{
	"id": "23ed061e-40ce-41a9-95da-72a3f2cba1e9",
	"created_at": "2026-04-06T00:14:35.596734Z",
	"updated_at": "2026-04-10T13:12:58.139379Z",
	"deleted_at": null,
	"sha1_hash": "9870da6640d78ea9e920de03f8c530e47cc52e0c",
	"title": "DarkWatchMan RAT Spreads Via Phishing Sites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1482068,
	"plain_text": "DarkWatchMan RAT Spreads Via Phishing Sites\r\nPublished: 2023-05-05 · Archived: 2026-04-05 16:52:27 UTC\r\nCyble Research \u0026 Intelligence Labs analyzes DarkWatchman, a Remote Access Trojan that has been spreading via\r\nphishing sites.\r\nMalware Evades Detection by Lurking in Windows Registry\r\nPhishing attacks pose an ongoing and widespread danger to both individuals and organizations. To trick users into\r\ndivulging sensitive information like passwords and credit card details, Threat Actors (TAs) employ various tactics,\r\nincluding phishing websites. Attackers often use these fraudulent websites to distribute their malicious software, taking\r\nadvantage of users’ trust in legitimate-looking sites.\r\nRecently, Cyble Research and Intelligence Labs (CRIL) identified a phishing website that imitated a well-known\r\nRussian website, CryptoPro CSP. TAs were using this website to distribute DarkWatchman malware.\r\nDarkWatchman was first detected in 2021, with the primary targets being Russian users. DarkWatchman is a Remote\r\nAccess Trojan (RAT) that enables attackers to gain remote control over compromised systems and extract sensitive\r\ndata. Its malicious capabilities include capturing keystrokes, clipboard data, and system information. Notably,\r\nDarkWatchman avoids writing the captured data to disk and instead stores it in the registry, thereby minimizing the risk\r\nof detection.\r\nOn the phishing website hxxps[:]//cryptopro-download[.]one, users are presented with the option to download a\r\nmalicious file called “CSPSetup.rar.” To access the contents of this file, a password is provided for extraction.\r\nThe figure displayed below depicts the phishing website.\r\nhttps://cyble.com/blog/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/\r\nPage 1 of 13\r\nFigure 1 – Phishing Site\r\nUpon extraction, the malicious archive includes two files, CSPSetup.exe and readme.txt. If executed, CSPSetup.exe\r\ninstalls the DarkWatchman malware. The readme.txt file, which is written in Russian and included in the archive,\r\nimplies that the malware specifically targets users in Russia.\r\nThe figure below shows the files inside the “CSPSetup.rar” archive.\r\nFigure 2 – Extracted Files from the RAR archive\r\nTechnical Analysis\r\nThe file “CSPSetup.exe” (SHA 256: d439a3ce7353ef96cf3556abba1e5da77eac21fdba09d6a4aad42d1fc88c1e3c) is an\r\nSFX archive file.\r\nMore information about this file can be seen in the figure below.\r\nFigure 3 – Static File details\r\nUpon execution of CSPSetup.exe, the executable drops the DarkWatchman RAT, a JavaScript file named\r\n“144039266”, in the %temp% location. Subsequently, it runs the JavaScript file with the following two commands in\r\nsequence via the command prompt.\r\nC:\\Windows\\System32\\cmd.exe” /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath “C:”) \u0026 (start /MIN wscript.exe /E:jscript 144039266 131 “C:\\Users\\User\r\nProfile\\Desktop\\CSP\\CSPSetup.exe”\r\nThe first command launches PowerShell to add the “C:\\” drive as a Windows Defender exclusion path.\r\nThe second command uses Windows Script Host (wscript.exe) to execute the JavaScript file named “144039266”,\r\npassing two parameters: a numeric value and the path of “CSPSetup.exe”.\r\nIn addition, the CSPSetup.exe program drops a file called “291529489” in the same folder, which is the\r\nencrypted keylogger.\r\nEntry Point\r\nOnce the JavaScript is launched successfully, the execution flow starts from this function, which is responsible for\r\ninitializing global variables, installing a keylogger, and configuring the RAT.\r\nThe entry point function is depicted in the figure below.\r\nFigure 4 – entry_point() function with 3 conditions to execute\r\nThe entry_point() function calls three other functions: init_globals(), start_instance(), and install().\r\ninit_globals() – Initializes global variables.\r\ninstall() – Responsible for deploying the RAT, keylogger, and wrapper file on the victim’s machine.