{ "id": "21e650ab-a4f4-4ac8-934b-f7b3d04f94da", "created_at": "2026-04-06T00:11:22.16396Z", "updated_at": "2026-04-10T03:37:09.32908Z", "deleted_at": null, "sha1_hash": "5eeb4142f7c883b08d45f785e872199ca33189ea", "title": "Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2749840, "plain_text": "Enter The DarkGate - New Cryptocurrency Mining and\r\nRansomware Campaign\r\nBy Adi Zeligson and Rotem Kerner\r\nPublished: 2018-11-13 · Archived: 2026-04-05 23:05:52 UTC\r\nThreat Analysis: This blog originally appeared on the enSilo website and is republished here for threat research purposes. enSilo\r\nwas acquired by Fortinet in October 2019.\r\nSummary of the Malware Campaign\r\nRecently, enSilo researcher Adi Zeligson - now part of the FortiGuard Labs research team -  discovered a never-before-detected, highly sophisticated malware campaign named DarkGate. Targeting Windows workstations and\r\nsupported by a reactive Command and Control system, DarkGate malware is spread through torrent files. When\r\nexecuted by the user, DarkGate malware is capable of avoiding detection by several AV products, and of executing\r\nmultiple payloads including cryptocurrency mining, crypto stealing, ransomware, and the ability to remotely take\r\ncontrol of the endpoint. \r\nThe critical elements of the DarkGate malware are that it:\r\nLeverages a C\u0026C infrastructure cloaked in legitimate DNS records from legitimate services, including\r\nAkamai CDN and AWS, which helps it avoid reputation-based detection techniques\r\nUses multiple methods for avoiding detection by traditional AV using vendor-specific checks and actions,\r\nincluding the use of the process hollowing technique\r\nHas the ability to evade the elimination of critical files by several known recovery tools\r\nUses two distinct User Account Control (UAC) bypass techniques to escalate privileges\r\nIs capable of detonating multiple payloads with capabilities that include cryptocurrency mining, crypto\r\nstealing (theft of credentials associated with crypto wallets), ransomware, and remote control\r\nThe technical analysis of the DarkGate malware that follows demonstrates how advanced malware can avoid\r\ndetection by traditional AV products and highlights the importance of the post-infection protection capabilities of\r\nthe enSilo Endpoint Security Platform.\r\nTechnical Analysis\r\nNamed DarkGate by the author, the malware seeks to infect targets across Europe, particularly in Spain and\r\nFrance. DarkGate has several capabilities, including crypto mining, stealing credentials from crypto wallets\r\n(crypto stealing), ransomware, and remote access and control.\r\nenSilo observed that the author behind this malware established a reactive Command and Control infrastructure\r\nthat is staffed by human operators who act upon receiving notifications of new infections with crypto wallets.\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 1 of 22\n\nWhen the operator detects any interesting activity by one of the malware, they then proceed to install a custom\r\nremote access tool on the machine for manual operations.\r\nAs part of our normal research activities, we occasionally perform a controlled infection of what seems to be a\r\nlegitimate user endpoint. The controlled infection is performed in order to investigate several aspects of the\r\nmalware, as well as the reactivity of the malware operator. For example, in one of these encounters our research\r\nteam was able to determine that the operator detected our activity and immediately responded to our activity by\r\ninfecting the test machine with a customized piece of ransomware.\r\nIt appears that the author behind this malware invested significant time and effort into remaining undetected by\r\nleveraging multiple evasion techniques. One of the techniques used is a user-mode hooks bypass that enabled the\r\nmalware to evade identification by various AV solutions for an extended period of time.\r\nThe enSilo research team tracked “DarkGate” and its variants, and discovered that most AV vendors failed to\r\ndetect it. It was this discovery that led us to start investigating the unique characteristics of the malware, which are\r\ndescribed in the Technical Analysis section. It is clear that DarkGate is under constant development as it is being\r\nimproved with every new variant.