{
	"id": "d691bd6d-744a-4ff5-bf88-0084d6681a0f",
	"created_at": "2026-04-06T00:12:02.312438Z",
	"updated_at": "2026-04-10T03:30:33.934456Z",
	"deleted_at": null,
	"sha1_hash": "0825c023ddbc93c1a00d1fa0cc4525da247d0640",
	"title": "You dirty RAT! Part 1: DarkComet | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2497825,
	"plain_text": "You dirty RAT! Part 1: DarkComet | Malwarebytes Labs\r\nBy Adam Kujawa\r\nPublished: 2012-06-08 · Archived: 2026-04-05 15:40:59 UTC\r\nLast week, I talked a little about the Flame Trojan and how much the average user needs to worry about being infected with it, which is not at all.  State-sponsored RAT malware like Flame would likely not infect average users, and even in the off chance that it did, the operators behind the malware would probably remove the Trojan before being discovered.  Its purpose is very specifically targeted cyber-espionage, not stealing your Facebook password.\r\nSo are you completely safe from malware like Flame? Not exactly.  Take away the state-sponsored aspect of Flame and you’ve got a RAT, or Remote Administration Trojan, of which there are many out there used every single day to spy on average people. Before you get too freaked out, Malwarebytes Anti-Malware detects and removes these threats all the time, so don’t worry too much about being a victim as long as you properly protect your system.\r\nThis blog post is one of many which I am going to use to:\r\nDiscuss some of the RAT malware currently seen in the wild\r\nWhat they can do\r\nHow they work\r\nHow to protect yourself from them\r\nThis first blog is about DarkComet, a freely available Remote Administration “Tool” developed by DarkCoderSC, an independent programmer and computer security specialist from France.  He advertises DarkComet as a tool and not a Trojan because of its many functions that could be used to administer a network at a very close level.  However, he also mentions that his tool is often used by hackers and hence is often detected by antivirus engines as malicious. 
While the tool is free to download and use, he offers a “VIP” service, which gives the user direct support, product updates and the ability to post new ideas or software bugs, all for 20 Euros or $25.\r\nFeatures\r\nThe Flame malware can do a lot; although it has not been completely analyzed, we know that it can take screenshots, modify/create/delete files and run a keylogger.  The capability of most RATs takes that functionality and multiplies it significantly. DarkComet is no different: it can execute over 60 different server-side functions, that is, things it can execute, monitor or control on the infected system.\r\nNote: For the sake of talking about RATs, you need to turn the usual definition of “client-server” around. In this case the “server” is the RAT implant running on the infected system, while the “client” is the controller application used by the attacker.\r\nHere is a list of some of the pretty nasty things which this RAT can do:\r\nhttps://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/\r\nPage 1 of 14\n\nThose are only some of what this baby can do; I left out a few of the big ones because I wanted to go into more detail about them. Also, they are my favorite!\r\nFun Functions:\r\nA lot of RATs include “Fun Functions” to mess with the system (and mind) of the victim.  In many cases these are built-in functions to play tricks on friends or just have fun at the expense of the unfortunately infected user. 
\r\nDarkComet has multiple “Fun Functions” that I thought would be interesting to discuss and show you screenshots of.\r\nFun Manager\r\nThe Fun Manager is a set of different types of fun functions which an attacker can use against the user.\r\nIt includes:\r\nHide the Desktop – Hides all the icons and makes it impossible to right-click on the desktop\r\nHide the Clock – Self-explanatory\r\nHide Task Icons – Hides the icons in the little box on the right side of your taskbar\r\nHide Sys Tray Icons – Hides the icons and open-application buttons on the taskbar\r\nHide Taskbar – Self-explanatory\r\nHide the Start Button – Only works in Windows XP\r\nDisable the Start Button (XP only) – Grays out the Start button, disabling it\r\nDisable TaskMgr – Disables the Windows Task Manager (the one you reach with Ctrl+Shift+Esc or via Ctrl+Alt+Del)\r\nOpen/Close CD Tray – Self-explanatory\r\nPiano\r\nThe piano function is exactly what it sounds like: the ability to play a kind of piano which can be configured to play at different octaves.  Another part of this feature is the ability to play a custom tone at a specific frequency (in Hz) for a custom duration (in ms).  The purpose of this feature (as far as I can tell) is just to annoy people.\r\nSend Message Box\r\nThis is a pretty simple function which can mess with the user on a LOT of levels; it allows the attacker (or administrator) to pop up a custom message box for the user, like an error or informational notice one would normally see.  The interesting thing about this feature is that you can create a message box belonging not only to the system but also to any active window on the system, for example Notepad or Windows Media Player.  
The messages then appear to come from the application, which might make the user believe the application is malicious rather than the actual malware running behind the scenes.\r\nMicrosoft Reader\r\nThis feature isn’t anything new and is more fun than anything.  If you’ve ever used a Mac, you know that one of the features of the text editor is to read the text you wrote out loud.  The Microsoft Reader function is no different and will read whatever the attacker types to the unsuspecting user.  I can only imagine the shock and panic the user would experience upon hearing the electronic voice of evil saying “I OWN YOU” through the speakers.\r\nRemote Chat\r\nI think this feature is really fun; it gives the operator the ability to open a chat window on both ends (server and client) in order to have a conversation with the infected user.  This has legitimate network administration uses, but nonetheless it can really confuse a victim.\r\nSo that sums up all of the Fun Functions. I thought it would be a good idea to discuss them because, quite frankly, RATs are the only malware I have found that have a sense of humor, and it’s good to point out that not all malware is used to steal information or crash systems; some of it still likes to just mess with people, the same way hackers of yesterday did it for fun.\r\nUninstall Applications:\r\nUnfortunately, we need to stray from the lighthearted side of this blog post and talk about some of the scarier functionality that DarkComet has.  
A very powerful and dangerous function of this RAT is the ability to uninstall applications at a whim.  The attacker receives a listing of all installed applications and is given the option to uninstall them.  This could be used for multiple reasons; one of the big ones is to disable security products.  Here is an example of the worst possible situation:\r\nYou have an antivirus engine running on your system; you paid a lot for it, so you feel secure. It came with an e-mail scanner, so you don’t mind opening e-mails or links you don’t trust.\r\nYou get an e-mail from an unfamiliar source telling you to click on a link to see a funny video of a LoLCat. You do so and are directed to a fake YouTube page; you shrug it off as nothing and go about your business.\r\nUnbeknownst to you, the fake page used a zero-day browser exploit and infected your system with a DarkComet implant. This is a new variant of the malware, so your AV vendor has yet to write signatures that detect it.  The first thing the controller of the RAT does is uninstall your antivirus engine, allowing the RAT to do whatever it wants without being detected.\r\nAnother aspect of the Uninstall functionality is removing security patches that were installed to close holes in the operating system.  With those patches gone, the attacker can exploit older vulnerabilities in your operating system, allowing even more malware to be downloaded to your system and executed.  Now you are completely infected and your options are limited.\r\nRemote Desktop:\r\nThis is a pretty neat functionality that you don’t often see used by other RATs.  
It allows the attacker not only to see the active screen of the infected user but also to take control of the mouse and keyboard, using the machine as though they were sitting in front of it.\r\nThis functionality is probably the most dangerous to the infected user because it goes beyond what the Uninstall function can do: instead of just uninstalling an AV engine, the attacker can add the DarkComet executable to the AV’s “Allowed” list.  This means that even though the user’s system is completely infected with DarkComet, the AV engine will not bother trying to stop it, and the user might never know it is happening.\r\nThe drawback of this functionality is how loud it is.  Imagine playing an online game: you receive data from the remote server to see what is going on in the game and the actions of other players, but you also send a large amount of data as you interact with the game itself.  A remote desktop session behaves the same way, so it is possible to experience serious network lag, and for experienced users who might be running network monitoring software, a continuous stream of screen data to an unknown host is a suspicious clue that something is very wrong.\r\nDDOS\r\nAs I mentioned earlier, DarkComet is advertised as a network administration tool that helps to control systems in a network.  Most of the functionality we have seen so far (except for the Fun Functions) can be used to that end, and you couldn’t really dispute the use and purpose of the RAT.  
However, there is one question I have:\r\nConsidering that this is a Remote Administration Tool, to be used for good and whatnot…. WHY DOES IT HAVE DDOS FUNCTIONALITY!?\r\nAs you probably know, DDOS means Distributed Denial of Service and is an attack where multiple systems, usually infected with botnet malware, send a flood of network traffic to one location in an attempt to overload the receiving server and disable its ability to respond to legitimate requests.  This is a very well-known and widely used attack, and yet it is one of the miscellaneous functions that DarkComet comes with.\r\nThe above screen shows the “Users” tab, which lists all of the currently controlled systems. If you right-click on one of these User entries and scroll down to “Extra Broadcast Commands” you will see a menu of DDOS functions: an HTTP, a SYN and a UDP flood.  When clicked, it asks for the kind of data to be sent and/or the IP/URL and port of the target:\r\nI can’t think of an occasion where a network admin would need to bring down a web server using the network he or she controls as a weapon, but I don’t work in Network Administration, so what do I know?\r\nWebcam Control\r\nWhile it isn’t a new or unique functionality, webcam control is still a very dangerous and effective way to spy on people.\r\nThe possible uses of the videos and images obtained through the webcam control function range from cyber-espionage and blackmailing victims to plain voyeurism and, worst of all, child pornography.  Although that is not the intention of every attacker using this tool, it can be used to spread or sell child pornography, which makes this function, in my opinion, the worst of the bunch.\r\nHow does DarkComet Work?\r\nGood question! 
Most RATs have very intricate programming in the implant itself, including a large command-dispatch routine which takes input from the controller and executes specific functionality based on that input.  The functionality is usually condensed as much as possible to keep the implant binary small; however, RAT implants are still usually larger than other types of malware with less functionality. For example, a typical size for a simple piece of malware is between 5KB and 15KB, with the occasional outlier at 20KB.  The sample implant binary I created for DarkComet, even after being packed, is 352KB.  If you recall, Flame was 20MB, so in comparison DarkComet is tiny.\r\nHere is a breakdown of what happens when DarkComet takes commands from the C2, or controller:\r\nThe implant beacons back to the C2 every 20 seconds to check in and wait for further commands.\r\nWhen the operator wants something done, the C2 sends back a command using a custom traffic encryption scheme.\r\nThe command is received by the implant, decrypted and then parsed for:\r\nAuthenticity – an ID or some other value which confirms that the implant is receiving a command from the correct source\r\nCommand – the exact function requested, e.g. List Active Processes or Disable Task Bar\r\nParameters – the extra options the implant should take into consideration when executing the requested functionality\r\nThe implant takes this parsed information and executes the functionality.\r\nThe output from the execution is sent back to the C2 in the same encrypted form.\r\nThe C2 decrypts the data and presents it to the operator.\r\nOne of the key elements in network detection is the Beacon or the Beacon Response.  
Since the DarkComet beacon is a repetitive string and the encryption only distorts the values in a fixed way (such as an XOR), the exact data sent to the C2, and the response back from it, remain constant while the implant is idle.  These constant values can be used to develop network detection signatures which flag a possible infection.  The next step from a network security standpoint is to track down the exact system infected by the malware and clean it accordingly.  This kind of detection is usually only done on the networks of large organizations or governments, not by single users.\r\nYou might be thinking at this point: “Well hey, if that network detection stuff works so well, why was it not used for Flame?”\r\nAnswer: I assume that after the detection of the infection (that rhymes) and a preliminary analysis of the Flame malware, it was put into place to keep track of which systems were infected and what kind of data was being sent.  However, before Flame was detected, the malware would most likely have kept its beacons as far apart as possible and maybe even routed the data through a series of other infected systems before it went out to its C2.  This would keep the traffic down and not raise any suspicious flags.\r\nMoving on, we know how DarkComet talks to its C2 and how it processes the data and executes its functionality. That’s great and all, but does DarkComet use the same implant for every controller that is downloaded? The answer is no, and that answer fits most RATs.  Certain things need to be configured in an implant, for example the beacon address, target specifications and the level of infection required.  
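The detection idea in the paragraphs above (a constant beacon under a fixed transform leaves a constant wire signature at a steady interval) as an added Python example. This is not code from the original post and not anything from DarkComet itself: the flow records, hosts, timings and the repeating-key XOR keystream are all constructed for illustration, and the real DarkComet traffic encryption and beacon contents are not reproduced. The builder default port 1604 that the next section names is used only as corroboration, never as a verdict on its own.

```python
# Added example, not code from the Malwarebytes post or from DarkComet:
# flag conversations where one host sends an identical payload to one
# destination at a steady interval (the idle-beacon pattern described
# in the post) and add the builder default port 1604 as corroboration.
# Flow records, keystream, hosts and timings below are all constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed toy keystream standing in for the post's 'set way' distortion
# (an assumption for illustration; not DarkComet's real traffic encryption).
TOY_KEY = bytes([0x5A, 0x13, 0xC7, 0x2E])
DEFAULT_PORT = 1604  # builder default named in the post


def toy_encrypt(data: bytes, key: bytes = TOY_KEY) -> bytes:
    # Repeating-key XOR: the same plaintext always yields the same ciphertext,
    # which is exactly why a constant beacon leaves a constant wire signature.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def beacon_flows(src, dst, dport, start, count, period, payload):
    # Synthesise count flow records spaced period seconds apart.
    return [{'ts': start + i * period, 'src': src, 'dst': dst,
             'dport': dport, 'payload': payload} for i in range(count)]


IDLE_BEACON = toy_encrypt(b'IDLE|victim-pc|1.0')

# Constructed flow log: one implant, one browsing host, one jittery keepalive.
FLOWS = (
    beacon_flows('10.0.0.7', '203.0.113.9', DEFAULT_PORT, 1000.0, 12, 20.0, IDLE_BEACON)
    + [{'ts': 1003.0, 'src': '10.0.0.8', 'dst': '198.51.100.4', 'dport': 443, 'payload': b'GET /a'},
       {'ts': 1009.5, 'src': '10.0.0.8', 'dst': '198.51.100.4', 'dport': 443, 'payload': b'GET /b'},
       {'ts': 1047.0, 'src': '10.0.0.8', 'dst': '198.51.100.4', 'dport': 443, 'payload': b'POST /c'}]
    + [{'ts': t, 'src': '10.0.0.9', 'dst': '198.51.100.5', 'dport': 8080, 'payload': b'ping'}
       for t in (2000.0, 2005.0, 2045.0, 2048.0, 2138.0, 2150.0)]
)


def score_flows(flows, min_samples=6, max_jitter=0.15):
    # Returns {(src, dst, dport): [reasons]} for conversations worth a look.
    # A conversation is flagged only when a single payload repeats at a
    # stable interval (coefficient of variation of the gaps below max_jitter).
    # The default port is appended as corroboration; alone it proves nothing.
    by_conv = defaultdict(list)
    for f in flows:
        by_conv[(f['src'], f['dst'], f['dport'])].append(f)
    verdicts = {}
    for conv, recs in by_conv.items():
        if len(recs) < min_samples:
            continue
        recs.sort(key=lambda r: r['ts'])
        gaps = [b['ts'] - a['ts'] for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        single_payload = len({r['payload'] for r in recs}) == 1
        if not (single_payload and avg > 0 and pstdev(gaps) / avg < max_jitter):
            continue
        reasons = ['constant payload every %.0fs' % avg]
        if conv[2] == DEFAULT_PORT:
            reasons.append('default DarkComet builder port 1604')
        verdicts[conv] = reasons
    return verdicts


def beacon_signature(payload: bytes) -> str:
    # The unchanging ciphertext bytes are the content signature an IDS would match.
    return payload.hex()


if __name__ == '__main__':
    for conv, why in score_flows(FLOWS).items():
        print(conv, why, beacon_signature(IDLE_BEACON))
```

The browsing host is ignored because its payloads vary and it has too few samples; the keepalive host repeats one payload but its gaps are irregular, so it is not flagged either. Only the constructed implant conversation survives both checks, and the hex of its constant ciphertext is what you would turn into a network signature.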
DarkComet is no different and comes with its own implant building tools.\r\nThere are two types of implant creation tools (or, as DarkComet calls them, server module builders): a Minimalist one which is quick to use and a Full Editor which requires expert knowledge of the RAT.\r\nMinimalist:\r\nThe minimalist version of the implant creator includes configuration for:\r\nThe Implant ID\r\nThe beacon-back address\r\nThe port to use – The default is 1604, a port used in the past for Citrix-related operations; it was probably chosen because of the high amount of legitimate traffic it used to receive, which helps the beacon blend in.\r\nThe installation destination path and “KeyName”\r\nAn area to drag-and-drop an icon to be used\r\nIt is useful for on-the-fly creation of an implant, but I think most users will probably use the Full Editor instead.\r\nFull Editor:\r\nThe Full Editor gives the user a lot more options when creating the implant; here is a list of those options:\r\nA security password to further authenticate the implant to the controller\r\nThe process mutex to use\r\nThe Server ID\r\nA profile name to save the settings as\r\nThe ability to hijack processes (run inside a trusted process) to get around firewall restrictions\r\nThe address/port to beacon to\r\nInstallation location and filename\r\nKeyname\r\nOptions to:\r\nDestroy the installation binary after first execution\r\nChange the file creation date\r\nCreate persistence on the system\r\nSet dropped file and folder attributes (Hidden/System)\r\nDisplay a message box with text upon installation\r\nVarious stealth, persistence or rootkit functions\r\nDisable various system functions upon installation\r\nUse an offline keylogger or send keylogger data to a remote FTP server (with FTP configuration options)\r\nInstallation 
modifications to the hosts file – to redirect traffic\r\nThe ability to load “plug-ins”\r\nAdditional files to drop and execute upon installation (piggybacking)\r\nWhich icon to use for the binary\r\nThe compression or packer to use:\r\nUPX\r\nMPRESS\r\nThe file extension to use:\r\n.exe\r\n.com\r\n.bat\r\n.pif\r\n.scr\r\nThat is a lot of options! It is clearly the most capable method of creating the implant binary. The scary part about the implant installation binary is that even if it is blocked from reaching its C2, this one file carries enough functionality (persistence, hosts file changes, offline keylogging, piggybacked files) to completely infect your system.\r\nServer Downloader:\r\nThe final option an operator has for creating an infection binary is the Server Downloader. I think this is a neat little tool that creates a lightweight (2KB) application which downloads and executes the real implant installation binary from a given remote URL.  Because the stub itself contains none of the RAT functionality, it is easier to pass off as non-malicious while tricking a user into downloading and executing it.  The options given to the operator are:\r\nThe URL of the file to download\r\nThe extension to use (the same choices as the Full Editor)\r\nHow to protect yourself:\r\nThere are multiple methods used to spread RATs; for DarkComet, some of the biggest are:\r\nDrive-By Attacks\r\nWarez Downloads\r\nSocial Networking Sites\r\nDrive-by attacks mean that when you visit a web page, a malicious script embedded in the page executes and usually exploits some vulnerability on your system, dropping malware and executing it without you ever knowing.  Drive-by attacks are commonly used by cyber-criminals to spread malware.  
The use of drive-by attacks to spread DarkComet doesn’t seem to make a lot of sense, since it is easily detected and removed.  However, as noted on the DarkCoderSC web site, purchasing a VIP account provides the attacker with version updates of DarkComet before they are released to the public.  A new version or variant has not yet been seen by AV vendors and has a greater chance of getting past AV scanners, so it makes sense to try and infect as many systems as possible with it before signatures catch up.\r\nWarez downloads, that is, downloading illegal or cracked software, can lead to downloading something you wish you hadn’t, like DarkComet. Advertising a cracked piece of software and actually providing malware is common practice among less experienced hackers or “script kiddies”, and since DarkComet is so easy to obtain, set up and run, it’s no wonder it’s being spread this way.  I can imagine that a majority of people who participate in such activities (I don’t judge) do not use AV scanners, for numerous reasons (paranoia?), and therefore are great targets for not only DarkComet but any malware!\r\nSocial networking sites are a great way to spread malware: send a link out to a group of people all at once and hope some of them click it, or hack someone’s account and post the link disguised as another user. Either way, it’s an effective way to spread malware, and RAT malware especially.\r\nLuckily, not all is lost.  
If you have Malwarebytes Anti-Malware Pro installed, a few things can happen to protect you.\r\nThe web site you were sent to with the exploit would never have loaded, thanks to the Malwarebytes Web Protection Module.\r\nMalwarebytes Anti-Malware definitions scan for unique features at a deeper level than other AV vendors and are more likely to detect new variants of the same malware.\r\nMalwarebytes Anti-Malware’s Active Protection module would have detected the malware being executed on your system and prevented it from going any further based upon its behavior.\r\nYou can download and install Malwarebytes Anti-Malware even after being infected to detect and remove the threat.\r\nOn top of that, RAT infections can be the product of targeted attacks, though as mentioned above that is not always the case.  They do make a lot of noise, and more often than not antivirus/anti-malware software will detect and remove the infection.  However, this is just one of many types of RATs out there, and while this one has the capability to do malicious things, it is also a capable option for network administration.\r\nSome of the other RATs we will discuss in this series are not so friendly; they are developed for the sole purpose of espionage, and that is apparent in the infection methods used. 
As a general precaution, here is a list of standard security practices you can follow to keep yourself safe:\r\nAlways keep the definitions of your antivirus/anti-malware software up to date\r\nAlways update your operating system\r\nNever click on links in e-mails from people you do not know or trust\r\nAlways keep the most up-to-date security patches for your browser and plug-in applications (Adobe products, Java, etc.)\r\nIf possible, completely disable the Java plug-in in your browser; this removes browser-based Java exploits as a way in.\r\nWhile these measures seem simple enough, they are the best protection for your system without draining your ability to perform standard tasks or your wallet.\r\nAbout the author\r\nOver 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
	],
	"report_names": [
		"you-dirty-rat-part-1-darkcomet"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434322,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0825c023ddbc93c1a00d1fa0cc4525da247d0640.pdf",
		"text": "https://archive.orkl.eu/0825c023ddbc93c1a00d1fa0cc4525da247d0640.txt",
		"img": "https://archive.orkl.eu/0825c023ddbc93c1a00d1fa0cc4525da247d0640.jpg"
	}
}