{
	"id": "51f477ca-1b3c-44ba-ab95-2d8794cf46e8",
	"created_at": "2026-04-06T00:18:58.917254Z",
	"updated_at": "2026-04-10T03:23:52.376941Z",
	"deleted_at": null,
	"sha1_hash": "44cd6a6e05bcd4cf46ff62662b070bb4550e19fe",
	"title": "Enter The Gates: An Analysis of the DarkGate AutoIt Loader | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5024106,
	"plain_text": "Enter The Gates: An Analysis of the DarkGate AutoIt Loader |\r\nSplunk\r\nBy Splunk Threat Research Team\r\nPublished: 2024-01-17 · Archived: 2026-04-05 19:02:32 UTC\r\nAutoIt is a scripting language designed for automating the Windows GUI and general scripting. Over the years, it\r\nhas been utilized for malicious purposes, including AutoIt-compiled malware, which dates back to as early as\r\n2008.\r\nMalware creators have exploited the versatility of AutoIt in a variety of ways, such as using obfuscated scripts for\r\npayload decryption, utilizing legitimate tools like BaSupportVNC, and even creating worms capable of spreading\r\nthrough removable media and Windows shares.\r\nDarkGate is one malware family that uses AutoIt-compiled loaders, and it poses a significant threat due to its\r\nsophisticated evasion techniques and persistence within compromised systems. The malware employs multi-stage\r\npayloads and leverages obfuscated AutoIt scripting, complicating its identification through traditional signature-based methods. Its ability to exfiltrate sensitive data and establish command and control communications demands\r\nvigilant detection and analysis.\r\nIn this blog, the Splunk Threat Research Team (STRT) provides a deep dive analysis of DarkGate malware and its\r\nuse of AutoIt. Below, we’ll cover:\r\nThe DarkGate loader and campaign flow\r\nDarkGate Tactics, Techniques, and Procedures\r\nAtomic Test for AutoIt malware\r\nDarkGate detections from the Splunk Threat Research Team\r\nLoader/Campaign Flow\r\nThe Splunk Threat Research Team has identified multiple campaigns deploying a loader designed to initiate\r\nDarkGate on compromised hosts. One such instance involves the discovery of malicious PDF files, detected and\r\nsubmitted to Splunk Attack Analyzer. The PDF file acts as a carrier, triggering a sequence where a malicious CAB\r\nfile is downloaded. 
This CAB file, in turn, fetches a .MSI file, which contains and loads the DarkGate malware\r\npayload.\r\nThis chain of events showcases a method employed by threat actors, utilizing maliciously crafted PDF\r\nfiles as a gateway to execute a sequence resulting in the installation of the DarkGate malware. The multi-stage\r\nnature of this attack demonstrates the intricacy and stealth employed by adversaries to infiltrate and compromise\r\ntargeted systems.\r\nhttps://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html\r\nPage 1 of 15\n\nFigure 1: Analysis of malicious PDF infection chain in Splunk Attack Analyzer\r\nIn Figure 1, a detailed diagram showcases the .MSI file's functionality, executing its role in the orchestration of\r\nDarkGate's deployment. This file manifests a sequence where it loads multiple components, including the\r\nlegitimate windbg.exe, a DLL module, and two .BIN files, all instrumental in the execution of DarkGate.\r\nMoreover, the Splunk Threat Research Team found another variant of this malicious .MSI. 
This variant extends its\r\ninfection strategy by introducing an additional .CAB installer into the installation process on the targeted host.\r\nThis augmented approach further amplifies the complexity and sophistication of the infection methodology\r\nadopted by threat actors, emphasizing their persistent efforts to evade detections.\r\nUpon analysis and reverse engineering of the .MSI file, our investigation unveiled a loader execution flow with a\r\nseries of file executions, as visualized in Figure 2.\r\nFigure 2: Malicious MSI Infection Flow (For a larger resolution of this diagram visit this link)\r\nWe've segmented the loader execution flow into four distinct phases:\r\nPhase 1: .MSI executes .CAB\r\nPhase 2: Exploiting DLL side-loading through windbg.exe\r\nPhase 3: The AutoIt loader\r\nPhase 4: The final loader\r\nBelow, we’ll dive into each of these phases to elaborate on the specific files and processes initiated by the .MSI\r\nfile, which ultimately lead to the decryption of the actual DarkGate malware.\r\nPhase 1: .MSI Executes .CAB\r\nThe initial phase of the execution flow involves the .MSI file attempting to launch its primary component, an\r\nembedded .CAB file labeled \"Binary.bz.WrappedSetupProgram.\" This component serves as a pivotal element\r\nwithin the MSI's operational sequence, marking the outset of its intended execution path.\r\nFigure 3: Binary.bz.WrappedSetupProgram Query for Execution\r\nWithin the .CAB file, a collection of files has been identified, as depicted in Figure 4. 