\r\nFurther investigation is required to determine the ultimate motivations behind the malware. While cryptocurrency\r\nmining, crypto stealing, and ransomware capabilities suggest the goal is financial gain, it’s not clear if the author\r\nhas another motive.\r\nFamily Ties\r\nWithin DarkGate, we were able to identify ties to a previously detected password stealer malware called Golroted.\r\nThe Golroted malware is notable because of its use of the Nt* API calls for performing process hollowing.\r\nAdditionally, Golroted used a second technique, UAC bypass, based on a schedule task called SilentCleanup.\r\nDarkGate utilizes both of these techniques.\r\nAfter performing a binary diff between Golroted and DarkGate, we discovered a significant amount of\r\noverlapping code. As shown in Figure 1, both malware variants perform the process hollowing method on the\r\nprocess vbc.exe. However, DarkGate contains a slightly modified version of the process hollowing function.\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 2 of 22\n\nFIGURE 1: BINARY DIFF BETWEEN GOLRATED AND DARKGATE\r\nInfection Tactics and Methods\r\nWe identified two distinct infection methods employed by the author of DarkGate, as well as the author of\r\nGolroted. Both infection methods are spread through Torrent files posing as a popular movie and a television\r\nseries that then execute VBscript on the victim. \r\nThe second file, the-walking-dead-9-5-hdtv-720p.torrent.vbe, uses a more trivial approach to infecting victims. It\r\ndistributes emails containing malicious attachments from a spoofed address. An example of this is shown in\r\nFigure 3.\r\nFIGURE 2: SCREEN CAPTURE OF TORRENT FILES\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 3 of 22\n\nFIGURE 3: EXAMPLE OF EMAIL DISTRIBUTED BY THE-WALKING-DEAD-9-5-HDTV-720P.TORRENT.VBE\r\nFour Stages of Unpacking DarkGate Malware\r\nOne of the unique techniques used by the DarkGate malware lies within its multi-stage unpacking method. The\r\nfirst file executed is an obfuscated VBScript file, which functions as a dropper and performs several actions. In the\r\nfirst stage, several files are dropped into a hidden folder “C:\\{computername}”. The files are autoit3.exe, which in\r\nsome versions is disguised with a random name: test.au3, pe.bin and shell.txt. Next, test.au3 AutoIt script is\r\nexecuted using the dropped instance of autoit3.exe.\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 4 of 22\n\nFIGURE 4: THE DE-OBFUSCATED VBS\r\nIn the second phase, the AutoIt code creates a shortcut of itself with the name “bill.ink” under the startup folder.\r\nOnce completed, it triggers a third stage in which the binary code stored in the file “C:\\{computername}\\shell.txt”\r\nis decrypted and then executed. The AutoIt script uses a rather unusual technique for executing the binary code.\r\nThe steps involved in the technique are:\r\nLoads the binary code from shell.txt into the process memory\r\nCopies the data into an executable memory space (DLLStructCreate and DllStructSetData)\r\nInvokes CallWindowProc with reference to our binary code as the lpPrevWndFunc parameter\r\nFIGURE 5: THE DE-OBFUSCATED AUTOIT SCRIPT\r\nFinally, in the fourth and final stage of the unpacking technique, the binary code originally loaded from shell.txt\r\nperforms the followings actions:\r\nSearches for the executable file, which is also the name of an executable found in Kaspersky AV.\r\nReads the dropped file “pe.bin” and decrypts it.\r\nUses process hollowing to inject the decrypted code from pe.bin into the process “vbc.exe”.\r\nWe discovered that if DarkGate detects the presence of Kaspersky AV, it loads the malware as part of the shellcode\r\nrather than using the process hollowing method. The decrypted pe.bin file is the core of DarkGate. The core is\r\nresponsible for its communication with the C\u0026C (Command and Control) server and for executing commands\r\nreceived from it.\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 5 of 22\n\nLet’s summarize this four-stage unpacking technique \r\n1. The initial dropper code is delivered using VBScript, which drops all the relevant files:\r\nautoit3.exe\r\ntest.au3\r\npe.bin\r\nshell.txt\r\nautoit3.exe\r\ntest.au3\r\npe.bin\r\nshell.txt\r\nautoit3.exe\r\nautoit3.exe\r\nautoit3.exe\r\ntest.au3\r\npe.bin\r\nshell.txt \r\nautoit3.exe\r\ntest.au3\r\npe.bin\r\nshell.txt\r\nOnce, delivered it then runs the AutoIt script. \r\n2. The AutoIt script runs using the AutoIt interpreter, which decrypts the binary code and loads it into memory.