{
	"id": "3d83a537-7b88-4cad-bda6-2e314f8b9a2c",
	"created_at": "2026-04-06T00:12:12.27551Z",
	"updated_at": "2026-04-10T03:23:51.059008Z",
	"deleted_at": null,
	"sha1_hash": "bb0254ff1c390224aa301014a0fbdbe3b7dc3958",
	"title": "Disarming DarkGate: A Deep Dive into Thwarting the Latest DarkGate Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1236577,
	"plain_text": "Disarming DarkGate: A Deep Dive into Thwarting the Latest DarkGate Variant\r\nPublished: 2024-07-12 · Archived: 2026-04-05 19:12:23 UTC\r\nThe SonicWall RTDMI™ engine has recently protected users against the distribution of the “6.6” variant of DarkGate malware by a phishing email campaign carrying PDF files as attachments. DarkGate is an advanced Remote Access Trojan (RAT) that has been widely active since 2018. The RAT is marketed as Malware-as-a-Service in underground forums, and threat actors actively update its code. The malware supports a wide range of features (anti-VM, anti-AV, delayed execution, multi-variant support, process hollowing, etc.), which are controlled by flags in the configuration data. This variant of the DarkGate RAT supports more than 65 commands from the Command-and-Control (C2) server. The SonicWall threat research team has observed a spike in PDF attachments that lead to the execution of DarkGate malware on the victim’s machine.\r\nPDF\r\nThe PDF file disguises itself as an invoice dated “26 Jun 2024” and contains a download button that redirects to a compromised website to download a malicious VBScript file.\r\nFigure 1: PDF file containing download link\r\nhttps://www.sonicwall.com/blog/disarming-darkgate-a-deep-dive-into-thwarting-the-latest-darkgate-variant\r\nPage 1 of 22\n\nVBScript\r\nFunction names and variable names in the VBScript code are obfuscated, and large comments are added to hinder readability. The malware keeps the malicious compressed data in the comments at the end of the VBScript code. 
The malware retrieves the compressed data using the regular expression “'\\s(+)(\\r?\\n|$)” and extracts files into “C:\\Default\\Autoit3.exe” and “C:\\Default\\script.a3x.” The malware then executes the compiled AutoIt3 (AU3) script file using the WMIC command “wmic process call create \"cmd /c C:\\Default\\Autoit3.exe C:\\Default\\script.a3x\"”, which continues the execution chain.\r\nFigure 2: Obfuscated VBScript code\r\nAU3 Script\r\nAfter decompiling the script file “script.a3x,” we get the legible AU3 script. It concatenates hexadecimal-encoded strings of shellcode bytes, which are followed by the bytes of the DarkGate loader binary.\r\nFigure 3: AU3 script decryption logic and shellcode\r\nThe AU3 script contains encrypted instructions, which are decrypted using a byte-wise XOR operation; the equivalent C representation of the algorithm is shown below.\r\nFigure 4: C code for AU3 decryption logic\r\nFigure 5: Encrypted command in the AU3 script\r\nAfter decryption, the AU3 script executes the instructions below to transfer control to the shellcode bytes by registering them as a callback with the EnumWindows API:\r\n$pt = DllStructCreate(\"byte[75613]\") ; buffer sized to the shellcode length passed to VirtualProtect\r\nDllCall(\"kernel32.dll\", \"BOOL\", \"VirtualProtect\", \"ptr\", DllStructGetPtr($pt), \"int\", 75613, \"dword\", 0x40, \"dword*\", 0) ; mark the buffer PAGE_EXECUTE_READWRITE\r\nDllStructSetData($pt, 1, $data) ; copy the shellcode into the executable buffer\r\nDllCall(\"user32.dll\", \"int\", \"EnumWindows\", \"ptr\", DllStructGetPtr($pt), \"lparam\", 0) ; the buffer is invoked as the enumeration callback\r\nShellcode\r\nThe shellcode walks the PEB to resolve API addresses by hashing API names. It then parses the PE headers of the DarkGate loader binary, which follows the shellcode bytes, to obtain the address of its entry point. 
