{
	"id": "86d1e0ef-eb12-4966-b998-0fde70ee99e1",
	"created_at": "2026-04-06T00:09:57.0816Z",
	"updated_at": "2026-04-10T03:21:49.981096Z",
	"deleted_at": null,
	"sha1_hash": "87f67d091c77b954b4a86e13a1c0189632f4fd9d",
	"title": "DarkVision RAT | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 716598,
	"plain_text": "DarkVision RAT | ThreatLabz\r\nBy Muhammed Irfan V A\r\nPublished: 2024-10-10 · Archived: 2026-04-05 22:23:17 UTC\r\nTechnical Analysis\r\nThe following sections offer a technical analysis of an attack chain used to deploy DarkVision RAT, as well as an\r\nin-depth examination of the RAT itself.\r\nThe figure below illustrates the attack chain for the DarkVision RAT campaign discussed in this blog.\r\nFigure 1: An example attack chain distributing DarkVision RAT as the payload in the final stage.\r\nFirst stage: Shellcode decryption in DarkVision RAT attack\r\nThe initial stage in this attack chain is a .NET executable file, protected using .NET Reactor. Upon execution of\r\nthe .NET file, the first stage runs the following command:\r\ncmd /c timeout 10\r\nAfter the brief 10-second delay, the .NET file moves on to its next phase, where it decrypts the second stage\r\nshellcode.\r\nThe .NET executable uses Triple Data Encryption Standard (3DES) to decrypt the second stage shellcode.\r\nThe key and IV are encoded in Base64 format. The Base64-encoded strings are xwmyVxHV39B5ns41HJtzRQ== for\r\nthe key and SzD5abWvrRk= for the IV. The .NET executable file decodes these strings back into their original\r\nbinary form. The decoded key and IV are then fed into the 3DES algorithm to decrypt the shellcode.\r\nThe decrypted shellcode is written to a block of memory that is made executable using VirtualAlloc\r\nand VirtualProtect. The .NET executable then uses the EnumCalendarInfo API's callback function to execute\r\nthe shellcode, leading to the second stage.\r\nSecond stage: Donut loader\r\nThe decrypted second stage shellcode is the open source Donut loader. This x86 position-independent shellcode is\r\ndesigned to load .NET assemblies directly into memory. 
Donut loader uses the Chaskey block cipher to encrypt its\r\nmodules.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat\r\nPage 1 of 11\n\nWe won’t be covering the specifics of Donut’s loading process, as several excellent write-ups already exist on the\r\ntopic. Instead, to proceed with our analysis, we used Donut Decryptor to extract the third stage payload.\r\nThird stage: Loading DarkVision RAT with PureCrypter\r\nThe third stage of the attack chain is a .NET assembly, identified as PureCrypter, which has been previously\r\nanalyzed by ThreatLabz. The main function of the PureCrypter injector starts by decompressing (gunzip) and\r\ndeserializing an object into a protobuf structure, as shown in the figure below.\r\nFigure 2: PureCrypter protobuf structure.\r\nOne of the key members in this protobuf structure is gr2pwD82LI which contains an element\r\nnamed Uoepndv4TW. This particular element holds the DarkVision RAT payload portable executable (PE) content,\r\nwhich is encrypted using Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode.\r\nAnother important part of the protobuf structure is a member named IUQ99bXImZ, which contains the startup\r\nsettings for DarkVision RAT.\r\nWindows Defender exclusion and persistence tactics in PureCrypter\r\nPureCrypter executes a PowerShell command that has been encoded in Base64 format. When decoded, this\r\ncommand tells PowerShell to add malicious file paths and process names used by the RAT to the list of exclusions\r\nin Windows Defender. 