\r\nstart_instance() – This is the main function of DarkWatchman RAT, which is responsible for executing various\r\nmalicious activities, including keylogging and sending the user’s data to the C\u0026C server.\r\nTo proceed with the RAT installation, the entry_point() function evaluates three conditions:\r\nFirst, the JavaScript verifies that the command-line argument has a non-zero length and terminates if it is found\r\nto be empty. Otherwise, it continues execution.\r\nNext, it checks whether the first parameter is a numeric value (in this case, it is “131”).\r\nFinally, the script checks if the registry value “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\DWM\\\u003cuid + 0\u003e” exists.\r\nIf the value does not exist, it calls the install() function to deploy the RAT; otherwise, the\r\nstart_instance() function is executed.\r\nThe malware saves all its configuration and the keylogger file content under the above-mentioned registry key.\r\nInit Global\r\nThis code block initializes a set of global variables that will be utilized throughout the entire execution of the RAT.\r\nThese variables involve creating objects for performing operations on the Windows Shell, File System, Registry, WMI,\r\nand more, as shown in the figure below.\r\nFigure 5 – JavaScript code for initializing global variables\r\nThe init_globals() function comprises two sub-functions, namely get_uid() and is_admin(), which are extensively used\r\nin other parts of the JavaScript.\r\nget_uid()\r\nThe purpose of the get_uid() function is to obtain a unique identifier (UID) for the system currently in use. It does\r\nso by accessing a specific registry value:\r\n“HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid”.\r\nIt retrieves data from the registry value and returns the first eight characters in lowercase as the UID.\r\nThis UID, suffixed with various alphanumeric characters, is used as the registry value name for the RAT’s operations. For\r\nexample, the table below contains a few UIDs with their corresponding purpose.\r\nUID | Purpose\r\nuid+0 | Installation\r\nuid+h | Clear browser history\r\nuid+1 | Compiling keylogger\r\nuid+z | Stop RAT\r\nuid+c | C\u0026C server\r\nis_admin()\r\nThis function determines whether the user has administrative privileges on the system by creating a registry value\r\n“HKEY_CLASSES_ROOT\\WinNT\\test” and writing a value of 1 to it using the RegWrite method. It then checks if the\r\nvalue can be read using the RegRead method. If it is 1, it indicates that the user has write permissions and therefore\r\nconfirms the administrative privileges.\r\nIf the value cannot be read or is not 1, the function returns false, indicating that the user does not have administrative\r\nprivileges. The function ends by deleting the registry value using the RegDelete method.\r\nThe below figure shows the function code of is_admin().\r\nFigure 6 – Function to check if the user has administrative privileges\r\nAfter obtaining the necessary global variables and user permission information, the script proceeds to initiate the\r\ninstallation process of the RAT on the victim’s system.\r\nInstall\r\nThe function is responsible for deploying the DarkWatchman RAT and the keylogger on the system. The below figure\r\nshows the beginning code snippet of the install() function.\r\nFigure 7 – The beginning of the install() function\r\nThe first step of the function involves verifying whether the command line contains more than one parameter. If\r\nthe condition is satisfied, the function then tries to remove the “CSPSetup.exe” file from the system.\r\nAfterward, the script verifies if the user has administrative privileges. If so, it runs a PowerShell command to add\r\nan exclusion path for Windows Defender, specifically excluding the \\appdata\\local folder from being scanned.\r\npowershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath “‘ + f.Self.Path + ‘”‘,\r\n0, false\r\nNext, the JavaScript file generates a filename by combining the unique identifier “uid” with the string “0.js” and\r\ncreates a copy of itself in the below location.\r\n“C:\\\\Users\\\\User Profile\\\\AppData\\\\Local\\\\5d202e6e0.js”\r\nIf the copying of the file is successful, the script then proceeds to create a Task Scheduler entry in the system that\r\nwill run the copied script every time the system starts up.