6afc9bfe64fbc90.jpg"
	}
}