Execution is now transferred to the DarkGate loader entry point, and the byte at offset 0x20 in the DOS header of the loader binary is updated to the value “2” to prevent re-execution of the loader in the next callback to the shellcode. Because the shellcode is registered as a callback function and may be invoked repeatedly, this updated DOS header byte prevents multiple instances of the DarkGate loader from running.\r\nDarkGate Loader\r\nThe loader reads the script file and retrieves the encrypted DarkGate bytes using the marker value “GDrdcpJy.” The malware decrypts the DarkGate binary with the key “GDrdcpJy” using the EncryptDecrypt algorithm, which is explained in the malware initialization section. The malware then loads the DarkGate binary in memory and transfers execution control to it.\r\nDarkGate\r\nMalware execution starts by initializing the version value “6.6” for the DarkGate variant. It loads the required DLLs and resolves API addresses dynamically at runtime in later stages to hinder analysis. The DLLs loaded by the malware are listed below:\r\nUrlmon.dll\r\nuser32.dll\r\nAdvapi32.dll\r\nShell32.dll\r\nntdll.dll\r\nThe malware invokes a module that is responsible for initializing the key value. 
This key is used by the malware to encrypt and decrypt data.\r\nFigure 6: DarkGate version initialization\r\nKey Initialization\r\nGets the value of “ProductID” from the registry entry HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion.\r\nGets the value of “ProcessorNameString” from the registry entry HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor.\r\nGets the hexadecimal-encoded Unicode computer name using the API GetComputerNameW.\r\nConcatenates the values (string “4” + ProductID + ProcessorInfo + ComputerName).\r\nGenerates a customized MD5 value from the concatenated string.\r\nComputes the MD5 of the customized MD5 value and applies substitution cipher encoding with the cipher table “abcdefKhABCDEFGH” to get the encoded string.\r\nTakes the initial 7 bytes “hbKEHBK” of the encoded string as the name of a file created in %appdata%. If the %appdata% directory is not present on the machine, the malware creates the file in the “c:\\temp” directory instead.\r\nGenerates a random string of length 0x14, computes its MD5 and applies the substitution cipher encoding to get the encoded string.\r\nThe encoded string “GehdKEDaHaDcEbEeDHKAdeKFGDDdAhAd” is written into the file “%appdata%\\hbKEHBK.” On every subsequent execution of the malware on the same machine, the value is read from this file to compute the key value used to encrypt and decrypt data.\r\nReads the file content from “%appdata%\\hbKEHBK” and generates a customized MD5 value, then derives the key value by computing the MD5 of the customized MD5 value and encoding it with the substitution cipher method.\r\nSaves the key value “fHFeFhhCEhbBKBcfKEAbCBeHFCHFEhFK” into memory.\r\nFigure 7: Key generation process\r\nWhenever we refer to the key to encrypt and decrypt data, we will be referring to this key value saved in memory. 
The values mentioned above are specific to the infected system and vary between systems; they are shown here for understanding and reference purposes.\r\nFigure 8: Code snippet to get the initial 7 characters for the appdata file name\r\nTest Environment Settings\r\nThe malware author has implemented a file-based check to detect a testing environment, which avoids having to debug and modify the code while testing the malware execution. Malware execution can be disabled by creating the file “c:\\temp\\test.txt”, which forces the malware to terminate after creating the file “c:\\temp\\test_ok.” The presence of “c:\\temp\\test.txt” on a machine can therefore also protect users from DarkGate infection.\r\nFigure 9: Checks for testing environment\r\nAntiVirus Detection\r\nThe malware enumerates the running processes and saves the list of process names separated by “|.” It detects security software by either the presence of its installation directory or the presence of a process name associated with it. If security software is detected, the malware sets the corresponding flag and initializes the name string for that security software. If the malware does not find any security software, it assumes the presence of Windows Defender and initializes the flag and name values accordingly. The flag values are used to alter malware behavior based on the security software present. 
