{
	"id": "b01b5ba9-cacd-4af5-b6c6-6dabcf57f8a8",
	"created_at": "2026-04-06T00:18:52.675382Z",
	"updated_at": "2026-04-10T13:12:42.93764Z",
	"deleted_at": null,
	"sha1_hash": "c15024d0f774840f819998f9002e464b77d74b05",
	"title": "DarkGate: From AutoIT to Shellcode Execution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 400311,
	"plain_text": "DarkGate: From AutoIT to Shellcode Execution\r\nBy VMRay Labs\r\nPublished: 2024-01-05 · Archived: 2026-04-05 23:18:56 UTC\r\nOverview\r\nThe DarkGate malware family is known for its variety of features, including the download and execution of malicious payloads, information stealing and keylogging abilities, as well as employing multiple evasion techniques. It is being sold as a service to cybercriminals and has been active since at least 2018, but only recently gained in popularity after the Qakbot infrastructure was taken down by law enforcement. What stands out is its rather complex delivery methods and multitude of evasion tactics to avoid detection, one of which is the abuse of AutoIt scripts to execute native code and not just commands.\r\nAutoIt, commonly used to automate tasks within the Windows environment, such as simulating mouse clicks or keystrokes on the GUI, is abused by DarkGate to execute malicious shellcode. This technique attempts to let the malware operate under the radar by betting on static analysis tools’ inability to parse compiled and obfuscated AutoIt scripts.\r\nRecently, we have taken an in-depth look into the DarkGate malware family to gain insights into its inner workings as well as to improve detection and configuration extraction. In this blog post, we want to specifically highlight the interesting way by which DarkGate accomplishes executing malicious native code via AutoIt scripts.\r\nInfection chain of DarkGate\r\nhttps://www.vmray.com/cyber-security-blog/darkgate-from-autoit-to-shellcode-execution/\r\nPage 1 of 8\n\nDarkGate’s infection chain can start with a multitude of file types, including DLLs, JScript, VBScript, EXE and MSI files (see Figure 1 for a common delivery chain).\r\nThis visualization highlights the journey from the initial delivery file to the subsequent stages. It progresses through the AutoIt interpreter to the execution of shellcode, ending in the execution of the actual DarkGate Loader.\r\nDarkGate Using AutoIt Scripts\r\nThe choice of AutoIt by DarkGate’s developers is strategic: our investigations reveal that the malware often employs compiled and protected AutoIt scripts, which are additionally obfuscated to further cloak their malicious intent. This level of protection makes it challenging for researchers and static analysis tools alike to dissect and understand the malware’s inner workings.\r\nBy utilizing tools such as myAut2Exe or Binary Refinery, we can extract the original source code from these obfuscated scripts. This process, albeit requiring some clean-up, does produce readable source code for our manual reverse engineering purposes. The deobfuscated code in Figure 3 provides us with a pivotal insight into DarkGate’s operation: the malware utilizes specific Windows API functions, notably EnumWindows, but in other samples we have also seen a call to CallWindowProc.\r\nDarkGate’s Shellcode Execution\r\nThe aforementioned API functions, while typically used for legitimate purposes, are repurposed by DarkGate to execute its malicious payload.\r\nCallWindowProc is typically used for customizing actions in a Windows GUI, like modifying button functionality. However, DarkGate calls this function while pointing the first parameter, lpPrevWndFunc, to its shellcode. In effect, Windows then executes the malicious shellcode as if it were a window procedure. This seems to be a known workaround to execute native code via AutoIt scripts at least since 2008.\r\nIn some variants of DarkGate, EnumWindows is abused instead, which is a legitimate API for enumerating top-level windows. This function is designed to execute a specified callback function for each window, but DarkGate sets the callback function address to its shellcode location. Given that there’s almost always at least one open window, this ensures the execution of the malicious shellcode at least once.