Among these files, the\r\npivotal components driving the initiation of DarkGate malware include windbg.exe, dbgeng.dll, data.bin, and\r\ndata2.bin.\r\nHowever, it's important to note that the four .png files are utilized solely as decoys or dummies in this specific\r\nscenario, designed to obfuscate or mislead the observer from the critical components of the DarkGate execution.\r\nFigure 4: .CAB Extracted Files\r\nPhase 2: Exploiting DLL Side-Loading Through windbg.exe\r\nThe next phase in installing this malicious .CAB file involves the execution of a specially crafted dbgeng.dll using\r\nDLL side-loading techniques via windbg.exe. This process essentially entails windbg.exe automatically loading\r\nthe dbgeng.dll, facilitating the progression of the malicious code.\r\nThe dbgeng.dll module functions to read and decode the contents of the base64 encoded data.bin file, utilizing\r\ncustomized base64 character sets for decoding purposes. The decoded data.bin is actually an executable that will\r\nprocess the data2.bin.\r\nFigure 5: data.bin decoded\r\nPhase 3: The AutoIt Loader\r\nIn this phase, the decrypted .exe from the data.bin file proceeds to decode the data2.bin file. Unlike its\r\npredecessor, data2.bin holds two encoded files, separated by the 'splitres' string.\r\nThe first decoded file resulting from the base64 process is a valid AutoIt3.exe, employed to execute the second\r\nfile: a compiled AutoIt script named script.au3. Both files are dropped within the 'c:\\tmpa' directory and executed\r\nthrough a straightforward command line.\r\nFigure 6: Decoded files from data2.bin\r\nFigure 7: Command line for execution of compiled AutoIt script\r\nAs part of our analysis, we decompiled the script.au3 file to unveil the underlying AutoIt script. 
This exploration\r\nwas crucial to understanding the full scope and behavior of this malicious script, allowing us to gain insight into its\r\ncomplete functionality and operational behavior.\r\nFigure 8 presents a code snippet from the decompiled script.au3, revealing the initialization phase along with\r\nnumerous concatenations of hexadecimal strings stored within the 'oylnnnhx' variable. This concatenated content\r\nconstitutes shellcode that encapsulates an .exe file, set to execute using the 'Execute' command in AutoIt.\r\nAdditionally, we've included the de-obfuscated version of all 'BinaryToString' values in commented format. This\r\nprovides a comprehensive view of the entire process, including how it was executed by leveraging the callback\r\nfunction of the EnumWindows() API.\r\nFigure 8: Decompiled script.au3\r\nPhase 4: The Final Loader\r\nThe final loader encompasses both shellcode and an .exe file designed to decrypt the DarkGate malware. Notably,\r\nthe shellcode employs an intriguing technique utilizing the 'MZ' or DOS header bytes from the embedded win32\r\nPE within its code as part of its shellcode to initiate execution at the win32 PE file entry point. This methodology\r\nmirrors a technique employed by the Cobalt Strike beacon, as documented in tccontre’s blog.\r\nFigure 9: MZ header as shellcode\r\nThe embedded win32 PE file, triggered by the shellcode execution, will read the compiled AutoIt script script.au3.\r\nIts primary objective is to search for a specific string recognized as the AutoIt script compiled bytes header,\r\ndenoted by 'AU3!EA06.' This string search operation holds significance, as it aims to pinpoint an essential 8-byte\r\ndecryption key instrumental in decrypting the DarkGate malware. 
