{
	"id": "128b985e-93d3-41af-bd26-9447950a3fa8",
	"created_at": "2026-04-06T00:17:32.304994Z",
	"updated_at": "2026-04-10T03:20:20.787889Z",
	"deleted_at": null,
	"sha1_hash": "42a3d1cb1b68f1e7c93114eceb6cffddaa519fae",
	"title": "DarkComet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92087,
	"plain_text": "DarkComet\r\nBy Contributors to Wikimedia projects\r\nPublished: 2015-05-05 · Archived: 2026-04-05 20:10:36 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nDarkComet\r\nDeveloper Jean-Pierre Lesueur (DarkCoderSc)\r\nFinal release 5.3.1\r\nOperating system Microsoft Windows\r\nType Remote Administration Tool\r\nLicense freeware\r\nWebsite https://www.darkcomet-rat.com/[1]\r\nDarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur (known as DarkCoderSc[2]), an\r\nindependent programmer and computer security coder from France. Although the RAT was developed back in\r\n2008, it began to proliferate at the start of 2012. The program was discontinued, partially due to its use in the\r\nSyrian civil war to monitor activists but also due to its author's fear of being arrested for unnamed reasons.[1] As\r\nof August 2018, the program's development \"has ceased indefinitely\", and downloads are no longer offered on its\r\nofficial website.[3]\r\nDarkComet allows a user to control the system with a graphical user interface. It has many features which allows\r\na user to use it as administrative remote help tool; however, DarkComet has many features which can be used\r\nmaliciously. DarkComet is commonly used to spy on the victims by taking screen captures, key-logging, or\r\npassword stealing.\r\nHistory of DarkComet\r\nSyria\r\nIn 2011 to 2014, DarkComet was linked to the Syrian conflict. People in Syria began using secure connections to\r\nbypass the government's censorship and the surveillance of the internet. This caused the Syrian Government to\r\nhttps://en.wikipedia.org/wiki/DarkComet\r\nPage 1 of 4\n\nresort to using RATs to spy on its civilians. 
Many believe that this is what caused the arrests of many activists\r\nwithin Syria.[1]\r\nThe RAT was distributed via a \"booby-trapped Skype chat message\" which consisted of a message with a\r\nFacebook icon which was actually an executable file that was designed to install DarkComet.[4] Once infected, the\r\nvictim's machine would try to send the same booby-trapped Skype chat message to other people.\r\nOnce DarkComet was linked to the Syrian regime, Lesueur stopped developing the tool. “I never imagined\r\nit would be used by a government for spying,” he said. “If I had known that, I would never have created such a\r\ntool.”[1]\r\nTarget Gamers, Military and Governments\r\nIn 2012, Arbor Networks found evidence of DarkComet being used to target military and gamers by\r\nunknown hackers from Africa. At the time, they mainly targeted the United States.[5]\r\nJe Suis Charlie\r\nIn the wake of the January 7, 2015, attack on the Charlie Hebdo magazine in Paris, hackers used the\r\n\"#JeSuisCharlie\" slogan to trick people into downloading DarkComet. DarkComet was disguised as a picture of a\r\nnewborn baby whose wristband read \"Je suis Charlie.\" Once the picture was downloaded, the users became\r\ncompromised.[6] Hackers took advantage of the disaster to compromise as many systems as possible. DarkComet\r\nwas spotted within 24 hours of the attack.\r\nArchitecture and Features\r\nArchitecture\r\nDarkComet, like many other RATs, uses a reverse-socket architecture. The uninfected computer with a GUI\r\nenabling control of infected ones is the client, while the infected systems (without a GUI) are servers.[7]\r\nWhen DarkComet executes, the server connects to the client and allows the client to control and monitor the\r\nserver. At this point the client can use any of the features which the GUI contains. The server opens a socket,\r\nwaits to receive packets from the controller, and executes the commands when they are received. 
In some cases, the\r\nmalware may use system utilities to evade detection and gain persistence. For example, it can employ the\r\nMITRE ATT&CK technique T1564.001 (Hidden Files and Directories) by starting attrib.exe through cmd.exe to hide the main executable.\r\nFeatures\r\nThe following list of features is not exhaustive, but these are the critical ones that make DarkComet a dangerous tool.\r\nMany of these features can be used to completely take over a system and allow the client full access when\r\ngranted via UAC.\r\nSpy Functions\r\nWebcam Capture\r\nSound Capture\r\nRemote Desktop\r\nKeylogger\r\nNetwork Functions\r\nActive Ports\r\nNetwork Shares\r\nServer Socks5\r\nLAN Computers\r\nNet Gateway\r\nIP Scanner\r\nUrl Download\r\nBrowse Page\r\nRedirect IP/Port\r\nWiFi Access Points\r\nComputer Power\r\nPoweroff\r\nShutdown\r\nRestart\r\nLogoff\r\nServer Actions\r\nLock Computer\r\nRestart Server\r\nClose Server\r\nUninstall Server\r\nUpload and Execute\r\nRemote Edit Service\r\nUpdate Server\r\nFrom URL\r\nFrom File\r\nDarkComet also has some \"Fun Features\".\r\nFun Features\r\nFun Manager\r\nPiano\r\nMessage Box\r\nMicrosoft Reader\r\nRemote Chat\r\nDetection\r\nDarkComet is a widely known piece of malware. If a user installs an antivirus, or a DarkComet remover, they can\r\ndisinfect their computer quickly. Its target machines are typically anything from Windows XP, all the way up to\r\nWindows 10.\r\nCommon anti-virus tags for a DarkComet application are as follows:\r\nTrojan[Backdoor]/Win32.DarkKomet.xyk\r\nBDS/DarkKomet.GS\r\nBackdoor.Win32.DarkKomet!O\r\nRAT.DarkComet\r\nWhen a computer is infected, it tries to create a connection via socket to the controller’s computer. 
Once the\r\nconnection has been established, the infected computer listens for commands from the controller. If the controller\r\nsends out a command, the infected computer receives it and executes whatever function is sent.\r\nReferences\r\n1. McMillan, Robert. \"How the Boy Next Door Accidentally Built a Syrian Spy Tool\". Wired.\r\n2. \"DarkCoderSc | SOLDIERX.COM\". SoldierX. Retrieved 13 October 2017.\r\n3. \"Project definitively closed since 2012\". “DarkComet-RAT development has ceased indefinitely in July\r\n2012. Since the [sic], we do not offer downloads, copies or support.” [permanent dead link]\r\n4. \"Spy code creator kills project after Syrian abuse\". BBC. 10 July 2012.\r\n5. Wilson, Curt. \"Exterminating the RAT Part I: Dissecting Dark Comet Campaigns\". Arbor.\r\n6. Vinton, Kate. \"How Hackers Are Using #JeSuisCharlie To Spread Malware\". Forbes.\r\n7. Denbow, Shawn; Hertz, Jesse. \"pest control: taming the rats\" (PDF). Matasano. Archived from the\r\noriginal (PDF) on 2015-03-28. Retrieved 2015-05-05.\r\nExternal links\r\nOfficial website (now defunct)\r\nSource: https://en.wikipedia.org/wiki/DarkComet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/DarkComet"
	],
	"report_names": [
		"DarkComet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/42a3d1cb1b68f1e7c93114eceb6cffddaa519fae.pdf",
		"text": "https://archive.orkl.eu/42a3d1cb1b68f1e7c93114eceb6cffddaa519fae.txt",
		"img": "https://archive.orkl.eu/42a3d1cb1b68f1e7c93114eceb6cffddaa519fae.jpg"
	}
}