\r\n3. The binary code then executes and attempts to avoid detection by Kaspersky AV.\r\n4. The final binary is decrypted and executed.\r\nFIGURE 6: THE FOUR STAGES OF THE UNPACKING TECHNIQUE\r\n \r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 6 of 22\n\nThe final binary copies all files from “C:\\{computer_name} “ to a new folder under “C:\\Program data” with the\r\nname derived from the first eight digits of the user generated id (ID2 - explained later on).\r\nThe final binary installs a key in the registry designed to help it maintain persistency under the key:\r\n“\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”.\r\nThe key name is the first eight digits of the user-generated id, and the value is the AutoIt script that was copied\r\nfrom C:\\{computer_name} to the “program data” folder, as shown below in Figure 7:\r\nFIGURE 7: EXAMPLE OF REGISTRY KEY USED TO ESTABLISH PERSISTENCY\r\nCryptocurrency Mining\r\nThe first connection the malware makes to the C\u0026C server is to get the file it needs to start the cryptocurrency\r\nmining process. \r\nFIGURE 8: RETRIEVING THE FILE\r\nAs shown in Figure 9, the command “startminer” is sent as part of the response in order to tell the malware to start\r\nmining and to separate the different parts of the message. The first part is encrypted into config.bin - that is the\r\nminer command line. The second part is written in cpu.bin, and when decrypted is the miner executable. The\r\nmining itself is done through the process “systeminfo.exe” by using process hollowing.\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 7 of 22\n\nFIGURE 9: RETRIEVING THE CRYPTO MINER PAYLOAD\r\nStealing Crypto Wallet Credentials\r\nAnother capability of the malware is that it can search for, and steal, credentials for crypto wallets. The malware\r\nlooks for specific strings in the names of windows in the foreground that are related to different kinds of crypto\r\nwallets, and if a matching string is found, sends the server an appropriate message.\r\nThe following table contains the list of targeted wallet website/applications:\r\nSTING SEARCH  TARGET \r\nsign-in / hitbtc https://hitbtc.com/\r\nbinance - log in https://www.binance.com/login.html\r\nlitebit.eu - login https://www.litebit.eu/en/login\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 8 of 22\n\nbinance - iniciar sesi https://www.binance.com/login.html\r\ncryptopia - login https://www.cryptopia.co.nz/Login\r\nuser login - zb spot exchange\r\nsign in | coinEx https://www.coinex.com/account/signin?lang=en_US\r\nelectrum https://electrum.org/#home\r\nbittrex.com - input https://international.bittrex.com/\r\nexchange - balances\r\neth) - log in\r\nblockchain wallet https://www.blockchain.com/wallet\r\nbitcoin core https://bitcoincore.org/\r\nkucoin https://www.kucoin.com/#/\r\nmetamask https://metamask.io/\r\nfactores-Binance\r\nlitecoin core https://litecoin.org/\r\nmyether https://www.myetherwallet.com/\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 9 of 22\n\nTABLE 1: TARGET CRYPTO WALLETS AND STRING VALUES \r\nCommand and Control\r\nJudging from what we’ve seen so far, it seems like the author of DarkGate leveraged sophisticated techniques to\r\navoid detection both by endpoint and network security products.\r\nThe malware contains six hard-coded domains, shown below, which it attempts to communicate with upon\r\ninfection. It looks like the domains are chosen carefully to disguise the C\u0026C server as a known legitimate service,\r\nsuch as Akamai CDN or AWS, and avoids looking suspicious to anyone who may be monitoring the network\r\ntraffic.\r\nakamai.la\r\nhardwarenet.cc\r\nec2-14-122-45-127.compute-1.amazonaws.cdnprivate.tel\r\nawsamazon.cc\r\nbattlenet.la\r\na40-77-229-13.deploy.static.akamaitechnologies.pw\r\nAdditionally, it seems the author has employed another trick by using NS records that look like legitimate rDNS\r\nrecords from Akamai or Amazon. The idea behind using rDNS is that they’re overlooked and easily dismissed by\r\nanyone monitoring network traffic.\r\nTwo Methods Used To Avoid Detection\r\nIt appears what the author of DarkGate fears most is detection by AV software. They have invested significant\r\neffort in anti-VM and user validation techniques, rather than anti-debugging measures. \r\nANTI-VM: Machine Resources Checkup\r\nThe first method used by DarkGate to avoid detection by AV software is to determine if the malware has landed\r\ninside a sandbox/virtual machine. Based on the tactics used, we believe the author assumes sandbox/virtual\r\nmachines (VMs) are generally low on resources, which is generally correct since sandboxes are optimized to\r\ncontain the coexistence of as many VMs as possible.