The 8-byte decryption key is placed right after\r\nthe 'AU3!EA06' string.\r\nFigure 10: Search for AU3!EA06 bytes header\r\nFigure 11 illustrates the decryption process of the encrypted DarkGate malware employing an 8-byte decryption\r\nkey through a straightforward XOR operation.\r\nFigure 11: Decrypting DarkGate malware\r\nDarkGate Tactics, Techniques, and Procedures\r\nThere are a number of Tactics, Techniques, and Procedures (TTPs) related to DarkGate — too many for us to\r\ncover in a single blog post. Other blogs have covered some of these, such as:\r\nInformation theft through key logging\r\nLeveraging remote connections\r\nEstablishing persistence via registry run keys\r\nBrowser Information Stealer\r\nC2 communication\r\nTherefore, in this post we’re going to highlight four TTPs we haven’t seen covered as much:\r\nLateral movement via PSEXEC\r\nMalicious download and execution (CryptoMiner)\r\nProxy Setup\r\nRDP Configuration\r\nLateral Movement via PSEXEC\r\nDarkGate leverages PSEXEC for its privilege escalation capabilities and potentially for lateral movement within\r\ncompromised networks, enabling the exfiltration or collection of sensitive information.\r\nFigure 12: Psexec Execution\r\nMalicious Download and Execution (CryptoMiner)\r\nDarkGate possesses the capability to download and install CryptoMiner malware on the compromised\r\nhost, constituting a part of its malicious behavior and exploitation of the compromised system.\r\nFigure 13: Installation of CryptoMiner\r\nProxy 
Setup\r\nThis malware will also try to enable a proxy and set up a proxy server on the compromised host to anonymize its\r\ncommunications. It can route its traffic through the proxy, obscuring the actual source of the communication,\r\nwhich can make it harder to trace back to the attacker.\r\nFigure 14: Proxy Setup\r\nRDP Configuration\r\nDarkGate also manipulates multiple registry settings related to Remote Desktop Protocol (RDP) configurations on\r\nthe compromised host. These alterations grant DarkGate control over the system through this protocol, allowing\r\nthe malware to potentially modify RDP settings to suit its operational needs or facilitate remote access and\r\ncontrol.\r\nFigure 15: RDP Settings\r\nAtomic Testing\r\nFor testing purposes, we wanted to create a new Atomic Test that folks may load up and begin utilizing right away.\r\nThis Atomic test is centered around AutoIt3 execution.\r\nattack_technique: T1059\r\ndisplay_name: Command and Scripting Interpreter\r\natomic_tests:\r\n- name: AutoIt Message Box Test with Download and Extract\r\n  description: |\r\n    Downloads AutoIt to the temporary directory, extracts it, and executes an AutoIt script that shows a message\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    autoit_script_src:\r\n      description: The local src to the AutoIt script to execute\r\n      type: Path\r\n      default: \"PathToAtomicsFolder\\\\T1059\\\\src\\\\automsgbox.au3\"\r\n  executor:\r\n    name: powershell\r\n    elevation_required: false\r\n    command: |\r\n      $ErrorActionPreference = 'Stop';\r\n      $autoitExePath = 
\"$env:TEMP\\\\autoit-v3\\\\install\\\\autoit3.exe\";\r\n      if (-not (Test-Path -Path $autoitExePath)) {\r\n        iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \"$env:TEMP\\\\autoit-\r\n        Expand-Archive -LiteralPath \"$env:TEMP\\\\autoit-v3.zip\" -DestinationPath \"$env:TEMP\\\\autoit-v3\";\r\n      }\r\n      Start-Process -FilePath $autoitExePath -ArgumentList (Resolve-Path \"#{autoit_script_src}\").Path;\r\nSave this where AutoIt3.exe can access it:\r\nAutomsgbox.au3\r\nMsgBox(0, \"Atomic Message\", \"hello from Atomic Red Team\")\r\nThe Atomic test will download AutoIt3.exe and run the automsgbox.au3 file.\r\nA successful run produces a message box pop-up:\r\nFigure 16: AutoIt Atomic Test\r\nThe telemetry left behind can now be correlated with the security content that has been generated.\r\nSecurity Content\r\nThe Splunk Threat Research Team has curated relevant detections and tagged them to the DarkGate Analytic\r\nStory to help security analysts detect adversaries leveraging the malware.\r\nThis release used and considered relevant endpoint telemetry data sources such as:\r\nProcess Execution \u0026 Command Line Logging\r\nWindows Security SACL Event ID, Sysmon, or any Common Information Model-compliant EDR\r\ntechnology\r\nWindows Security Event Log\r\nWindows System Event Log\r\nWindows PowerShell Script Block Logging\r\nBelow are some of the analytic SPL searches that the Splunk Threat Research Team developed for DarkGate\r\nmalware.\r\nWindows Credentials from Password Stores Creation\r\nThis analytic identifies a process execution of Windows OS’s cmdkey.exe tool. 