\r\nThe figure below shows the Task Scheduler entry created by the DarkWatchman RAT.\r\nFigure 8 – Establishing Persistence Using Task Scheduler\r\nThe remaining code within the install() function is shown in the figure below.\r\nFigure 9 – Remaining Code of the install() function\r\nThe following section of the function checks for the existence of an encoded keylogger file called “291529489”\r\nin the %temp% directory. If the file exists, the function reads its contents and removes the file from the disk as\r\nshown in the figure below.\r\nFigure 10 – Function Removes Keylogger file and saves the content into Registry\r\nAfter deleting the file “291529489”, the JavaScript file proceeds to write the content of the encrypted file to the\r\nregistry as Base64 encoded data. To accomplish this, the script extracts a 4-byte key from the first 8 characters of\r\nthe input string and XORs the remaining characters of the string with the key to obtain the data.\r\nFinally, the decrypted Base64 encoded data is saved to the registry with the registry value “uid+1”, as shown in the\r\nbelow figure.\r\nFigure 11 – RAT decrypts the keylogger code and stores it in the registry\r\nThen, the RAT proceeds to execute the newly copied JS file by passing the below command line\r\nthrough the Windows Management Instrumentation (WMI) service.\r\n“C:\\\\Windows\\\\SysWOW64\\\\wscript.exe \\”C:\\\\Users\\\\User Profile\\\\AppData\\\\Local\\\\5d202e6e0.js\\” 131″\r\nNext, the function registers the “dynwrapx.dll” library by copying it to the %temp% directory and running the\r\n“regsvr32.exe” command with the “/i” and “/s” flags to install the library silently.\r\nThe image below shows the code for launching the wrapper file.\r\nFigure 12 – Launching wrapper file\r\nFurthermore, the RAT executes a system command to silently delete all the restore points on the computer using\r\n“vssadmin.exe”:\r\nwscript_shell.Run(‘vssadmin.exe Delete Shadows /All /Quiet’, 2, false);\r\nThe final step is a popup message box with the text “Unexpected end of the file.” The popup is displayed\r\nfor 30 seconds with the title “Error”.\r\nStart Instance\r\nThe start_instance() function is an essential part of the DarkWatchman RAT script, as it performs a set of standard\r\noperations every time the RAT runs.\r\nThe figure below shows the code snippet of the start_instance() function.\r\nFigure 13 – start_instance() function\r\nThe script performs the following actions:\r\nThe RAT checks whether an autostart JavaScript file exists in the system registry and executes it if found.\r\nThen, it retrieves the converted keylogger code stored in the registry and passes it to PowerShell via the\r\n“StartProcessViaWMI” function to execute. The command line is as follows:\r\n‘powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc ‘ + Base64 encoded data (stored in the\r\nregistry)\r\nThe keylogger records keystrokes, clipboard data, and smart card information in the registry to minimize the risk of\r\ndetection. The keylogger in DarkWatchman does not have any direct communication with the Command-and-Control\r\n(C\u0026C) server or write any data to the disk. Instead, it stores its captured data in a registry value that is used as a\r\nbuffer.\r\nThe RAT regularly retrieves and clears the buffer before transmitting the collected keystrokes to the C\u0026C server.\r\nThe figure below shows the captured clipboard content stored in the registry.\r\nFigure 14 – Captured clipboard content stored in the registry\r\nNext, the function attempts to connect to a C\u0026C URL retrieved from the registry value uid + ‘c’.\r\nThe below figure shows the registry value containing the URL.\r\nFigure 15 – Retrieving C\u0026C URL from the registry\r\nIf the C\u0026C connection fails, it generates a new URL using the hardcoded domains, salt value, and zones that are present\r\nin the JavaScript file. The below image shows the list of seeded domains, salt values, and zones used by DarkWatchman\r\nRAT.\r\nFigure 16 – C\u0026C Server List\r\nAfter that, the RAT collects the victim’s system information, such as operating system version, locale, computer\r\nname, username, domain role, and antivirus software. It then formats this information into a string and sends it to\r\nthe C\u0026C server. Then it goes into sleep mode for 60 seconds.