The example below shows the PowerShell commands used to add Windows Defender\r\nexclusions for malicious file paths and process names used by DarkVision RAT.\r\nAdd-MpPreference -ExclusionPath C:\\yknoahdrv.exe;\r\nAdd-MpPreference -ExclusionProcess yknoahdrv.exe;\r\nAdd-MpPreference -ExclusionPath C:\\Users\\REDACTED\\AppData\\Roaming\\Siguhl.exe; Add-MpPreference -ExclusionProcess\r\nPureCrypter doesn't stop at evading detection, as it also helps DarkVision RAT achieve persistence. PureCrypter\r\nwrites the current file to %APPDATA%\\Sighul.exe and adds persistence for this file as per the protobuf struct by\r\nusing the Auto-run registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run with the name set to\r\nSighul. Then, according to the values in the protobuf struct, the decrypted DarkVision RAT file is injected\r\ninto itself (current process), and execution is transferred to the entry point of DarkVision RAT, leading to the\r\nfourth stage.\r\nFourth stage: Persistence and C\u0026C protocol\r\nDarkVision RAT first dynamically resolves APIs using GetProcAddress and LoadLibrary. The RAT always\r\nreloads the libraries again using LoadLibrary to avoid userland hooks placed by antivirus and endpoint\r\ndetection and response (EDR) software. The API names used by the malware are stored in XOR-encoded form\r\nand are decoded using the XOR key [19 72 19 72]. DarkVision RAT also uses XOR encoding to store\r\nimportant strings. From here, DarkVision RAT starts to parse the command-line arguments.\r\nCommand-line parsing in DarkVision RAT\r\nAfter decoding the necessary strings, DarkVision RAT starts to parse any command-line arguments. The\r\ncommand-line arguments used by the DarkVision RAT are Globally Unique Identifiers (GUIDs). These GUIDs\r\nserve as names in various places such as registry keys, folder names, and file names. 
When investigating other\r\nsamples of DarkVision RAT, we noticed that these GUIDs differ from one sample to another, indicating a level of\r\nrandomness in each instance of the RAT, ensuring these cannot be used to create detection logic for DarkVision\r\nRAT.\r\nHere are two GUIDs and how they were used in this sample:\r\n{B8B1DC5F-E2FC-41FF-A2D1-DB3800909230}:\r\nConditions: The action below is carried out if the user is not a local administrator and the Windows version is\r\ngreater than or equal to 10.\r\nAction: Under these conditions, DarkVision RAT attempts to gain elevated privileges using a technique called\r\nDLL hijacking. DarkVision targets WinSAT.exe, a legitimate Windows process, and DXGI.DLL, a dynamic link\r\nlibrary file, to attempt auto-elevation.\r\n{14C43BB8-A5DF-4F5D-A77A-E8BB32DEE41F}:\r\nConditions: The actions below are carried out if the user is a local administrator and the Windows version is\r\ngreater than or equal to 10.\r\nAction: In this scenario, DarkVision RAT adds an exclusion rule to Windows Defender to avoid detection. The\r\nRAT achieves this by running the command cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath,\r\nwhich tells Windows Defender to ignore the RAT file path.\r\nAdding DarkVision RAT data to the Windows registry\r\nDarkVision RAT creates a registry key under HKEY_CURRENT_USER\\SOFTWARE\\ and adds three values,\r\neach named using a hardcoded GUID. The values stored are the following:\r\n1. RAT file content: The command opcodes 0x2BD and 0x2BE (discussed later) use this value to write the\r\nRAT file to disk.\r\n2. RAT file path: Based on a flag, the RAT deletes the file stored in this file path. This flag is related to\r\ndeleting artifacts.\r\n3. Current system time stored in a FILETIME structure: This value is stored in\r\na FINGERPRINT_INFO1 struct (discussed later) which is sent to the C2 server.\r\nThe figure below shows the data being added to the Windows registry.\r\nFigure 3: DarkVision RAT data added to the Windows registry.\r\nPersistence mechanisms leveraged by DarkVision RAT\r\nDarkVision RAT employs three different methods to ensure persistence on an infected system. Like most of the\r\nfeatures in DarkVision RAT, there are flags for each persistence technique, which store a boolean value that\r\ndecides which persistence mechanism should be used in the sample. Since these flags are hardcoded into the\r\nbinary, we concluded that they are configurable options available to the attacker when a DarkVision RAT sample\r\nis created using a builder.\r\nThe three persistence methods are as follows:\r\nStartup folder - In this method, DarkVision RAT creates a batch script that contains a command to\r\nexecute the RAT executable. After creating this script, DarkVision RAT then creates a shortcut to the batch\r\nscript and places this shortcut in the Windows startup folder.\r\nAutorun keys - Another method DarkVision RAT leverages is autorun keys. DarkVision RAT adds an\r\nentry that points to its executable file in one of the autorun keys located\r\nat Software\\Microsoft\\Windows\\CurrentVersion\\Run. The exact location of this key can be under\r\neither HKEY_CURRENT_USER (for the current user) or HKEY_LOCAL_MACHINE (for the system),\r\ndepending on the flags set within the RAT. 
