{
	"id": "f2fd3311-9378-477a-9010-103fb4d76c0e",
	"created_at": "2026-04-06T00:14:28.103738Z",
	"updated_at": "2026-04-10T03:35:10.790339Z",
	"deleted_at": null,
	"sha1_hash": "075be7fac7fa83142076ebb4a4ffa70ecd027d0d",
	"title": "DCRat (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 178966,
	"plain_text": "DCRat (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 20:22:20 UTC\r\nDCRat\r\naka: DarkCrystal RAT\r\nDCRat (DarkCrystal RAT) is a commodity .NET/C# remote access trojan that has been around since at least June 2019. The references below document both opportunistic delivery (malspam, crypters such as Snip3, loaders and PPI services) and use by state-aligned actors (e.g. Sandworm/UAC-0113 against Ukrainian targets), so a DCRat detection on its own should not be read as attribution to any single actor.\r\nReferences\r\n2026-01-14 ⋅ Trellix ⋅\r\nHiding in Plain Sight: Deconstructing the Multi-Actor DLL Sideloading Campaign abusing ahost.exe\r\nDCRat\r\n2026-01-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2025\r\nCoper FluBot Joker Aisuru Mirai AsyncRAT BianLian Cobalt Strike DCRat Havoc Latrodectus PureLogs\r\nStealer Quasar RAT Remcos Rhadamanthys Sliver ValleyRAT Venom RAT Vidar XWorm\r\n2025-12-19 ⋅ cyble ⋅ Cyble\r\nStealth in Layers: Unmasking the Loader used in Targeted Email Campaigns\r\nDCRat Katz Stealer PhantomVAI PureLogs Stealer Remcos XWorm\r\n2025-12-16 ⋅ Zscaler ⋅ Gaetano Pellegrino\r\nBlindEagle Targets Colombian Government Agency with Caminho and DCRAT\r\nDCRat PhantomVAI\r\n2025-08-26 ⋅ Recorded Future ⋅ Insikt Group\r\nTAG-144’s Persistent Grip on South American Organizations\r\nAsyncRAT BitRAT DCRat LimeRAT NjRAT PureCrypter Quasar RAT Remcos\r\n2025-07-14 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2025\r\nCoper FluBot Hook Joker Mirai AsyncRAT BianLian BumbleBee Chaos Cobalt Strike DanaBot DCRat\r\nHavoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver ValleyRAT\r\nWarmCookie XWorm\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat\r\nPage 1 of 6\n\n2025-06-03 ⋅ IBM X-Force ⋅ Melissa Frydrych\r\nIBM X-Force Threat Analysis: DCRat presence growing in Latin America\r\nDCRat PhantomVAI\r\n2025-03-11 ⋅ Kaspersky Labs ⋅ AMR\r\nDCRat backdoor returns\r\nDCRat\r\n2025-02-12 ⋅ Red Canary ⋅ Phil Hagen, Tony Lambert\r\nDefying tunneling: A Wicked approach to detecting malicious network traffic\r\nAsyncRAT DCRat NjRAT XWorm\r\n2025-02-12 ⋅ cyber.wtf blog ⋅ Hendrik Eckardt, Leonard Rapp\r\nUnpacking Pyarmor v8+ scripts\r\nAsyncRAT DCRat 
XWorm\r\n2025-02-11 ⋅ EclecticIQ ⋅ Arda Büyükkaya\r\nSandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber\r\nEspionage Campaigns\r\nKalambur BACKORDER DCRat\r\n2025-02-11 ⋅ CyberSecurityNews ⋅ Do Son\r\nSandworm APT Exploits Trojanized KMS Tools to Target Ukrainian Users in Cyber Espionage Campaign\r\nDCRat\r\n2025-01-10 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2024\r\nCoper FluBot Hook Mirai FAKEUPDATES AsyncRAT BianLian Brute Ratel C4 Cobalt Strike DanaBot\r\nDCRat Havoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver Stealc\r\n2024-07-09 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2024\r\nCoper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT\r\nQakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver\r\n2024-06-04 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nUAC-0200: Targeted cyberattacks using DarkCrystal RAT and Signal as a trusted distribution vehicle (CERT-UA#9918)\r\nDCRat\r\n2024-05-14 ⋅ Check Point Research ⋅ Antonis Terefos, Tera0017\r\nFoxit PDF “Flawed Design” Exploitation\r\nRafel RAT Agent Tesla AsyncRAT DCRat DONOT Nanocore RAT NjRAT Pony Remcos Venom RAT\r\nXWorm\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat\r\nPage 2 of 6\n\n2024-04-20 ⋅ Axel's IT Security Research ⋅ Axel Mahr\r\nNew Robust Technique for Reliably Identifying AsyncRAT/DcRAT/VenomRAT Servers\r\nAsyncRAT DCRat Venom RAT\r\n2024-04-11 ⋅ Github (jeFF0Falltrades) ⋅ Jeff Archer\r\nRat King Configuration Parser\r\nAsyncRAT DCRat Quasar RAT Venom RAT\r\n2024-03-11 ⋅ SOCRadar ⋅ SOCRadar\r\nAcuity Federal Contractor Breach, Okta Customers Leak, DCRat Exploit and Access Sales\r\nDCRat CyberNiggers\r\n2024-02-01 ⋅ ⋅ Infinitum IT ⋅ Kerime Gencay\r\nDcRat Technical Analysis Report (Paywall)\r\nDCRat\r\n2024-01-25 ⋅ JSAC 2024 ⋅ Masafumi Takeda, Tomoya Furukawa\r\nThreat Intelligence of Abused Public 