A list of security software and the corresponding detection methods is given in the table below.\r\nSecurity Software: Detection Methods\r\nBitdefender: Presence of directories C:\\ProgramData\\Bitdefender, C:\\Program Files\\Bitdefender\r\nSentinelOne (EDR): Presence of directory C:\\Program Files\\SentinelOne\r\nAvast: Presence of directories C:\\ProgramData\\AVAST, C:\\Program Files\\AVAST Software\r\nAVG: Presence of directories C:\\ProgramData\\AVG, C:\\Program Files\\AVG\r\nKaspersky: Presence of directories C:\\ProgramData\\Kaspersky Lab, C:\\Program Files (x86)\\Kaspersky Lab\r\nNod32: Presence of process |egui; presence of directory C:\\ProgramData\\ESET\r\nAvira: Presence of directory C:\\Program Files (x86)\\Avira\r\nNorton: Presence of processes |ns.exe, |nis.exe, nortonsecurity.exe\r\nSymantec: Presence of process |smc.exe\r\nTrend Micro: Presence of process uiseagnt.exe\r\nMcAfee: Presence of processes mcshield.exe, mcuicnt.exe\r\nSUPERAntiSpyware: Presence of process superantispyware.exe\r\nMalwareBytes: Presence of process |mbam.exe; presence of directory C:\\Program Files\\Malwarebytes\r\nComodo: Presence of processes vkise.exe, |cis.exe\r\nByteFence: Presence of process bytefence.exe\r\nSearch \u0026 Destroy: Presence of process sdscan.exe\r\n360 Total Security: Presence of process qhsafetray.exe\r\nTotal AV: Presence of process totalav.exe\r\nIObit Malware Fighter: Presence of directory C:\\Program Files (x86)\\IObit\r\nPanda Security: Presence of process psuaservice.exe\r\nEmsisoft: Presence of directory C:\\ProgramData\\Emsisoft\r\nQuick Heal: Presence of directory C:\\Program Files\\Quick Heal\r\nF-Secure: Presence of directory C:\\Program Files (x86)\\F-Secure\r\nSophos: Presence of directory C:\\ProgramData\\Sophos\r\nG DATA: Presence of directory C:\\ProgramData\\G DATA\r\nWindows Defender: 
Absence of any other security software\r\nTo avoid false matches on short process names, the malware prefixes the process name with “|” when searching the list of running processes. Because “|” is the separator in that list, the prefix prevents a match in the middle of another process name.\r\nFigure 11: Code snippet comparing installation directory for security software\r\nMalware Initialization\r\nThe malware decrypts the configuration data from memory with the key “ckcilIcconnh” using an XOR-based algorithm. The malware uses the same algorithm to both encrypt and decrypt data, but with different keys. We will be referring to this algorithm as the EncryptDecrypt algorithm in further discussion.\r\nFigure 12: EncryptDecrypt algorithm\r\nThe decrypted data is a set of key-value pairs, where the keys are integer indexes and the values are either “Yes”/“No” flags or data used by the malware.\r\nFigure 13: Decrypted configuration data\r\nThe malware generates hash-encrypted folder names from the corresponding plain text folder names.\r\nPlain text folder name: Hashed folder name\r\nMainfolder: Dehffdh\r\nLogsfolder: Chhdddd\r\nSettings: Ddahcgk\r\nDomain: Kkgfbgh\r\nFigure 14: Hash-based folder names\r\nThe malware creates the hash-named main folder “dehffdh” in “C:\\ProgramData.” If either Avast or AVG security software is present on the victim’s machine, the malware uses the directory “C:\\” instead of “C:\\ProgramData.” 
The malware creates the other folders and files inside the main folder:\r\nC:\\ProgramData\\dehffdh\\\r\nC:\\ProgramData\\dehffdh\\chhdddd\\\r\nC:\\ProgramData\\dehffdh\\ddahcgk\r\nC:\\ProgramData\\dehffdh\\kkgfbgh\r\nFigure 15: Code gets hash-based names from plain folder and file names\r\nThe code appends “Domain=\u003chost IP\u003e” and “EPOCH=\u003ccurrent timestamp\u003e” to the configuration data, encrypts it using a stored key with the EncryptDecrypt algorithm, and writes the encrypted data into the settings file at “C:\\ProgramData\\dehffdh\\ddahcgk.” Additionally, it collects domain information using the command “cmd.exe /cz wmic ComputerSystem get domain” and stores it in the domain file “C:\\ProgramData\\dehffdh\\kkgfbgh.” The code also hides the main folder if Avast or AVG security software is detected on the machine.\r\nFigure 16: Gets domain information\r\nDebug Mode Network Communication\r\nIf the malware finds the string “optpad” in the encrypted configuration data, it assumes it is running in a debug environment and uses localhost (127.0.0.1) instead of the actual Command and Control (C2) host. 
