{
	"id": "5485baab-4fab-4964-aa0f-c8d951d9d1bf",
	"created_at": "2026-04-10T03:20:54.647753Z",
	"updated_at": "2026-04-10T03:22:18.642334Z",
	"deleted_at": null,
	"sha1_hash": "98ec31a64c58eaf4fc86232829e26359cbb25801",
	"title": "DCRat backdoor returns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1494318,
	"plain_text": "DCRat backdoor returns\r\nBy AMR\r\nPublished: 2025-03-11 · Archived: 2026-04-10 02:46:38 UTC\r\nSince the beginning of the year, we’ve been tracking in our telemetry a new wave of DCRat distribution, with paid access to the backdoor provided under the Malware-as-a-Service (MaaS) model. The cybercriminal group behind it also offers support for the malware and infrastructure setup for hosting the C2 servers.\r\nDistribution\r\nThe DCRat backdoor is distributed through the YouTube platform. Attackers create fake accounts or use stolen ones, then upload videos advertising cheats, cracks, gaming bots and similar software. In the video description is a download link to the product supposedly being advertised. The link points to a legitimate file-sharing service where a password-protected archive awaits, the password for which is also in the video description.\r\nhttps://securelist.com/new-wave-of-attacks-with-dcrat-backdoor-distributed-by-maas/115850/\r\nPage 1 of 5\r\nYouTube video ad for a cheat and crack\r\nInstead of gaming software, these archives contain the DCRat Trojan, along with various junk files and folders to distract the victim’s attention.\r\nArchives with DCRat disguised as a cheat and crack\r\nBackdoor\r\nThe distributed backdoor belongs to a family of remote access Trojans (RATs) dubbed Dark Crystal RAT (DCRat for short), known since 2018. Besides backdoor capability, the Trojan can load extra modules to boost its functionality. Throughout the backdoor’s existence, we have obtained and analyzed 34 different plugins, the most dangerous functions of which are keystroke logging, webcam access, file grabbing and password exfiltration.\r\nDCRat builder plugins on the attackers’ site\r\nInfrastructure\r\nTo support the infrastructure, the attackers register second-level domains (most often in the RU zone), which they use to create third-level domains for hosting the C2 servers. The group has registered at least 57 new second-level domains since the start of the year, five of which already serve more than 40 third-level domains.\r\nA distinctive feature of the campaign is the appearance of certain words in the second-level domains of the malicious infrastructure, such as “nyashka”, “nyashkoon”, “nyashtyan”, etc. Users interested in Japanese pop culture will surely recognize these slang terms. Among anime and manga fans, “nyasha” has come to mean “cute” or “hon”, and it’s this word that’s most often seen in the second-level domains.\r\nC2 server addresses with characteristic naming approach\r\nVictims\r\nBased on our telemetry data since the beginning of 2025, 80% of DCRat samples using such domains as C2 servers were downloaded to the devices of users in Russia. The malware also affected a small number of users from Belarus, Kazakhstan and China.\r\nConclusion\r\nKaspersky products detect the above-described samples with the verdict Backdoor.MSIL.DCRat.\r\nNote that we also encounter campaigns distributing other types of malware (stealers, miners, loaders) through password-protected archives, so we strongly recommend downloading game-related software only from trusted sources.\r\nSource: https://securelist.com/new-wave-of-attacks-with-dcrat-backdoor-distributed-by-maas/115850/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/new-wave-of-attacks-with-dcrat-backdoor-distributed-by-maas/115850/"
	],
	"report_names": [
		"115850"
	],
	"threat_actors": [],
	"ts_created_at": 1775791254,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98ec31a64c58eaf4fc86232829e26359cbb25801.pdf",
		"text": "https://archive.orkl.eu/98ec31a64c58eaf4fc86232829e26359cbb25801.txt",
		"img": "https://archive.orkl.eu/98ec31a64c58eaf4fc86232829e26359cbb25801.jpg"
	}
}