Post-Exploitation Frameworks\r\nAsyncRAT DCRat Empire Downloader GRUNT Havoc Koadic Merlin PoshC2 Quasar RAT Sliver\r\n2024-01-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q4 2023\r\nFluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer\r\nMeterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys\r\nSliver\r\n2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2023\r\nFluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot\r\nQuasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar\r\n2023-09-04 ⋅ Github (muha2xmad) ⋅ Muhammad Hasan Ali\r\nA deep dive into DCRAT/DarkCrystalRAT malware\r\nDCRat\r\n2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2023\r\nHydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT\r\nQakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee\r\n2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q1 2023\r\nFluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT\r\nQakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat\r\nPage 3 of 6\n\n2023-04-08 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien\r\n[QuickNote] Uncovering Suspected Malware Distributed By Individuals from Vietnam\r\nAsyncRAT DCRat WorldWind\r\n2023-04-08 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nDcrat - Manual De-obfuscation of .NET Malware\r\nDCRat\r\n2023-02-24 ⋅ Zscaler ⋅ Avinash Kumar, Niraj Shivtarkar\r\nSnip3 Crypter Reveals New TTPs Over Time\r\nDCRat Quasar RAT\r\n2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2022\r\nFluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet 
Loki Password\r\nStealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars\r\nTofsee Vjw0rm\r\n2022-09-19 ⋅ Recorded Future ⋅ Insikt Group®\r\nRussia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine\r\nAve Maria Colibri Loader DCRat\r\n2022-09-15 ⋅ Sekoia ⋅ Threat \u0026 Detection Research Team\r\nPrivateLoader: the loader of the prevalent ruzki PPI service\r\nAgent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT\r\nNymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP\r\nVidar YTStealer\r\n2022-08-30 ⋅ Cisco ⋅ Vanja Svajcer\r\nModernLoader delivers multiple stealers, cryptominers and RATs\r\nCoinminer DCRat ModernLoader RedLine Stealer SapphireMiner SystemBC\r\n2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk\r\nOverview of the Cyber Weapons Used in the Ukraine - Russia War\r\nAcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper\r\nINDUSTROYER2 InvisiMole IsaacWiper PartyTicket\r\n2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk\r\nOverview of the Cyber Weapons Used in the Ukraine - Russia War\r\nAcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper\r\nINDUSTROYER2 InvisiMole IsaacWiper PartyTicket\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat\r\nPage 4 of 6\n\n2022-06-24 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nCyberattack against Ukrainian telecommunications operators using DarkCrystal RAT malware (CERT-UA #\r\n4874)\r\nDCRat Sandworm\r\n2022-06-10 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nMassive cyberattack on Media Organizations of Ukraine using crescentImp malware (CERT-UA#4797)\r\nDCRat\r\n2022-05-09 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nDirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains\r\nDCRat NjRAT\r\n2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nOperation Gambling Puppet\r\nreptile oRAT AsyncRAT Cobalt Strike 
DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka\r\n2022-04-16 ⋅ forensicitguy ⋅ Tony Lambert\r\nSnip3 Crypter used with DCRat via VBScript\r\nDCRat\r\n2022-03-02 ⋅ RiskIQ ⋅ Jennifer Grob\r\nRiskIQ: Malware Linked to Upwork Post Seeking Content Writer for a \"Newly Developed Application\"\r\nDeploys DCRat\r\nDCRat\r\n2022-02-17 ⋅ Zscaler ⋅ Aditya Sharma, Stuti Chaturvedi\r\nFreeCryptoScam - A New Cryptocurrency Scam That Leads to Installation of Backdoors and Stealers\r\nDCRat\r\n2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nKraken the Code on Prometheus\r\nPrometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk\r\n2021-10-19 ⋅ Cisco Talos ⋅ Asheer Malhotra\r\nMalicious campaign uses a barrage of commodity RATs to target Afghanistan and India\r\nDCRat Quasar RAT\r\n2021-10-12 ⋅ Infoblox ⋅ Avinash Shende\r\nMalspam Campaign Delivers Dark Crystal RAT (dcRAT)\r\nDCRat\r\n2021-09-22 ⋅ YouTube (John Hammond) ⋅ John Hammond\r\nSnip3 Crypter/RAT Loader - DcRat MALWARE ANALYSIS\r\nDCRat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat\r\nPage 5 of 6\n\n2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel\r\nThe State of SSL/TLS Certificate Usage in Malware C\u0026C Communications\r\nAdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex\r\nFindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT\r\nRockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader\r\n2020-05-12 ⋅ FireEye ⋅ Jacob Thompson\r\nAnalyzing Dark Crystal RAT, a C# backdoor\r\nDCRat\r\n2019-10-02 ⋅ tcontre\r\nDCRAT malware Evades SandBox that use Fake Internet by using the Google public DNS IP address\r\nDCRat\r\nYara Rules\r\n[TLP:WHITE] win_dcrat_w0 (20200227 | DCRat payload)\r\nDownload all Yara Rules\r\nSource: 
https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"
	],
	"report_names": [
		"win.dcrat"
	],
	"threat_actors": [
		{
			"id": "11f52079-26d3-4e06-8665-6a0b3efdc41c",
			"created_at": "2022-10-25T16:07:23.736987Z",
			"updated_at": "2026-04-10T02:00:04.732021Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [
				"UAC-0035"
			],
			"source_name": "ETDA:InvisiMole",
			"tools": [
				"InvisiMole"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b",
			"created_at": "2023-01-06T13:46:39.095233Z",
			"updated_at": "2026-04-10T02:00:03.21157Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [],
			"source_name": "MISPGALAXY:InvisiMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01",
			"created_at": "2022-10-25T16:07:23.562676Z",
			"updated_at": "2026-04-10T02:00:04.662064Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "ETDA:Earth Berberoka",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"AsyncRAT",
				"CinaRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"PuppetLoader",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav",
				"Yggdrasil",
				"oRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d6519c33-32d0-4a3c-b5cd-930ce047c240",
			"created_at": "2024-04-19T02:00:03.615928Z",
			"updated_at": "2026-04-10T02:00:03.612469Z",
			"deleted_at": null,
			"main_name": "CyberNiggers",
			"aliases": [],
			"source_name": "MISPGALAXY:CyberNiggers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2664d6f5-f918-4978-87f8-f6afad7402c6",
			"created_at": "2023-01-06T13:46:39.393669Z",
			"updated_at": "2026-04-10T02:00:03.312065Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "MISPGALAXY:Earth Berberoka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434468,
	"ts_updated_at": 1775792110,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/075be7fac7fa83142076ebb4a4ffa70ecd027d0d.pdf",
		"text": "https://archive.orkl.eu/075be7fac7fa83142076ebb4a4ffa70ecd027d0d.txt",
		"img": "https://archive.orkl.eu/075be7fac7fa83142076ebb4a4ffa70ecd027d0d.jpg"
	}
}