{
	"id": "0e82b49c-5696-47de-bc9c-bdabe0861e58",
	"created_at": "2026-04-06T00:17:51.404117Z",
	"updated_at": "2026-04-10T03:33:30.447758Z",
	"deleted_at": null,
	"sha1_hash": "502e65a962ee695298b19d6b46959953ce6c72ca",
	"title": "DarkGate Internals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1625796,
	"plain_text": "DarkGate Internals\r\nBy Pierre Le Bourhis\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2023-11-20 · Archived: 2026-04-05 17:47:42 UTC\r\nIntroduction \u0026 Objectives\r\nDarkGate is sold as Malware-as-a-Service (MaaS) on various cybercrime forums by RastaFarEye persona, in the\r\npast months it has been used by multiple threat actors such as TA577 and Ducktail. DarkGate is a loader with\r\nRAT capabilities developed in Delphi with modules developed in C++, which gained notoriety in the second half\r\nof 2023, due to its capability to operate covertly and its agility to evade detection by antivirus systems. This\r\ntechnical report delves into an in-depth analysis of DarkGate, shedding light on its inner workings, evasion\r\ntechniques, and potential impacts.\r\nThe analysis starts from the following AutoIt script: SHA-256\r\nb049b7e03749e7f0819f551ef809e63f8a69e38a0a70b697f8a5a82a792a1df9\r\nFigure 1. Overview of DarkGate infection chains\r\nData obfuscation\r\nUnusual base64 encoding\r\nThe loader uses various techniques to obfuscate data, including strings and configuration encoding using the\r\nbase64 algorithm with a first unordered alphabet.\r\nhttps://blog.sekoia.io/darkgate-internals/\r\nPage 1 of 22\n\nFigure 2. The two alphabets used for data encoding/decoding\r\nThe second alphabet is used to decode the list of Command and Control (C2) URLs and the C2 HTTP messages,\r\nwhile the first one is used everywhere in the binary to decrypt the configuration and other strings employed for\r\ndynamic API resolution.\r\nAs introduced, the configuration of DarkGate is obfuscated in the PE, it uses a TStringList to store it, TStringList\r\nwhich can be seen as a hashtable in the C world.\r\nFigure 3. 
DarkGate configuration decoded\r\nSeveral public tools extract this configuration from a sample:\r\nhttps://github.com/telekom-security/malware_analysis/blob/main/darkgate/extractor.py\r\nhttps://github.com/esThreatIntelligence/RussianPanda_tools/blob/main/darkgate_config_extractor_2.py\r\nMessage obfuscations\r\nThe communication between the bot and the server is made over HTTP. More details about the C2 communication are provided in the “Command and Control” section of this report. The content of the communication is obfuscated with base64 encoding (using the second alphabet, as described above) and a single-byte XOR operation whose key is derived from the bot ID. For further details on how the bot ID is computed, see the in-depth analysis in the DCSO CyTec report.\r\ndigest = MD5(product_id+processor+user+computer)\r\nThe digest is then encoded with a custom alphabet that is used as a nibble-wise lookup table, according to DCSO CyTec.\r\nFigure 4. IDA decompiled function used to XOR data\r\nThe following is a Python version of the XOR key derivation used by DarkGate. The key is seeded with the length of the bot identifier and then XORed with each character of the bot identifier to build the final single-byte key:\r\nxorKey = len(botID)\r\nfor char in botID:\r\n    xorKey ^= ord(char)\r\nThe following CyberChef recipe implements the deobfuscation function for the C2 messages.\r\nFigure 5. Message deobfuscation using CyberChef\r\nNB: the first string is a wide string (UTF-16LE) in hexadecimal representation\r\n(500072006F006700720061006D0020004D0061006E006100670065007200 = Program Manager).\r\nFile obfuscation\r\nThe malware encrypts some of the files it creates with the Rijndael algorithm using a 160-bit key. It drives the block cipher in 8-bit cipher feedback mode (CFB8Bit), which turns it into a byte-oriented stream cipher, rather than using a plain block mode. 
The key derivation is, again, explained in the DCSO CyTec report:\r\ndigest = MD5(product_id+processor+user+computer)\r\nbot_id = custom_encode(digest)\r\ndigest2 = MD5(\"mainhw\"+bot_id+internal_mutex)\r\nencoded = custom_encode(digest2)\r\naes_key = encoded[:7].lower()\r\nAs the extract above shows, both the AES key and the bot identifier are built from string concatenation, MD5 and the custom encoding. The resulting key is used, for instance, to encrypt the content of the logs, e.g. the crash log.\r\nRAT TTPs\r\nReverse shell\r\nDarkGate implements a reverse shell that is started in a dedicated process, using pipes to redirect the standard input, output and error streams (stdin, stdout, stderr).\r\nFigure 6. DarkGate function used to set up the reverse shell, leveraging standard input/output to create an interactive shell\r\nOnce the connection is established, the commands received from the attacker are written to the local pipes on the victim’s machine, executed by the command interpreter, and the results are sent back to the attacker through the pipe. In effect, the attacker interacts with the victim’s system as if they had a command prompt on that machine.\r\nThe channel is bidirectional: the attackers send commands and receive responses in real time, which lets them navigate the victim’s system, exfiltrate data or perform other malicious actions.\r\nPowerShell script execution\r\nTo support the post-compromise stage, DarkGate can execute PowerShell files and commands.\r\nFigure 7. DarkGate code used to 1) execute the PowerShell script if the file already exists or 2) download and then execute it\r\nAs shown in Figure 7, the function can download a new PowerShell script if needed (by sending action ID 1489). It then sets up the PowerShell environment by looking for the powershell.exe binary in its dedicated directory (it uses the directory alias Synactive to avoid basic detection of the PowerShell path).\r\nFigure 8. Function used to execute the PowerShell script\r\nThe output of the execution is written to “c:\\temp\\tskm” before being sent to the Command and Control server.\r\nKeylogger\r\nTo log keystrokes on the infected host, the malware retrieves the foreground window (the one the user is interacting with) and its process identifier. It then combines the Windows functions GetAsyncKeyState and GetKeyNameText to capture the user’s keystrokes and writes them to the log file “masteroflog”.\r\nDiscord token hunting\r\nAnother functionality provided by DarkGate is the collection of Discord tokens. 
To do so, it looks for the Discord process with the well-documented process enumeration technique based on the Windows API functions CreateToolhelp32Snapshot, Process32First and Process32Next.\r\nIt then attempts to open the process with the access rights:\r\nPROCESS_QUERY_LIMITED_INFORMATION | PROCESS_DUP_HANDLE\r\nOnce it has access to the process memory, the malware first searches for the string:\r\n\"events\":[{\"type\":\"channel_opened\",\"properties\":{\"client_track_timestamp\r\nThen it looks for the following string:\r\n{“token”: “\r\nand extracts all characters up to the next double quote, which terminates the token.\r\nIn short, this method scans the Discord process memory for the JSON structure that holds the token.\r\nRemote access\r\nIn addition to the reverse shell, DarkGate also provides remote desktop access through hidden Virtual Network Computing (hVNC). To set up the access, the loader first checks whether the software is installed on the infected machine and downloads it if not. If the software is already installed and configured with an account, DarkGate replaces it with the following default login / password combination: SafeMode / darkgatepassword0\r\nThe credentials of the SafeMode user are stored for the loopback target 127.0.0.2 with the following command line (cmdkey registers stored credentials in the Credential Manager; it does not create the account itself):\r\ncmd.exe “/c cmdkey /generic:\\\"127.0.0.2\\\" /user:\\\"SafeMode\\\" /pass:\\\"darkgatepassword0\\\"”\r\nPrivilege escalation\r\nDarkGate uses different techniques to elevate its privileges on the infected host, from standard user to local administrator and then to SYSTEM. 
For that purpose, the malware implements three techniques:\r\nRestarts itself using PsExec from the Sysinternals suite;\r\nExecutes a raw stub that contains privilege escalation code (we cannot provide more information on this technique because no code related to it was found in the analysed samples);\r\nExecutes an embedded executable to elevate its privileges.\r\nPersistence\r\nTo keep access across reboots on the infected host, DarkGate implements a set of persistence methods selected by the bot configuration. Attackers can configure the bot persistence using one of these techniques:\r\n1. Create a LNK file in the Startup folder that executes AutoIt3.exe with the AU3 script\r\n2. Set the registry key CurrentVersion\\Run with the LNK file.\r\n3. Use one of the three DLLs loaded using Extexport.exe (more details in the section “LOLBAS DLL loading”)\r\nFigure 9. LNK executing AutoIt3.exe with the DarkGate AU3 script to maintain persistence\r\nIf the file is removed or the registry key is deleted by antivirus software, the loader raises a critical error (BSOD: Blue Screen Of Death). The BSOD is triggered by a call to NtRaiseHardError with the ErrorCode value 0xC0000350, which corresponds to STATUS_HOST_DOWN.\r\nOf note, this feature was announced earlier this year on a top-tier cybercrime forum by “RastaFarEye” (the presumed DarkGate author).\r\nFigure 10. DarkGate advertisement on the XSS forum, announcing its BSOD feature\r\nDefense evasion\r\nUnion API – calling the native API through direct syscalls\r\nThe DarkGate developer most likely borrowed a technique described in a Malaysian (CyberCoding) article from 2012, itself a copy of a GameDeception[.]net post; that site has been down since 2013. Anti-virus (AV) solutions often hook calls to ntdll to identify potentially malicious behaviour. 
This section covers the technique dubbed “Union API” in the CyberCoding article and used by DarkGate.\r\nThe technique first retrieves the base address of ntdll by walking the PEB (Process Environment Block), specifically its InMemoryOrderModuleList, and comparing a hash of each module name against 0x240C0388, the Adler-32 hash of the ntdll name. Once the module is found, its content is copied, section by section, into newly allocated memory, which gives the loader a private copy of ntdll free of any user-mode hooks.\r\nFigure 11. Union-API lazy loading of the DLL\r\nThe loader then selects how the syscall must be invoked depending on the CPU architecture. The 32-bit loader works on both architectures: it configures a redirect stub according to the detected architecture. Under WOW64 (x64 host) it goes through the WOW64 transition gate stored in the WOW32Reserved field of the TEB (fs:[0xC0]):\r\nlea edx, [esp + argX]\r\ncall large dword ptr fs:0C0h\r\nwhile on native x86 it uses:\r\n__asm { sysenter }\r\nEach syscall has its own number of parameters. The calling function pushes an array of parameters and invokes the unioned API function with that array and the number of parameters (fixed by the caller). The number of parameters selects, in a switch/case, the dispatch stub that calls the ntdll API with the correct number of arguments. E.g.:\r\nApiCall32(“NtfunctionName”, [1, 2, 3], 3)\r\nFigure 12. Switch case used to invoke the matching version of the ntdll API call\r\nThe parameters are pushed on the stack before the syscall stub is called, and the syscall number is moved into the EAX register.\r\nTo get the syscall number corresponding to the requested ntdll function name, the module loops over IMAGE_DIRECTORY_EXPORT-\u003eAddressOfNames, hashing each exported name until it matches the requested hash, and then uses the matching entry of IMAGE_DIRECTORY_EXPORT-\u003eAddressOfNameOrdinals to reach the export and its syscall number.\r\nFigure 13. Get syscall number\r\nHere is an example of the code used by DarkGate to write executable code into another process memory using the union API:\r\nFigure 14. Example of callee function using the union API technique\r\nThe malware author(s) use this technique together with code obfuscation to make the analysis and detection of the malicious code even more challenging.\r\nDynamic API resolution\r\nLike many other malware families, DarkGate uses dynamic API resolution:\r\n1. Dynamic loading: the external libraries or APIs are loaded into the program’s memory at run time.\r\n2. Function pointers: to reach functions inside dynamically loaded libraries, the malware uses function pointers, i.e. variables holding the memory address of a function within the loaded library, which are assigned and invoked at run time.\r\nEach time DarkGate calls a function from a DLL that is usually monitored by AV, it resolves the function at run time with GetProcAddress from kernel32.dll. The function takes the name of the function to resolve (decoded from its base64 form with the first alphabet) and returns the address of the desired function, which is assigned to a function pointer. The function pointer is invoked right after being assigned, with the caller’s parameters.\r\nFigure 15. Example of code calling a DLL function using dynamic API resolution\r\n1. The caller passes the parameters of the function to resolve, then the function decodes the function name (base64 with the custom alphabet).\r\n2. Uses GetProcAddress from kernel32.dll to get the address (type FARPROC) of the function.\r\n3. 
Calls the function pointer with the parameters pushed by the caller function.\r\nToken thief via UpdateProcThreadAttribute\r\nMany security solutions based on behaviour analytics rely on detection rules built on the parent-child process relationship. As part of its MaaS kit, DarkGate lets its customers spoof a chosen parent process identifier when executing cmd.exe.\r\nThe PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute (set with UpdateProcThreadAttribute, available since Windows Vista / Windows Server 2008) lets a program specify a parent process handle when creating a new process. Its legitimate purpose is to let the child inherit handles and other characteristics from a chosen process (for instance when creating child processes in job objects); since the new process is then reported as a child of that process, the same attribute is abused for parent PID spoofing.\r\nFigure 16. Code used by DarkGate to exploit the parent PID spoofing technique\r\nBeyond spoofing the parent PID, the technique implemented here also lets an attacker elevate its privileges: when the chosen parent is a process running as NT\\SYSTEM, the new process inherits its token, so a local administrator can obtain SYSTEM privileges.\r\nIn addition to privilege escalation via the token thief, the code in Figure 16 is used to execute a payload in the process memory using NtCreateThreadEx through the Union API.\r\nOf note, this technique is detailed in the “APT techniques: Token thief via UpdateProcThreadAttribute” article written by Cocomelonc.\r\nLOLBAS DLL loading\r\nExtexport.exe is a legitimate Microsoft binary found on some Windows systems (it ships with Internet Explorer, under C:\\Program Files\\Internet Explorer) and is listed in the LOLBAS (Living Off the Land Binaries and Scripts) project. 
The binary can be used to load DLLs located in the c:\\test\\ directory without explicitly importing or executing them. For the loading to occur, the DLL file must have one of the following names: sqlite3.dll, mozcrt19.dll, mozsqlite3.dll. Extexport is thus a valuable tool for attackers looking to fly under the radar.\r\nFigure 17. Function that searches for extexport.exe to silently load the attacker’s DLL\r\nDarkGate combines this DLL side-loading with the token thief via UpdateProcThreadAttribute described in the previous section to get its DLL executed with elevated privileges.\r\nAPC injection via NtTestAlert\r\nTo reduce its footprint on the system and evade detection, the loader uses APC (Asynchronous Procedure Call) injection triggered through the NtTestAlert function of ntdll. The technique executes arbitrary code within the address space of another process.\r\nAn Asynchronous Procedure Call is a function that runs asynchronously in the context of a specific thread; it is a way to queue a function for execution in the context of another thread.\r\nFor APC queuing, the NtQueueApcThread system call is commonly used to insert an APC into a target thread. It lets the caller specify the target thread handle and the address of the function (the APC) to be executed in that thread’s context.\r\nTo perform the injection, the attacker first allocates memory in the target process and writes the payload (here a cmd.exe command line) into it. It then calls NtQueueApcThread to queue the address of this memory as an APC on the target thread. To trigger the execution of the injected code, the attacker relies on a mechanism that makes the target thread process its pending APCs. 
While there are several methods to achieve this, DarkGate uses NtTestAlert.\r\nFigure 18. Function used to create a process in SUSPENDED state\r\nAs highlighted in the figure above, a new process is created in a suspended state and an APC pointing at the payload is queued on its thread. To have the thread execute cmd.exe, the loader then invokes the NtTestAlert syscall, which causes pending APCs to be delivered.\r\nFigure 19. Code used to create the APC queue and call NtTestAlert to start the SUSPENDED process\r\nThe following C++ proof of concept mirrors the DarkGate code and reproduces the parent PID spoofing part of the token thief technique:\r\nFigure 20. Example of the PoC to spoof the parent PID as part of the token thief technique\r\nMore details and a proof of concept of this technique are available in the article “APC injection via NtTestAlert. Simple C++ malware”.\r\nThis technique is used by the malware to inject a payload into another process memory, where the payload can be a PE or a command line.\r\nEnvironment detection\r\nLike other malware, DarkGate has environment detection capabilities and attempts to detect numerous artefacts on the infected host.\r\nThe loader looks at physical resources such as the RAM size, the number of CPUs and the type of graphics card (e.g. is the card virtualized: VMware, Microsoft Hyper-V?). It also verifies that no security solution is installed on the victim’s machine by looking at the running processes (uiseagnt.exe, superantispyware.exe, etc.) and at the installation paths of anti-virus products (e.g. C:\\Program Files\\Malwarebytes, C:\\ProgramData\\Kaspersky Lab, etc.).\r\nFigure 21. Checking whether the graphics card is a virtual one\r\nThe list of paths and binaries checked by DarkGate is provided in our GitHub repository.\r\nCommand and Control\r\nThe communication with the attacker’s server is made over HTTP, with obfuscated messages. The bot sends HTTP POST requests whose body is an HTML form.\r\nThe first version of DarkGate observed in the wild communicated with its C2 on port 2351 (defined in the configuration) and 9999 (hardcoded in the binary). This changed recently: DarkGate customers can now add an alternative C2 (the second one, on 9999), as highlighted in this Tria.ge execution: 231025-ys84bsfb32.\r\nFigure 22. Extract of DarkGate communication\r\nThe structure of the form data messages is the following:\r\nForm item – Description\r\nid – Bot identifier generated at infection time\r\ndata – Raw message (not always obfuscated)\r\nact – Action identifier\r\nTable 1. Structure of the form data message\r\nAs introduced in the section “Data obfuscation”, the “data” form field is almost always obfuscated: it is the base64 encoding (with the second alphabet) of the XORed data, the XOR key being built from the bot identifier. For further investigation, Sekoia.io provides a script to deobfuscate the communication:\r\nSEKOIA-IO/Community – DarkGate/scripts/DarkGate-C2-communication-deobfuscator.py\r\nBased on the reverse engineering, we centralised in a table (Annex X) the action identifiers and the type of action executed by the malware. It is worth mentioning that our investigation did not cover the entire action ID range.\r\nFor particular action IDs, DarkGate’s communication with the C2 departs from its standard obfuscation method (base64 + XOR) and uses three layers:\r\n1. Base64 encoding (second alphabet) (see CyberChef recipe in Figure 23)\r\n2. Zlib compression\r\n3. The decompressed data is a pseudo-map whose keys are integers and whose values are again base64 encoded with the second alphabet (see CyberChef recipe in Figure 24)\r\nFigure 23. CyberChef recipe to decode and decompress (Zlib) a C2 message\r\nFigure 24. CyberChef recipe to deobfuscate the decoded message of Figure 23\r\nIn the decoded C2 data, some values are represented as hexadecimal wide strings (for example for action ID 3500).\r\nA correspondence table between action IDs and their effect on the infected host is available here.\r\nHunting for artefacts on an infected host\r\nDue to its extensive range of functionalities, DarkGate leaves a multitude of artefacts on the infected host that are helpful for post-compromise hunting, such as registry keys, log and debug files.\r\nThe temporary directory is frequently used to drop files (PE, DLL) but also text, log and debug files. Here is the list of files to look for when hunting for DarkGate infection traces:\r\nC:\\temp\\tskm\r\nC:\\temp\\id.txt\r\nC:\\darkgateminertest\r\nC:\\temp\\testgpudec.txt\r\nC:\\temp\\etc.txt\r\nC:\\temp\\xmr.txt\r\nC:\\temp\\a\r\nc:\\temp\\PsExec.exe\r\nC:\\temp\\anydesk.exe\r\nC:\\temp\\rdpwrap.ini\r\nC:\\temp\\test.rdp\r\nC:\\debug\\data.bin\r\nC:\\test\\sqlite.dll\r\nC:\\test\\mozcrt19.dll\r\nC:\\test\\mozsqlite3.dll\r\nTo support some of its functionalities, DarkGate overwrites the following files on the machine:\r\nC:\\Users\\SafeMode\\AppData\\Roaming\\AnysDesk\\system.conf\r\nC:\\Users\\\u003ccreated user\u003e\\AppData\\Roaming\\AnysDesk\\system.conf\r\nWhile in the earliest versions the loader created the user SafeMode, in the more recent ones the attacker can define a custom username. 
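The message handling described in the “Message obfuscations” and “Command and Control” sections above can be exercised end to end with the following Python script. It is an added example written for this page; it is not DarkGate code, not Sekoia’s deobfuscator and not the DCSO CyTec tooling. It assumes placeholder alphabets (ALPHABET_1, ALPHABET_2 and the 16-character NIBBLE_TABLE: the real values are only shown in Figure 2 and in the DCSO CyTec report, so swap in the ones extracted from a sample), a nibble-wise lookup for custom_encode (high nibble then low nibble of each MD5 byte), and a key=value line layout for the integer pseudo-map of the zlib variant, which the text does not specify. The bot ID inputs and the messages built in the demo are constructed for the example.

```python
import base64
import hashlib
import zlib

STD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

# Placeholder alphabets (assumption): the real DarkGate alphabets are shown
# only in Figure 2, so replace these with the values extracted from a sample.
ALPHABET_1 = STD_ALPHABET[::-1]                      # config and strings
ALPHABET_2 = STD_ALPHABET[32:] + STD_ALPHABET[:32]   # C2 URLs and messages
# Placeholder 16-character table (assumption) for the nibble-wise encoding of
# MD5 digests described in the DCSO CyTec report.
NIBBLE_TABLE = 'zyxwvutsrqponmlk'


def custom_b64decode(text, alphabet):
    # Map the custom alphabet back onto the standard one, restore the padding
    # and let the standard decoder do the work.
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += '=' * (-len(std) % 4)
    return base64.b64decode(std)


def custom_b64encode(data, alphabet):
    std = base64.b64encode(data).decode('ascii').rstrip('=')
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def custom_encode(digest):
    # Nibble-wise lookup (assumption): every byte becomes two table characters.
    return ''.join(NIBBLE_TABLE[b >> 4] + NIBBLE_TABLE[b & 0xF] for b in digest)


def bot_id(product_id, processor, user, computer):
    # bot_id = custom_encode(MD5(product_id + processor + user + computer))
    digest = hashlib.md5((product_id + processor + user + computer).encode()).digest()
    return custom_encode(digest)


def aes_key(botid, internal_mutex):
    # aes_key = custom_encode(MD5('mainhw' + bot_id + internal_mutex))[:7].lower()
    digest2 = hashlib.md5(('mainhw' + botid + internal_mutex).encode()).digest()
    return custom_encode(digest2)[:7].lower()


def xor_key(botid):
    # Seed with the bot ID length, then fold every character in with XOR.
    key = len(botid)
    for ch in botid:
        key ^= ord(ch)
    return key & 0xFF


def deobfuscate_message(data_field, botid, alphabet=ALPHABET_2):
    # Standard C2 payload: base64 (second alphabet) of single-byte-XORed data.
    key = xor_key(botid)
    return bytes(b ^ key for b in custom_b64decode(data_field, alphabet))


def obfuscate_message(plain, botid, alphabet=ALPHABET_2):
    # Inverse of deobfuscate_message, used here to build sample traffic.
    key = xor_key(botid)
    return custom_b64encode(bytes(b ^ key for b in plain), alphabet)


def decode_compressed_message(data_field, alphabet=ALPHABET_2):
    # Variant for some action IDs: base64 (second alphabet) -> zlib -> pseudo-map
    # of integer keys to values that are again base64 with the second alphabet.
    # The key=value line layout of the map is an assumption.
    blob = zlib.decompress(custom_b64decode(data_field, alphabet)).decode('ascii')
    result = {}
    for line in blob.split(chr(10)):
        if line:
            k, v = line.split('=', 1)
            result[int(k)] = custom_b64decode(v, alphabet)
    return result


def build_compressed_message(mapping, alphabet=ALPHABET_2):
    # Inverse of decode_compressed_message, used to construct sample traffic.
    lines = [str(k) + '=' + custom_b64encode(v, alphabet) for k, v in mapping.items()]
    return custom_b64encode(zlib.compress(chr(10).join(lines).encode('ascii')), alphabet)


def decode_wide_hex(hex_text):
    # Some decoded values are UTF-16LE strings in hex, e.g. Program Manager.
    return bytes.fromhex(hex_text).decode('utf-16-le')


if __name__ == '__main__':
    # Constructed inputs: no real product ID, host or traffic is used here.
    bid = bot_id('00330-80000-00000-AA123', 'Intel64 Family 6', 'alice', 'WS01')
    print('bot id  :', bid, 'xor key:', hex(xor_key(bid)), 'aes key:', aes_key(bid, 'mutex1'))
    sample = obfuscate_message(b'Program Manager|1.2.3.4', bid)
    print('decoded :', deobfuscate_message(sample, bid))
    packed = build_compressed_message({1: b'first', 2: b'second'})
    print('map     :', decode_compressed_message(packed))
    print('wide hex:', decode_wide_hex('500072006F006700720061006D0020004D0061006E006100670065007200'))
```

Translating the custom alphabet onto the standard one and reusing the stock base64 decoder keeps the decoder independent of the exact alphabet: once the two alphabets are read out of a sample (Figure 2), only the two constants change. The round-trip helpers (obfuscate_message, build_compressed_message) are there so the decoder can be checked against traffic built offline before it is pointed at a real capture.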
\r\nModified registry keys:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\r\nHKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\DisableRemoteDesktopAntiAlias\r\nHKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\DisableSecuritySettings\r\nHKCU:\\Software\\Microsoft\\Terminal Server Client\\AuthenticationLevelOverride\r\nRead registry keys:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber\r\nHKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName\r\nHKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDVersion\r\nFinal words\r\nWe assess with high confidence that the threat actors behind DarkGate have advanced skills in malware development. However, some parts of their project rely on techniques whose proofs of concept are available in open source (e.g. the Cocomelonc blog post series on malware development).\r\nFurthermore, instead of developing its own modules for remote access or credential stealing, the malware uses legitimate tools (hVNC binary, NirSoft toolset) that are well detected by security solutions. Nevertheless, the wide range of techniques used makes DarkGate unique within the cybercrime landscape. It is also profitable from a threat actor’s perspective, regardless of their sophistication (e.g. TA577) and their objectives.\r\nAfter examining the various DarkGate stages (the AutoIt script, its shellcode and its core), it becomes evident that DarkGate represents a significant threat. Consequently, it is imperative to maintain continuous tracking and monitoring of DarkGate in both the short and long term.\r\nFinally, the analysis of the loader detailed in this report is not exhaustive. 
The sections of this article related to the execution of piding.exe and to the inter-process communication via SendMessage are incomplete, mainly due to the absence, within our surveilled perimeter, of complete infection cases involving these functionalities.\r\nResources\r\nhttps://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/\r\nhttps://medium.com/@DCSO_CyTec/shortandmalicious-darkgate-d9102a457232\r\nhttps://github.security.telekom.com/2023/08/darkgate-loader.html\r\nhttps://github.com/telekom-security/malware_analysis/blob/main/darkgate/extractor.py\r\nhttps://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams\r\nhttps://gist.github.com/Hanan-Natan/98d9740db4e8482b222187267062c950\r\nhttps://cocomelonc.github.io/tutorial/2022/10/28/token-theft-2.html\r\nhttps://cocomelonc.github.io/tutorial/2021/11/20/malware-injection-4.html#nttestalert\r\nhttps://labs.withsecure.com/publications/darkgate-malware-campaign\r\nhttps://github.com/esThreatIntelligence/RussianPanda_tools/blob/main/darkgate_config_extractor_2.py\r\nMITRE ATT\u0026CK TTPs\r\nTactic – Technique\r\nResource Development – T1608.002 – Stage Capabilities: Upload Tool\r\nExecution – T1059.001 – Command and Scripting Interpreter: PowerShell\r\nExecution – T1059.003 – Command and Scripting Interpreter: Windows Command Shell\r\nExecution – T1106 – Native API\r\nPersistence – T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nPrivilege Escalation – T1548.002 – Bypass User Account Control\r\nPrivilege Escalation – T1055.004 – Process Injection: Asynchronous Procedure Call\r\nPrivilege Escalation – T1134 – Access Token Manipulation\r\nDefense Evasion – T1134.004 – Parent PID Spoofing\r\nDefense Evasion – T1027 – Obfuscated Files or Information\r\nDefense Evasion – T1027.007 – Obfuscated Files or Information: Dynamic API Resolution\r\nDefense Evasion – T1027.009 – Obfuscated Files or Information: Embedded Payloads\r\nDefense Evasion – T1070.004 – Indicator Removal: File Deletion\r\nDefense Evasion – T1112 – Modify Registry\r\nDefense Evasion – T1140 – Deobfuscate/Decode Files or Information\r\nDefense Evasion – T1620 – Reflective Code Loading\r\nCommand and Control – T1071.001 – Web Protocols\r\nCommand and Control – T1090.001 – Internal Proxy\r\nCommand and Control – T1104 – Multi-Stage Channels\r\nCommand and Control – T1105 – Ingress Tool Transfer\r\nCommand and Control – T1132.002 – Non-Standard Encoding\r\nCommand and Control – T1219 – Remote Access Software\r\nCommand and Control – T1571 – Non-Standard Port\r\nDiscovery – T1010 – Application Window Discovery\r\nDiscovery – T1057 – Process Discovery\r\nDiscovery – T1082 – System Information Discovery\r\nDiscovery – T1083 – File and Directory Discovery\r\nDiscovery – T1217 – Browser Information Discovery\r\nCollection – T1056.001 – Keylogging\r\nTable 2. MITRE ATT\u0026CK TTPs\r\nThank you for reading this blog post. We welcome any reaction, feedback or criticism about this analysis. Please contact us at tdr[at]sekoia.io.\r\nSource: https://blog.sekoia.io/darkgate-internals/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/darkgate-internals/"
	],
	"report_names": [
		"darkgate-internals"
	],
	"threat_actors": [
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434671,
	"ts_updated_at": 1775792010,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/502e65a962ee695298b19d6b46959953ce6c72ca.pdf",
		"text": "https://archive.orkl.eu/502e65a962ee695298b19d6b46959953ce6c72ca.txt",
		"img": "https://archive.orkl.eu/502e65a962ee695298b19d6b46959953ce6c72ca.jpg"
	}
}