This is likely done by the malware author to verify that network communication with the malware works correctly. The malware also checks for the presence of the directory “c:\\debug” and, if found, displays a debug message with the DarkGate version number.\r\nFigure 17: Debug message with DarkGate version\r\nConfiguration Data\r\nThe table below lists the key-value pairs of the configuration data and their interpretation in the malware code.\r\nKey Type Value Description\r\n0 data 91.222.173.170| C2 host domain\r\n8 flag No Enables display of message box\r\n11 data DarkGate Caption string for message box\r\n12 data R0ijS0qCVITtS0e6xeZ Custom base64 encoded \"Hello World!\" text for message box\r\n13 data 6 Unreferenced in this variant\r\n14 flag Yes Unreferenced in this variant\r\n15 data 80 C2 port number\r\n1 flag Yes Enables process hollowing, persistence and installation of malware\r\n32 flag No Enables process hollowing (depends on flag 1)\r\n3 flag Yes Enables anti-VM on display device name\r\n4 flag No Enables anti-VM on hard disk size\r\n18 data 100 Minimum hard disk size\r\n6 flag Yes Enables anti-VM on display device name\r\n7 flag No Enables anti-VM on minimum RAM size\r\n19 data 4095 Minimum RAM size\r\n5 flag No Enables anti-VM check for Xeon processor\r\n21 flag No Unreferenced in this variant\r\n22 flag No Is DLL variant\r\n23 flag Yes Is AU3 variant\r\n31 flag No Is AHK variant\r\n24 data 26sp Unreferenced in this variant\r\n25 data trafikk897612561 Unreferenced in this variant; should be campaign ID\r\n26 flag No Unreferenced in this variant\r\n27 data GDrdcpJy Marker and key to decrypt DarkGate binary from script file\r\n28 flag No Unreferenced in this variant\r\n29 data 2 Used in DLL variant for GUP.exe + libcurl.dll; if value is \"7\", KeyScramblerLogon.exe + KeyScramblerIE.dll\r\n34 flag No Is C2 
communication HTTPS\r\n35 flag No Enables keylogging\r\nTable data (.w]IqBUhsgZ\r\nLVbE)xH58FRASkj2K6W\u0026... Unreferenced in this variant\r\nFigure 18: Table contains configuration data as key-value pairs\r\nAnti-VM\r\n1. If flag 5 is \"Yes,\" the malware gets the value of \"ProcessorNameString\" from the registry entry HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor and terminates execution if it contains the string \"xeon\".\r\n2. If flag 3 is \"Yes\" or flag 6 is \"Yes,\" the malware terminates execution if the display device name contains any of the following strings:\r\nmicrosoft hyper-v video\r\nvirtual\r\nvmware\r\nstandard vga graphics adapter\r\nmicrosoft basic display adapter\r\nFigure 19: Compares display device name\r\n3. If flag 7 is \"Yes,\" the malware retrieves the minimum RAM size value \"4095\" from data 19, and if the system RAM size in MB is less than the required minimum, the malware terminates execution.\r\n4. 
If flag 4 is \"Yes,\" the malware retrieves the minimum hard disk size value \"100\" from data 18, and if the system hard disk size in GB is less than the required minimum, the malware terminates execution.\r\nMulti Variant Support\r\nThe malware code is written to support the three variant types listed below and behaves accordingly:\r\nAutoHotkey variant (flag 31)\r\nAutoIt v3 variant (flag 23)\r\nDLL variant (flag 22)\r\nThis malware variant is an AutoIt V3 (AU3) variant, which is identified by the value \"Yes\" for flag 31.\r\nActions Based on Installed AV\r\nIf any of Nod32 (ESET), Avast, or AVG is present on the victim's machine, the malware sets the values of flag 1 and flag 32 to \"Yes,\" enabling execution of the malware using process hollowing.\r\nIf ESET is present, the malware checks for the username \"abby\" and terminates execution if it matches.\r\nIf SentinelOne or Bitdefender is present, the malware displays a message box containing random text of length 6 using the API MessageBoxTimeoutA. However, the message cannot be seen by the user, as it has a timeout value of only 2 milliseconds and disappears immediately.\r\nDelay Execution\r\nThe malware delays execution for some time if the user is focused on the Process Hacker or Process Monitor window, to avoid observation of its malicious activity by the user. 
