{
	"id": "4b72c3de-a448-4b3c-9b08-2e213eac4d7a",
	"created_at": "2026-04-06T00:07:21.860567Z",
	"updated_at": "2026-04-10T03:20:51.754717Z",
	"deleted_at": null,
	"sha1_hash": "365072ddc290aec19b958f52fe7f6a2e877955a3",
	"title": "DARKCOMET - Threat Encyclopedia | Trend Micro (US)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55082,
	"plain_text": "DARKCOMET - Threat Encyclopedia | Trend Micro (US)\r\nArchived: 2026-04-05 21:25:52 UTC\r\nDARKCOMET (also known as FYNLOS) is a Remote Administration Tool (RAT) that is used in many targeted\r\nattacks. It has the ability to take pictures via webcam, listen in on conversations via a microphone attached to a\r\nPC, and gain full control of the infected machine.\r\nThis RAT is also known for its keylogging and file transfer functionality. As such, any remote attacker can load\r\nany files onto the infected machine or even steal documents.\r\nDARKCOMET steals the following information:\r\nAdmin rights\r\nComputer/User name\r\nLanguage/Country\r\nOperating System information\r\nRAM used\r\nWeb Cam information\r\nThis backdoor modifies certain registry entries to disable Security Center functions. Doing this allows this\r\nmalware to execute its routines without being detected. It disables Task Manager, Registry Editor, and Folder\r\nOptions. It modifies registry entries to disable the Windows Firewall settings. This action allows this malware to\r\nperform its routines without being deteted by the Windows Firewall.\r\nInstallation\r\nThis backdoor drops the following copies of itself into the affected system:\r\n%User Temp%\\WinDefender.Exe\r\n%Application Data%\\VIA\\vc.exe\r\n%User Temp%\\lsasrv.exe\r\n%System%\\Windupdt\\winupdate.exe\r\n%Application Data%\\HostProcess\\{malware name}.exe\r\n(Note: %User Temp% is the current user's Temp folder, which is usually C:\\Documents and Settings\\{user\r\nname}\\Local Settings\\Temp on Windows 2000, XP, and Server 2003, or C:\\Users\\{user\r\nname}\\AppData\\Local\\Temp on Windows Vista and 7.. %Application Data% is the current user's Application\r\nData folder, which is usually C:\\Documents and Settings\\{user name}\\Application Data on Windows 2000, XP,\r\nand Server 2003, or C:\\Users\\{user name}\\AppData\\Roaming on Windows Vista and 7.. %System% is the\r\nWindows system folder, which is usually C:\\Windows\\System32.)\r\nIt creates the following folders:\r\n%Application Data%\\dclogs\r\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET\r\nPage 1 of 4\n\n%Application Data%\\VIA\r\n%System%\\Windupdt\r\n%Application Data%\\HostProcess\r\n(Note: %Application Data% is the current user's Application Data folder, which is usually C:\\Documents and\r\nSettings\\{user name}\\Application Data on Windows 2000, XP, and Server 2003, or C:\\Users\\{user\r\nname}\\AppData\\Roaming on Windows Vista and 7.. %System% is the Windows system folder, which is usually\r\nC:\\Windows\\System32.)\r\nAutostart Technique\r\nThis backdoor adds the following registry entries to enable its automatic execution at every system startup:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\\r\nWindows\\CurrentVersion\\Run\r\nWinDefender = \"%User Temp%\\WinDefender.Exe\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\\r\nWindows\\CurrentVersion\\Run\r\nVIAChipset = \"%Application Data%\\VIA\\vc.exe\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\\r\nWindows\\CurrentVersion\\Run\r\nMicrosoft® Windows® Operating System = \"%User Profile%\\Templates\\msadrh10.exe\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\\r\nWindows\\CurrentVersion\\Run\r\nwinupdater = \"%System%\\Windupdt\\winupdate.exe\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\\r\nWindows\\CurrentVersion\\Run\r\nHostProcess = \"%Application Data%\\HostProcess\\{malware name}.exe\"\r\nIt modifies the following registry entries to ensure it automatic execution at every system startup:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\\r\nWindows NT\\CurrentVersion\\Winlogon\r\nUserinit = \"%System%\\userinit.exe,%Application Data%\\VIA\\vc.exe\"\r\n(Note: The default value data of the said registry entry is %System%\\userinit.exe,.)\r\nOther System Modifications\r\nThis backdoor adds the following registry entries as part of its installation routine:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\\r\nWindows\\CurrentVersion\\Policies\\\r\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET\r\nPage 2 of 4\n\nSystem\r\nEnableLUA = \"0\"\r\nIt adds the following registry keys as part of its installation routine:\r\nHKEY_CURRENT_USER\\Software\\DC3_FEXEC\r\nIt modifies the following registry entries to disable Security Center functions:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\\r\nSecurity Center\r\nAntiVirusDisableNotify = \"1\"\r\n(Note: The default value data of the said registry entry is 0.)\r\nIt creates the following registry entry(ies) to disable Task Manager, Registry Tools and Folder Options:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\\r\nWindows\\CurrentVersion\\Policies\\\r\nSystem\r\nDisableTaskMgr = \"1\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\\r\nWindows\\CurrentVersion\\Policies\\\r\nSystem\r\nDisableRegistryTools = \"1\"\r\nIt modifies the following registry entries to disable the Windows Firewall settings:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\\r\nServices\\SharedAccess\\Parameters\\\r\nFirewallPolicy\\StandardProfile\r\nEnableFirewall = \"0\"\r\n(Note: The default value data of the said registry entry is \"1\".)\r\nDropping Routine\r\nThis backdoor drops the following files:\r\n%Application Data%\\dclogs\\{date executed}-{number}.dc\r\n%User Temp%\\NovoUpdate.exe\r\n%User Profile%\\Templates\\msadrh10.exe\r\n%User Temp%\\vbc.exe\r\n(Note: %Application Data% is the current user's Application Data folder, which is usually C:\\Documents and\r\nSettings\\{user name}\\Application Data on Windows 2000, XP, and Server 2003, or C:\\Users\\{user\r\nname}\\AppData\\Roaming on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is\r\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET\r\nPage 3 of 4\n\nusually C:\\Documents and Settings\\{user name}\\Local Settings\\Temp on Windows 2000, XP, and Server 2003, or\r\nC:\\Users\\{user name}\\AppData\\Local\\Temp on Windows Vista and 7.. %User Profile% is the current user's\r\nprofile folder, which is usually C:\\Documents and Settings\\{user name} on Windows 2000, XP, and Server 2003,\r\nor C:\\Users\\{user name} on Windows Vista and 7.)\r\nOther Details\r\nThis backdoor connects to the following possibly malicious URL:\r\n{BLOCKED}ount3.no-ip.org\r\n{BLOCKED}604.no-ip.org\r\n{BLOCKED}x-update.zapto.org\r\nhttp://{BLOCKED}e.habbo-dev.com/files\r\n{BLOCKED}554.no-ip.biz\r\n{BLOCKED}ster1.no-ip.org\r\n{BLOCKED}2.{BLOCKEDmedia.net\r\nSource: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET\r\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET"
	],
	"report_names": [
		"DARKCOMET"
	],
	"threat_actors": [],
	"ts_created_at": 1775434041,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/365072ddc290aec19b958f52fe7f6a2e877955a3.pdf",
		"text": "https://archive.orkl.eu/365072ddc290aec19b958f52fe7f6a2e877955a3.txt",
		"img": "https://archive.orkl.eu/365072ddc290aec19b958f52fe7f6a2e877955a3.jpg"
	}
}