\r\nTask Scheduler - DarkVision RAT uses the ITaskService COM interface to schedule a task to execute the\r\nmalware.\r\nAfter setting up persistence mechanisms, DarkVision RAT checks if it is currently running from a specific\r\nlocation, namely %APPDATA%\\photos\\System.exe (we refer to %APPDATA%\\photos as the RAT folder and the full\r\npath as the RAT file path moving forward, as this path varies across samples).\r\nIf DarkVision RAT is not running from this designated folder, it copies itself to this path and then uses the newly\r\ncopied file to create a child process. This ensures that the RAT is running from a consistent and expected location.\r\nNext, the RAT creates a new folder in C:\\ProgramData, which we refer to as the plugin parent folder. This folder\r\nis used to store additional encrypted plugins in its subdirectories (discussed later).\r\nProcess injection techniques employed by DarkVision RAT\r\nDarkVision RAT uses the NtCreateSection and NtMapViewOfSection APIs to perform process injection, which\r\nis used in multiple places to perform RAT functionalities. DarkVision RAT creates a remote process in a\r\nsuspended state. The RAT then creates a new memory section, mapping one view of this section to the local\r\nprocess and another view to the remote target process. The view mapped in the local process is populated with a\r\nfunction that the RAT needs to execute. This process is repeated to fill the structure used by the function in another\r\nmapped view. The thread context of the remote process is then modified: the Instruction Pointer (RIP/EIP) is set to\r\nthe function's address, and the first parameter (RCX/ESP+4) is set to the address of the structure. Finally, the\r\nthread is resumed, leading to the execution of the function.\r\nDarkVision RAT communication protocol\r\nOnce executed, DarkVision RAT needs to connect to the C2 server to receive instructions and respond with\r\ninformation. 
The C2 communications use a custom binary protocol. Based on the flags set, the C2 address is\r\nparsed in one of two different ways:\r\nRetrieve the C2 information: The RAT utilizes WinHTTP libraries to connect to a URL stored in plain\r\ntext. The returned data contains the C2 information in the format c2address:port.\r\nHardcoded C2 information: The C2 address and port are stored in plain text within the binary. For\r\nexample, the C2 address embedded in the binary analyzed by ThreatLabz\r\nwas severdops.ddns[.]net:8120.\r\nRegistration\r\nThe first action DarkVision RAT takes is to register itself with the C2 server by sending a unique Bot ID. To create\r\nthis Bot ID, the RAT generates a random GUID and combines it with an MD5 hash of the Unicode\r\nstring \"P@55w0rd!\". This string, \"P@55w0rd!\", is stored in plain text within the RAT’s code and varies across\r\ndifferent samples.\r\nReceiving the acknowledgment (ACK) packet\r\nAfter sending its unique ID, DarkVision RAT waits for a response from the C2 server. The server replies with a\r\nspecific data packet { 01 00 00 00 }. The received data is compared to the value 1, and the RAT will only\r\nproceed with sending the next data if this comparison is successful. This packet functions similarly to an ACK\r\npacket in the TCP protocol, so we will refer to it as an “ACK packet” moving forward. The RAT client then sends\r\nthe data { 00 00 00 00 }, to which the server responds with an ACK packet.\r\nThe figure below shows the network communication between a system infected with DarkVision RAT and the C2\r\nserver.\r\nFigure 4: Network communication between a system infected with DarkVision RAT and the C2 server.\r\nDevice fingerprinting\r\nThe RAT client then performs device fingerprinting and collects system information. This information is sent in\r\ntwo packets. 