The malware runs a 100-millisecond sleep loop up to 40 times, checking the foreground window text for the strings \"process hacker\" or \"process explorer\"; if neither matches, the malware exits the loop.\r\nHello Message\r\nIf the value of flag 8 is \"Yes,\" the malware takes the value \"DarkGate\" from field data 8 as the caption and decodes the value from field data 12 using custom Base64 decoding to use as the text of a message box displayed with a timeout value of 1770 milliseconds.\r\nFigure 20: DarkGate says Hello World!\r\nMalware Installation\r\nIf the value of flag 1 is \"Yes,\" the malware retrieves the running executable path and the script path from the process arguments and copies them as Autoit3.exe and the AU3 script, respectively, into the main folder in \"c:\\ProgramData\". The malware decrypts the DarkGate binary with the key value \"GDrdcpJy\" from field data 27 using the EncryptDecrypt algorithm. The key value also works as a marker to locate the encrypted DarkGate bytes in the AU3 script file.\r\nProcess Hollowing\r\nIf the values of flag 1 and flag 32 are both \"Yes,\" the malware invokes the process hollowing code. If Norton security software is found, the malware looks for the process name \"Norton.exe\" among the running processes to load and inject the DarkGate binary. If SentinelOne is present on the victim's machine, the malware skips process hollowing. 
If SentinelOne is not present, the malware tries the following files in sequence as process hollowing targets:\r\nC:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\substring\u003cupdatecore.exe\u003e\r\nC:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\r\nC:\\Program Files (x86)\\Google\\Update\\substring\u003cupdatecore.exe\u003e\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe\r\nIf the value of flag 1 is \"Yes\" and the value of flag 32 is \"No,\" the malware skips process hollowing and creates a persistence entry by dropping a Windows Shortcut (LNK) file into \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\". The LNK file launches the AU3 script using Autoit3.exe on Windows startup, which in turn executes the DarkGate malware from the script file. The malware spawns a thread that keeps checking the foreground window text and deletes the dropped LNK file if it finds one of the following strings:\r\nprocess hacker\r\nprocess explorer\r\nccleaner\r\nsystem config\r\nmalwarebytes\r\nfarbar recovery\r\navast\r\nstartup\r\nrootkit\r\nautoruns\r\neditor de registro\r\neditor del registro\r\nregistry editor\r\ngerenciador de tarefas\r\nzhpcleaner\r\ntask manager\r\njunkware removal\r\nadministrador de tareas\r\nhijackthis\r\ntcpview\r\nprocess monitor\r\nwireshark\r\ntaskmanager\r\nPrevent Sleeps\r\nBefore starting communication with the C2 server, the malware calls the API SetThreadExecutionState to prevent the system from sleeping.\r\nNetwork Communication\r\nThe malware collects the following information from the victim's machine and concatenates it using the separator \"|\":\r\nHexadecimal-encoded Unicode text of the active window\r\nLast input time\r\nTime in seconds since system start\r\nIs user admin\r\nDarkGate version\r\nFigure 21: Information sent to C2 in plain text\r\nThe 
data is concatenated with the value \"1000\" and then encrypted using the EncryptDecrypt algorithm mentioned earlier with the key saved in memory. The malware concatenates the key and the encrypted data and encodes the result using custom Base64 encoding. The malware sends the encoded data to the C2 server \"91.222.173.170\". If the value of flag 34 is \"Yes,\" the malware communicates over HTTPS; otherwise, it communicates over HTTP.\r\nFigure 22: Encrypted and encoded information sent to C2\r\nThe malware receives encrypted and custom Base64 encoded data from the C2 server, which can be decoded using the custom Base64 and decrypted using the EncryptDecrypt algorithm with the key saved in memory. At the time of analysis, the malware received the response data \"1000|2000,\" in which \"1000\" is the command to perform an action and \"2000\" is the additional data used in performing the action, which varies based on the command value.\r\nFigure 23: C2 Communication\r\nThe malware performs various actions based on the command received from the C2 server. In this variant, the malware supports more than 65 commands, and a few of them are described below.\r\nCommand: 1000 (Continue)\r\nSleeps based on the value from the additional data separated by \"|\" and sends the machine information to the C2 again.\r\nCommand: 1111 (Ransomware)\r\nThe malware retrieves the ransom note and the ransomware payload bytes from the additional data, which are separated by \"||--|--||\". 