This tool is abused\r\nby several post-exploitation tools and malware, such as DarkGate, to create stored user names, passwords or\r\ncredentials on the targeted Windows host.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process\r\n by Processes.process_name Processes.original_file_name Processes.process Processes.process_id\r\n Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Pr\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_credentials_from_password_stores_creation_filter`\r\nFigure 17: Detection Test 1\r\nWindows Modify Registry DisableRemoteDesktopAntiAlias\r\nThis analytic identifies a modification in the Windows registry to DisableRemoteDesktopAntiAlias. This registry\r\nsetting might be intended to manage or control anti-aliasing behavior (smoothing of edges and fonts) within\r\nRemote Desktop sessions.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where Registry.registry_path = \"*\\\\Terminal Services\\\\DisableRemoteDesktopAntiAlias\" Registry.registry_value_\r\n by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Reg\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_modify_registry_disableremotedesktopantialias_filter`\r\nFigure 18: Detection Test 2\r\nWindows Modify Registry DontShowUI\r\nThis analytic identifies a modification in the Windows Error Reporting registry. 
This registry value is present and\r\nset to a specific configuration that influences the behavior of error reporting dialogs or prompts, suppressing them\r\nfrom being displayed to the user. For instance, setting DontShowUI to a value of 1 often indicates that the\r\nWindows Error Reporting UI prompts will be suppressed, meaning users won't see error reporting pop-ups when\r\nerrors occur.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\DontShowUI\" Registr\r\n by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Reg\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_modify_registry_dontshowui_filter`\r\nFigure 18: Detection Test 3\r\nOverall, the DarkGate Analytic Story introduces 41 detections across MITRE ATT\u0026CK techniques. 
The table\r\nbelow provides details on the indicators of compromise (IOCs) the Splunk Threat Research Team analyzed to\r\ndevelop the analytic story, which were the DarkGate phishing attachment and two loader hashes.\r\nIn Summary\r\nBy understanding DarkGate malware’s behaviors, the Splunk Threat Research Team was able to generate\r\ntelemetry and datasets to develop and test Splunk detections to help defend against and respond to this threat.\r\nSecurity analysts, blue teamers and Splunk customers can use the insights and detections described in this blog to\r\ndiscover DarkGate tactics, techniques and procedures potentially being used by threat actors and adversaries in\r\ntheir environments.\r\nEarly detection of DarkGate activities enables prompt containment and remediation, mitigating potential damage\r\nand preventing further propagation. Collaborative sharing of threat intelligence across security communities is\r\ncrucial to enhance collective defense strategies. Continuous monitoring, alongside updated defense mechanisms,\r\nis essential to keep pace with DarkGate's evolving tactics and ensure robust protection against its threats.\r\nLearn More\r\nYou can find the latest Splunk content about security analytic stories on GitHub and in Splunkbase. Splunk\r\nSecurity Essentials also has all these detections now available via push update.\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the\r\nSlack channel #security-research. 
Follow these instructions if you need an invitation to our Splunk user groups on\r\nSlack.\r\nContributors\r\nWe would like to thank Teoderick Contreras and Michael Haag for authoring this post and the entire Splunk\r\nThreat Research Team for their contributions, including Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto,\r\nEric McGinnis, and Patrick Bareiss.\r\nSource: https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html"
	],
	"report_names": [
		"enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434738,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44cd6a6e05bcd4cf46ff62662b070bb4550e19fe.pdf",
		"text": "https://archive.orkl.eu/44cd6a6e05bcd4cf46ff62662b070bb4550e19fe.txt",
		"img": "https://archive.orkl.eu/44cd6a6e05bcd4cf46ff62662b070bb4550e19fe.jpg"
	}
}