Before each packet, the size of the structure is sent, followed by the structure containing the system\r\ninformation. After receiving the first structure, the server sends an ACK packet. Upon receiving the second\r\nstructure, the C2 server sends two ACK packets. The two structures sent are shown below.\r\nstruct FINGERPRINT_INFO1{\r\n uint32_t hardcoded_value; // set to 0x10017\r\n wchar_t botnet_name[40]; // set to AppleX\r\n int32_t is_localadmin; // TRUE = 1 , FALSE = 0\r\n wchar_t pname_followedby_pid[260]; // RAT process name followed by pid %s [%d]\r\n uint32_t hardcoded_value2; // set to 0x40\r\n FILETIME system_time; // current system time\r\n};\r\nstruct FINGERPRINT_INFO2{\r\n uint32_t geocode; // geocode of the victim country\r\n wchar_t computer_name[16]; // victim computer name\r\n wchar_t user_name[258]; // victim username\r\n uint32_t system_ip[54]; // victim h_addr_list in network byte order\r\n int64_t system_uptime; // victim system uptime in milliseconds\r\n ULONG os_info[4]; // victim os info\r\n};\r\nDarkVision RAT then creates a new socket and sends its unique bot ID to the server. The server responds with an\r\nACK packet. The client then sends an ACK packet in return, and the server replies with another ACK packet.\r\nAfter this exchange, the RAT client waits for commands from the C2 server.\r\nCommands supported by DarkVision RAT\r\nThe command's opcode, function address, and other related data are stored as an array of 12 elements (12\r\ncommands). Each element is a struct of size 0x28, which we will refer to as a COMMAND_STRUCT. If the\r\nopcode matches the data received from the server, the corresponding func_address is executed by creating a\r\nthread. 
The COMMAND_STRUCT is shown below.\r\nstruct COMMAND_STRUCT{\r\n uint64_t opcode; // opcode of the command\r\n uint64_t event_handle; // handle of event created when the command is run\r\n uint64_t thread_handle; // handle of thread created which executes func_address\r\n void *func_address; // address of the function to be executed\r\n uint64_t socket; // socket descriptor of the socket\r\n};\r\nThe table below lists the commands supported by DarkVision RAT.\r\nOpcode Description\r\n0x2BD Writes the RAT file content stored in the Windows registry to the RAT's file path.\r\n0x2BE Writes the RAT file content stored in the Windows registry to the RAT's file path and executes it.\r\n0x2BF Receives a file from the C2 server via socket, writes it to disk, executes it, and then deletes all\r\nRAT artifacts, including persistence entries from the registry and file system.\r\n0x2C0 Deletes all RAT artifacts, including persistence entries from the registry and files from the disk.\r\n0x2C1 Runs the RAT executable as an administrator using the runas verb. If this attempt fails, creates a\r\nRAT process that does not require administrator permissions.\r\n0x2C2 Performs DLL hijacking via WinSAT.exe and DXGI.DLL to achieve auto-elevation.\r\n0x2C3 Receives a URL and user agent from the C2 server via socket. Downloads the file from the URL\r\nusing the user agent provided, writes the file to disk, executes it, and then deletes all RAT artifacts.\r\n0x519 Receives a compressed plugin from the C2 server, decompresses it using LZNT1, and loads it into\r\nmemory. Encrypts the plugin with Salsa20 (the key and nonce are hardcoded) and writes it to disk.\r\nThe C2 server sends data in the following order: plugin ID, plugin compressed size, and plugin\r\ndata in compressed form.\r\n0x51A Unloads the specified plugin ID. 