\r\nIn Figure 10, we can see the use of Delphi’s Sysutils::DiskSize and GlobalMemoryStatusEx for collecting both\r\ndisk size and physical memory. If the machine contains less than 101GB of disk space, or has an amount of RAM\r\nless than or equal to 4GB, it will be considered as a VM and the malware will automatically terminate.\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 10 of 22\n\nFIGURE 10: CHECKING THE MACHINE DISK AND RAM\r\nANTI-AV\r\nDarkGate attempts to detect if any of the AV solutions listed in Table 2 are present on an infected machine. For\r\nmost of the AV solutions, if the malware detects any of these AV solutions, it will just notify the server – with the\r\nexception of IOBit, TrendMicro, or Kaspersky .\r\nPROCESS NAME SOLUTION\r\nastui.exe  Avast\r\n avpui.exe  Kaspersky\r\navgui.exe AVG\r\n egui.exe Nod32\r\nbdagent  Bitdefender\r\navguard.exe Avira\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 11 of 22\n\nnis.exe Norton\r\nns.exe Norton\r\nnortonsecurity.exe Norton\r\nuiseagnt.exe  Trend Micro\r\nbytefence.exe  ByteFence\r\npsuaconsole.exe  Panda\r\nsdscan.exe Search \u0026 Destroy\r\nmcshield.exe McAfee\r\nmcuicnt.exe McAfee\r\nmpcmdrun.exe Windows Defender\r\nsuperantispyware.exe SUPER AntiSpyware\r\nvkise.exe Comodo\r\nmbam.exe MalwareBytes\r\ncis.exe  Comodo\r\nmsascuil.exe Windows Defender\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 12 of 22\n\nTABLE 2: AV EXECUTABLES SEARCHED FOR BY DARKGATE MALWARE\r\nThe existence of AV solutions from IOBit, TrendMicro, or Kaspersky trigger special conditions:\r\nIOBit: If the path “C:\\\\Program Files (x86)\\\\IObit” exists, the malware is going to try and tackle a process\r\nnamed “monitor.exe” by terminating it. Additionally, it will spawn a new thread that repeatedly looks for\r\nthe process “smBootTime.exe” and terminate the process if it exists.\r\nTrend Micro: If the Trend Micro AV process name is detected, the code will not execute the key logging\r\nthread.\r\nKaspersky: The malware checks multiple times during execution, both during the unpacking process and in\r\nthe malware itself, for the presence of Kaspersky AV. If detected in the final executable, and less than 5\r\nminutes have passed since the machine’s startup, then it won’t initiate the key logging thread and the\r\nupdate thread that is responsible for:\r\nCopying all of the malware-related files to a folder under “C:\\Program Data”.\r\nPerforming the recovery tools check described in the next section.\r\nAnd finally, if detected in the shellcode and more than 4:10 minutes have passed since system startup, it\r\nwill not use the process hollowing technique to execute the final executable, and will instead load and\r\nexecute it directly.\r\nRecovery Tools\r\nThe malware also tries to detect several known recovery tools using the process names listed in Table 3:\r\nPROCESS NAME TARGET \r\nadwcleaner.exe MalwareBytes Adwcleaner\r\nfrst64.exe Farbar Recovery Scan Tool\r\nfrst32.exe Farbar Recovery Scan Tool\r\nfrst86.exe Farbar Recovery Scan Tool\r\nTABLE 3: RECOVERY TOOLS PROCESS NAMES AND TARGETS\r\nIf such a process is found, the malware will initiate a new thread that will reallocate the malware files every 20\r\nseconds, making sure that if the files were deleted during the lifetime of a recovery tool they will be recreated and\r\nrelocated somewhere else.\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 13 of 22\n\nDirect Syscall Invocation    \r\nIn order to hide the use of the process hollowing technique, DarkGate uses a special capability that enables it to\r\ncall kernel mode functions directly. This can potentially help the malware escape any breakpoints set by a\r\ndebugger, as well as evade userland hooks set by the different security products.\r\nHow Does it Work?\r\nWhen using functions from ntdll.dll, a system call is made to the kernel. The way the call is done is different\r\nbetween 32 and 64-bit systems, but they both eventually call the function “KiFastSystemCall”, which is different\r\nfor each architecture. The “KiFastSystemCall” function is used to switch between ring 3 and ring 0. The Darkgate\r\nmalware avoids loading the ntdll.dll functions the proper way, and instead creates its\r\nown “KiFastSystemCall” function that will make the syscall.