{
	"id": "ff89bdb0-a374-4f8e-8d1c-5855ca93056a",
	"created_at": "2026-04-06T00:14:24.252071Z",
	"updated_at": "2026-04-10T13:12:49.8548Z",
	"deleted_at": null,
	"sha1_hash": "05b97f351d93555914e1c13ed8c4f6973893ca7d",
	"title": "Malspam Campaign Delivers Dark Crystal RAT (dcRAT)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 160076,
	"plain_text": "Malspam Campaign Delivers Dark Crystal RAT (dcRAT)\r\nBy Infoblox Threat Intel\r\nPublished: 2021-10-12 · Archived: 2026-04-05 14:57:20 UTC\r\nAuthor: Avinash Shende\r\n1. Overview\r\nFrom 30 September to 4 October, Infoblox observed a malicious email campaign distributing the remote access\r\ntrojan (RAT) Dark Crystal, which is also known as dcRAT. This malware is propagated via a Microsoft Word\r\ndocument that contains a malicious VBA script.\r\nA May 2020 report [1] said that dcRAT was being sold on hxxp://dcrat[.]ru. Since then, the site has been taken down,\r\nthe content of the landing page has been replaced with Russian profanities, and distribution of dcRAT has shifted\r\nto hacking forums and P2P platforms.\r\n2. Customer impact\r\nCybercriminals use dcRAT for various purposes, such as to:\r\nBrowse the internet by using victims’ machines\r\nCollect clipboard data\r\nCollect cookies\r\nCompile and execute C# code\r\nExecute remote commands\r\nExfiltrate files\r\nInitialize UDP/TCP flood attacks\r\nLog keystrokes\r\nManage file systems\r\nManage running processes\r\nTurn on webcams and microphones on victims’ machines\r\nThese and other capabilities allow dcRAT to steal information and use a victim’s machine for subsequent attacks.\r\n3. Campaign analysis\r\nThe email’s subject is Don’t Miss Your Luck or Hi Friend, the attachment is called MoneyMake.doc, and the\r\nsender’s alias is James Leclar, Paul Maccartney, Money Center, Money Development, Martin Garix, or ADS\r\ncenter. To lure the victims into confirming their email addresses and opening the attachment, the actors use the\r\nfollowing text in the email:\r\nhttps://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/\r\nPage 1 of 3\n\nPlease confirm your email address link below. Online training, the purpose of which is to acquaint students with\r\nthe technology of remote earnings on TUZIR Internet advertising.\r\nThis system has proven to be highly effective\r\nand is used by many newbies and experienced directors to earn remotely without leaving their main place of work.\r\nThe author of the technology of earning money from advertising and the speaker of the program is Evgeny\r\nAndrianov. All info in Attachment — The Advertising Company.\r\n4. Attack chain\r\nOpening the Word attachment executes the password-protected VBA script, which starts a series of downloads and\r\ndisplays the message Running Document. Please Wait. The script also contacts a URL, from where it executes a\r\nPowerShell script to download a JavaScript file, loader.js, which downloads a malicious JavaScript-encoded file,\r\nKEiZizen[.]jse, and deletes itself. KEiZizen[.]jse then downloads the malicious screensaver file found[.]scr, which\r\ndownloads savesrefruntimeCrtCommonMonitordhcp.exe. This executable attempts to determine whether it is\r\nworking on a virtual machine, creates or modifies registry values, creates processes, connects to the C\u0026C server,\r\nand performs other tasks.\r\nNext, dcRAT opens a URL in Google Chrome to create a remote WMI connection, which the actors use to connect\r\nto the victim’s machine. dcRAT also downloads malicious cookies and tries to use them to authenticate itself with\r\nthe victim’s Google account.\r\n5. Vulnerabilities and mitigation\r\nInfoblox recommends the following measures for reducing the risk of infection by dcRAT:\r\nKeep antivirus signatures and engines up to date.\r\nTurn on automatic updates. This will keep the operating system up to date with the latest security patches.\r\nDo not expose email addresses to the internet.\r\nExercise caution when opening all email attachments, especially those that come from unfamiliar senders.\r\nAvoid opening emails with generic subject lines.\r\nEndnotes\r\n1. https://www.spywareremove.com/removedarkcrystalrat.html\r\nOctober 12, 2021\r\nLabels:\r\nCyberthreat\r\nCyberthreat intelligence report\r\nMalspam\r\nThreat Intelligence\r\nCybersecurity\r\nInfoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of\r\naggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky\r\nto interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us\r\nto track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt\r\ncybercrime where it begins. We also believe in sharing knowledge to support the broader security community by\r\npublishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into\r\nour Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low\r\nfalse positive rates.\r\nSource: https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/"
	],
	"report_names": [
		"malspam-campaign-delivers-dark-crystal-rat-dcrat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434464,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05b97f351d93555914e1c13ed8c4f6973893ca7d.pdf",
		"text": "https://archive.orkl.eu/05b97f351d93555914e1c13ed8c4f6973893ca7d.txt",
		"img": "https://archive.orkl.eu/05b97f351d93555914e1c13ed8c4f6973893ca7d.jpg"
	}
}