The plugin ID follows the data received from the C2 server after\r\nthe opcode.\r\n0x51B Retrieves the status of all plugins (whether loaded or not).\r\n0x51C Deletes the encrypted plugin from the disk and registry based on the data received from the C2\r\nserver. If the data received is the value 1, deletes all plugins. Otherwise, the RAT deletes the\r\nspecified plugin ID received from the C2 server.\r\n0x51D Receives the specified plugin ID from the C2 server. Encrypts it using Salsa20 (using the same\r\nhardcoded key and nonce used in opcode 0x519), then writes it to both the registry and the disk.\r\nTable 1: Commands implemented by DarkVision RAT.\r\nThere is another set of commands used to execute plugin ordinals. For all previously mentioned commands, the\r\nupper 16 bits are set to 0, and the lower 16 bits contain the opcode ID of the command to be executed. In the\r\nnext set of commands, the upper 16 bits contain the plugin ID to be executed, while the lower 16 bits contain the\r\nordinal number to be executed.\r\nPlugins available in DarkVision RAT\r\nMost of the DarkVision RAT's features are implemented through plugins. These plugins remain as plain text only\r\nin memory, while they are stored as encrypted data on disk and in the registry. When a plugin is loaded, ordinal\r\n0x65 of the plugin is executed using a thread. The thread takes a struct as an argument, which contains important\r\ninformation about the plugin. 
Below is the structure used for this purpose.\r\nstruct PLUGIN_STRUCT{\r\n wchar_t plugin_parent_folder[0x8000]; // folder containing all plugin sub folders\r\n wchar_t plugin_filename[0x8000]; // plugin file name\r\n wchar_t plugin_filepath[0x8000]; // plugin file path\r\n void *plugin_base_address; // plugin base address in memory\r\n int32_t plugin_size; // size of plugin\r\n void *rat_folder; // RAT folder\r\n void *plugin_array; // array containing all plugin id's\r\n};\r\nThe plugins are executed in the same manner as the initial set of commands. The table below shows the plugin ID\r\nand its description.\r\nPlugin ID Plugin Description\r\n0x1 Captures webcam footage.\r\n0x2 Displays messages using MessageBox.\r\n0x3 Retrieves the process list and terminates processes based on PID.\r\n0x4 Edits the registry.\r\n0x5 Provides file system access.\r\n0x6 Views victim screen via screenshots.\r\n0x7 Lists and manages system windows.\r\n0x8 Performs system control activities such as locking the workstation, shutting down, or restarting.\r\n0x9 Retrieves and sets desktop wallpaper.\r\n0xD Establishes a reverse proxy using SOCKS.\r\n0xE Acts as a dropper to download a file from a URL and write it to disk.\r\n0xF Opens a remote shell.\r\n0x10 Captures microphone audio.\r\n0x11 Records keystrokes live (live keylogger).\r\n0x12 Steals passwords.\r\n0x13 Provides remote access using VNC.\r\n0x14 Provides remote access using hVNC.\r\n0x15 Records keystrokes offline (offline keylogger).\r\n0x16 Locks the workstation or shuts down the system for protection when the victim is away from the\r\nkeyboard.\r\n0x17 Retrieves the process list and creates a minidump of processes based on PID.\r\nTable 2: Plugins loaded by DarkVision RAT.\r\nSource: https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat"
	],
	"report_names": [
		"technical-analysis-darkvision-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434197,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87f67d091c77b954b4a86e13a1c0189632f4fd9d.pdf",
		"text": "https://archive.orkl.eu/87f67d091c77b954b4a86e13a1c0189632f4fd9d.txt",
		"img": "https://archive.orkl.eu/87f67d091c77b954b4a86e13a1c0189632f4fd9d.jpg"
	}
}