\r\nDarkGate is a 32-bit process that can become a challenge when running on a 64-bit system due to the differences\r\nbetween the systems when switching to the kernel. In order to use the right “KiFastSystemCall” function for the\r\nprocess, the Darkgate malware checks which architecture it’s running on by searching for the path\r\n“C:\\Windows\\SysWOW64\\ntdll.dll”. If this path exists, it means the process is running on a 64-bit system.\r\nFIGURE 11: ASSIGN THE RIGHT FUNCTION BASED ON THE ARCHITECTURE\r\nIn a 32-bit system, the “KiFastSystemCall” function will look like this:\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 14 of 22\n\nFIGURE 12: 32-BIT SYSTEM KIFASTSYSTEMCALL FUNCTION\r\nIn a 64-bit system, the following code is used to call the “KiFastSystemCall” 64-bit function from a 32-bit\r\nprocess:\r\nFIGURE 13: 64-BIT SYSTEM KIFASTSYSTEMCALL FUNCTION\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 15 of 22\n\nThe offset “fs:0C0h” is a pointer in the TEB (Thread Information Block) to “FastSysCall” in wow64. This pointer\r\npoints to an address in “wow64cpu.dll” that jumps to the 64-bit “KiFastSystemCall” function. The DarkGate\r\nmalware will pass to the assigned function the ntdll requested function syscall number and the needed parameters.\r\nThis way, a kernel function is called without the need to call the function from within ntdll.dll. To conclude, the\r\nDarkGate malware creates its own “KiFastSystemCall” to bypass ntdll.dll.\r\nWe found a similar code that might have been the source of the DarkGate code.\r\nUAC Bypass Capabilities\r\nDarkGate uses two distinct UAC bypass techniques that it uses to try and elevate privileges.\r\nDisk-Clean up Bypass\r\nThe first UAC bypass technique exploits a scheduled task called DiskCleanup. This scheduled task uses the\r\npath %windir%\\system32\\cleanmgr.exe to execute the actual binary. Therefore, the malware overrides\r\nthe %windir% environment variable with the registry key: “HKEY_CURRENT_USER\\Enviroment\\windir” with\r\nan alternative command, which will execute the AutoIt script. This bypass process was covered by Tyranid’s Lair.\r\nFIGURE 14: DISK-CLEANUP UAC BYPASS\r\nEVENTVWR UAC Bypass\r\nAnother UAC bypass exploits the fact that eventvwr.exe, by default, runs in high integrity, and will execute the\r\nmmc.exe binary (Microsoft Management Console). The mmc.exe command is taken from the registry\r\nkey “HKCU\\Software\\Classes\\mscfile\\shell\\open\\command”. This registry key is also writable from a lower\r\nintegrity level, which enables it to execute an AutoIt script in a higher integrity.\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 16 of 22\n\nFIGURE 15: EVENTVWR UAC BYPASS\r\nKeylogging\r\nA thread is started that is responsible for capturing all keyboard events and then logging them to a predefined log\r\nfile. Other than logging the key logs, it also logs the foreground windows and the clipboard. The log is saved with\r\nthe name “current date.log” in the following directory listed below:\r\n“C:\\users\\ {username}\\appdata\\roaming\\{ID1}”.\r\nFIGURE 16: KEYLOG FILE\r\nInformation Stealing\r\nDarkGate uses some of the NirSoft tools in order to steal credentials or information from infected machines. The\r\ntoolset that is used enables it to steal user credentials, browser cookies, browser history, and Skype chats. All tools\r\nare executed using the process hollowing technique into a newly created instance of vbc.exe or regasm.exe.\r\nDarkGate uses the following applications to steal credentials:\r\nMail PassView\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 17 of 22\n\nWebBrowserPassView\r\nChromeCookiesView\r\nIECookiesView\r\nMZCookiesView\r\nBrowsingHistoryView\r\nSkypeLogView\r\nThe resulting data collected from the tools is extracted from the hosting process memory. DarkGate malware first\r\nlooks for the tool’s window by using The FindWindow API function. It then uses the SysListView32 control and\r\nthe sendMessage API function in order to retrieve the information needed from the tool. The retrieval works by\r\nfirst allocating a memory buffer in the hollowed process, as shown in Figure 17.