\r\nThe below figure shows the data captured from the victim’s machine.\r\nFigure 17 – Data Exfiltration\r\nThe following are descriptions of the remaining part of the start_instance() function:\r\nFigure 18 – Remaining code snippet of the start_instance() function\r\nThe RAT checks if the registry value named uid + ‘h’ exists and if the system uptime is less than 600\r\nseconds. If not, it terminates processes and deletes browsing history for web browsers such as Internet Explorer,\r\nFirefox, Chrome, and Yandex.\r\nOnce the browser history has been cleared successfully, the uid + ‘h’ registry value is updated to 1 to avoid repeating the\r\nprocess during the same session.\r\nThe following figure displays the updated registry key after clearing the browser history.\r\nFigure 19 – C\u0026C communication\r\nThe loop checks the existence of registry values such as uid + ‘t’ and uid + ‘z’.\r\nIf the registry key contains uid + ‘z’, the script will terminate, and the RAT operation will be stopped. If the registry key\r\ncontains uid + ‘t’, it sleeps for 300,000 milliseconds (5 minutes) before reconnecting to the server.\r\nAfter gathering the captured stolen information, the RAT sends it to the C\u0026C server.\r\nThe code and the corresponding values sent to the server are displayed in the figure below.\r\nFigure 19 – C\u0026C communication\r\nConclusion\r\nDarkWatchman RAT showcases a new spreading technique through phishing sites, indicating that TAs are constantly\r\ninnovating and using new methods to compromise systems. With the rise in the number of DarkWatchman samples\r\nbeing detected in the wild, the malware may be increasingly used in future cyberattacks.\r\nFurthermore, using the Windows Registry as a storage mechanism for fileless malware is noteworthy, as it can evade\r\ndetection by traditional antivirus software that relies on scanning files. DarkWatchman’s keylogger is an example of\r\nsuch fileless malware designed to avoid detection.\r\nCyble Research and Intelligence Labs continues to monitor the activity of DarkWatchman RAT and other malware and\r\nwill provide timely updates to our readers.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the best practices given below:\r\nSafety Measures Needed to Prevent Malware Attacks\r\nDo not open suspicious links in emails\r\nDo not download software from untrusted sources\r\nUse a reputed antivirus and Internet security software package on your connected devices, including PC, laptop,\r\nand mobile\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity\r\nUsers Should Take the Following Steps After the Malware Attack\r\nDetach infected devices on the same network\r\nDisconnect external storage devices if connected\r\nInspect system logs for suspicious events\r\nImpact And Cruciality of Malware\r\nAdditional malware can be dropped into the system\r\nInfected systems could attack other systems\r\nLoss of valuable data\r\nLoss of the organization’s reputation and integrity\r\nLoss of the organization’s sensitive business information\r\nDisruption in organization operation\r\nMonetary loss\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1566 | Phishing\r\nExecution | T1059 | Command and Scripting Interpreter\r\nExecution | T1204 | User Execution\r\nExecution | T1218 | Regsvr32\r\nExecution | T1059 | PowerShell\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1564 | Hidden Window\r\nPersistence | T1053 | Scheduled Task/Job\r\nDiscovery | T1012 | Query Registry\r\nDiscovery | T1087 | Account Discovery\r\nDiscovery | T1082 | System Information Discovery\r\nInput Capture | T1056/001 | Input Capture: Keylogging\r\nCommand and Control | T1071 | Application Layer Protocol\r\nIndicators of Compromise (IOCs)\r\nSource: https://cyble.com/blog/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyble.com/blog/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/"
	],
	"report_names": [
		"sophisticated-darkwatchman-rat-spreads-through-phishing-sites"
	],
	"threat_actors": [],
	"ts_created_at": 1775434475,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9870da6640d78ea9e920de03f8c530e47cc52e0c.pdf",
		"text": "https://archive.orkl.eu/9870da6640d78ea9e920de03f8c530e47cc52e0c.txt",
		"img": "https://archive.orkl.eu/9870da6640d78ea9e920de03f8c530e47cc52e0c.jpg"
	}
}