The malware drops the ransom note into the directory \"C:\\temp\" and executes the ransomware binary.\r\nCommand: 1065 (WebBrowserPassView)\r\nAlong with the command, the response data contains multiple binary file bytes, separated by \"resourcesplit,\" which are written into the following files:\r\nc:\\temp\\freebl3.dll\r\nc:\\temp\\mozglue.dll\r\nc:\\temp\\nss3.dll\r\nc:\\temp\\softokn3.dll\r\nWebBrowserPassView\r\nThe malware executes WebBrowserPassView to steal credentials, sends them to the C2 server, and then deletes the created files.\r\nCommand: 1108 (Launch DLL variant)\r\nThe response data contains multiple binary file bytes for the DLL variant of DarkGate, separated by \"||--|--||,\" which are written to the directory C:\\temp and executed using the API ShellExecuteA:\r\nlibcurl.dll\r\ntest.txt\r\nGUP.exe\r\nCommand: 1104 (Launch AHK variant)\r\nThe response data contains multiple binary file bytes for the AutoHotKey variant of DarkGate, separated by \"||--|--||,\" which are written to the directory C:\\temp and executed using the API ShellExecuteA:\r\nscript.ahk\r\ntext.txt\r\nAutoHotKey.exe\r\nCommand: 1097 (Launch AU3 variant)\r\nThe response data contains multiple binary file bytes for the AutoHotKey variant of DarkGate, separated by \"||--|--||,\" which are written to the directory C:\\temp and executed using the API ShellExecuteA:\r\nscript.a3x\r\nAutoit3.exe\r\nCommand: 1084 (Restart)\r\nRestarts the victim's machine immediately after closing running applications using the command \"cmd.exe /c shutdown -f -r -t 0\".\r\nCommand: 1110 (Enumerate Drives)\r\nEnumerates system drives except CD-ROM drives.\r\nCommand: 1083 (Shutdown)\r\nShuts down the victim's machine immediately after closing running applications using the command \"cmd.exe /c shutdown -f -s -t 0\".\r\nCommand: 1082 (Shutdown Display)\r\nThe malware runs in an infinite loop to 
keep shutting down the victim's display using the API SendMessageA by broadcasting the message \"WM_SYSCOMMAND\" with SC_MONITORPOWER set to the value \"2\".\r\nFigure 24: API call to shut down display\r\nCommand: 1081 (BSOD)\r\nThe malware generates a hard error with the value \"0xC0000350\" using the API NtRaiseHardError, which displays the BSOD (Blue Screen of Death).\r\nFigure 25: Blue Screen of Death\r\nCommand: 1071 (FileZilla)\r\nThe malware sends the content of the following files from \"%appdata%\\FileZilla\" to the C2 server:\r\nrecentservers.xml\r\nsitemanager.xml\r\nCommand: 1059 (Terminate Process)\r\nThe malware terminates the process associated with the received process ID.\r\nThe unavailability of the PDF file in any of the popular threat intelligence sharing portals such as VirusTotal and ReversingLabs at the time of writing indicates its uniqueness and limited distribution.\r\nFigure 26: VT screenshot\r\nEvidence of detection by RTDMI can be seen below in the Capture ATP report for this file:\r\nFigure 27: Capture Report\r\nIOCs\r\n0a3764e9972dcdd3819f4728038d094a28a1ccff43d7d9e413eab794c9ecbe05 (PDF)\r\n49a46f2ff414ad11b2b623a7dc811002bf78979b5db1fb6f03334fd1fa20f8a6 (VBScript)\r\n83f1fab236357817270f995a6e3e32f90661dad6d625ad1e1f16b06c248da1d1 (AU3 script)\r\n6c8e82b582f55a03277427e757331e5aa53dcf6656785dcb44f2958ef5516863 (DarkGate)\r\nSource: https://www.sonicwall.com/blog/disarming-darkgate-a-deep-dive-into-thwarting-the-latest-darkgate-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.sonicwall.com/blog/disarming-darkgate-a-deep-dive-into-thwarting-the-latest-darkgate-variant"
	],
	"report_names": [
		"disarming-darkgate-a-deep-dive-into-thwarting-the-latest-darkgate-variant"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb0254ff1c390224aa301014a0fbdbe3b7dc3958.pdf",
		"text": "https://archive.orkl.eu/bb0254ff1c390224aa301014a0fbdbe3b7dc3958.txt",
		"img": "https://archive.orkl.eu/bb0254ff1c390224aa301014a0fbdbe3b7dc3958.jpg"
	}
}