\r\nFIGURE 17: MEMORY ALLOCATION IN HOLLOWED PROCESS\r\nIt will then use the “GetItem” function to make it write the item to the allocated buffer. The “GetItem” function is\r\nused by calling the API function “SendMessage” with the message “LVM_GETITEMA” and the allocated buffer\r\nas a parameter:\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 18 of 22\n\nFIGURE 18: GETITEM MESSAGE AND THE RETRIEVAL OF THE ITEM FROM THE HOLLOWED\r\nPROCESS\r\nAfter the item is written to the allocated buffer, it will then read this memory region to retreive stolen information.\r\nDeleting Restore Points\r\nThe malware has the ability to delete all restore points, including “cmd.exe /c vssadmin delete shadows /for=c: /all\r\n/quiet”\r\nRDP INSTALL\r\nThis command will decrypt and execute the received file, which is probably an rdp connection tool, using the\r\nprocess hollowing method. The hollowed process in this case is a copy of systeminfo.exe in the %temp%\r\ndirectory.\r\nIn addition, the following commands will be executed using cmd.exe:\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 19 of 22\n\nexe /c net user /add SafeMode Darkgate0!\r\nexe /c net localgroup administrators SafeMode /add\r\nexe /c net localgroup administradores SafeMode /add\r\nexe /c net localgroup administrateurs SafeMode /add\r\nIt is interesting to see that the newly created user is added to both the Spanish and French admin groups.\r\nGetbotdata\r\nThe server can request the following details about the victim:\r\nLocale\r\nUser name\r\nComputer name\r\nWindow name\r\nTime, representing the period of time that passed since the last input on the host\r\nProcessor type\r\nDisplay adapter description\r\nRAM amount\r\nOS type and version\r\nIs user admin\r\nThe encrypted content of config.bin\r\nEpoch time\r\nAV type – search by process name. If not found, this field will contain the text “Unknown”.\r\nIn some versions it will also look for the folder “c:\\Program Files\\e-Carte Bleue” (we think that might be the\r\nfolder where DarkGate saves its screenshots). The data is then encrypted and sent to the server. In addition, it\r\ncreates the file Install.txt under the %appdata% path and writes the Epoch time in it.\r\nMalware version\r\nThe port used by the connection \r\nSolutions \r\nThe FortiEDR platform is capable of blocking the threat.\r\nIOCS\r\nDOMAINS \r\nakamai.la\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 20 of 22\n\nhardwarenet.cc\r\nec2-14-122-45-127.compute-1.amazonaws.cdnprivate.tel\r\nawsamazon.cc\r\nbattlenet.la\r\na40-77-229-13.deploy.static.akamaitechnologies.pw\r\nSAMPLE HASHES \r\n3340013b0f00fe0c9e99411f722f8f3f0baf9ae4f40ac78796a6d4d694b46d7b\r\n0c3ef20ede53efbe5eebca50171a589731a17037147102838bdb4a41c33f94e5\r\n3340013b0f00fe0c9e99411f722f8f3f0baf9ae4f40ac78796a6d4d694b46d7b\r\n0c3ef20ede53efbe5eebca50171a589731a17037147102838bdb4a41c33f94e5\r\n52c47a529e4ddd0778dde84b7f54e1aea326d9f8eeb4ba4961a87835a3d29866\r\nb0542a719c6b2fc575915e9e4c58920cf999ba5c3f5345617818a9dc14a378b4\r\ndadd0ec8806d506137889d7f1595b3b5447c1ea30159432b1952fa9551ecfba5\r\nc88eab30fa03c44b567bcb4e659a60ee0fe5d98664816c70e3b6e8d79169cbea\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 21 of 22\n\n2264c2f2c2d5a0d6d62c33cadb848305a8fff81cdd79c4d7560021cfb304a121\r\n3c68facf01aede7bcd8c2aea853324a2e6a0ec8b026d95c7f50a46d77334c2d2\r\na146f84a0179124d96a707f192f4c06c07690e745cffaef521fcda9633766a44\r\nabc35bb943462312437f0c4275b012e8ec03899ab86d353143d92cbefedd7f9d\r\n908f2dfed6c122b46e946fe8839feb9218cb095f180f86c43659448e2f709fc7\r\n3491bc6df27858257db26b913da8c35c83a0e48cf80de701a45a30a30544706d\r\nFind out about the FortiGuard Security Services portfolio and sign up for our weekly FortiGuard Threat Brief.\r\nDiscover how the FortiGuard Security Rating Service provides security audits and best practices to guide\r\ncustomers in designing, implementing, and maintaining the security posture best suited for their organization.\r\nSource: https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nPage 22 of 22", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MITRE" ], "references": [ "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" ], "report_names": [ "enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" ], "threat_actors": [ { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434282, "ts_updated_at": 1775792229, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5eeb4142f7c883b08d45f785e872199ca33189ea.pdf", "text": "https://archive.orkl.eu/5eeb4142f7c883b08d45f785e872199ca33189ea.txt", "img": "https://archive.orkl.eu/5eeb4142f7c883b08d45f785e872199ca33189ea.jpg" } }