\r\nAny callback-based Windows API function could potentially be abused in a similar way, but specifically executing native code via EnumWindows in AutoIt seems to be new and unique to DarkGate as far as we are aware. While all of this may be hard for static analysis tools to extract, behavior-based analysis allows one to capture this in action. Our execution logs (see Figure 4) clearly show the runtime execution of EnumWindows and the following call to LoadLibraryA executed by the shellcode.\r\nVariants of DarkGate\r\nTo investigate this further, we have manually selected multiple DarkGate samples dating back to its initial version in 2018. Through manual clustering based on code similarities, we’ve identified four distinct variants:\r\n1. First Variant: This variant embeds the payload within the compiled AutoIt script, encrypted using XOR and surrounded by the “padoru” keyword. It specifically checks for the presence of Sophos antivirus software, leverages the VirtualProtect call to make the shellcode memory region executable and uses the CallWindowProc API to execute the shellcode.\r\n2. Second Variant: Here, the payload is scattered throughout the AutoIt source code as hex codes, which are put together at runtime. This variant switches its strategy to abuse the EnumWindows API instead of CallWindowProc.\r\n3. Third Variant: This is similar to the others but with a key difference: it checks if it is running with SYSTEM privileges.\r\n4. Fourth Variant: This one is from 2018 and has much less complexity, as it contains no obfuscation. It creates a shortcut (LNK) to the AU3 file placed in the startup directory and reads the shellcode from a previously dropped ‘shell.txt’ file. Like the first variant, it also abuses CallWindowProc.\r\nWe have also noticed that there are differences in how the shellcode was implemented, which we will briefly look into next.\r\nPayloads in DarkGate\r\nThe payloads in DarkGate’s various samples typically follow a similar mechanism, primarily focusing on loading the next stage of the malware, which is often tasked with downloading the final DarkGate malware.\r\nOne notable technique observed in these payloads is the byte-by-byte construction of the code using the mov instruction, a method likely adopted to evade detection by scanning tools before runtime extraction (see Figure 5).\r\nAdditionally, some payloads exhibit a deliberate pattern of jumping around the code (see Figure 6).\r\nThis complexity is designed to hinder manual analysis, making it more challenging to dissect and understand the malware’s functionality and intent. For dynamic, behavior-based analysis solutions such as VMRay’s Platform, none of these obfuscation attempts can hide the malicious actions taken by the sample.\r\nIn particular, while such intricacies in the payloads underscore the stealth and sophistication embedded in DarkGate’s design, our dynamic approach reveals the executed functions in the function log just the same, regardless of any obfuscation attempts such as jumping around, calling native functions via AutoIt scripts or employing multi-stage payloads spread over different memory regions.\r\nConclusion\r\nDespite DarkGate’s extensive obfuscation efforts, dynamic, behavior-based analysis proves to be a helpful tool in identifying and understanding this malware. By not solely relying on static analysis, it’s possible to trace the entire code execution journey – from initial infection, through the AutoIt3 interpreter stage, to the injection, and finally to the actual DarkGate malware, culminating in the extraction of its configuration.\r\nThis case study highlights the lengths to which attackers will go, continually exploring obscure methods to deliver their malware and challenge existing security solutions.\r\nReferences\r\nhttps://www.autoitscript.com/forum/topic/60890-executing-raw-machine-code/\r\nhttps://github.security.telekom.com/2023/08/darkgate-loader.html\r\nhttps://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/\r\nhttps://lordt.mk/p/darkgate-vbs-autoit/\r\nhttps://www.trellix.com/about/newsroom/stories/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/\r\nIOCs\r\nHashes:\r\n754d7afb2c3454d86ded95668c74c119c5ec4465\r\n18f49619d69b057e81163bdf08eab5f355ce662c\r\n5629b3684d406e431c6f41c5df56455c3b944c41\r\n47718e8df5e7a0d0b2c74f10696ca50cf6e1e0b9\r\nbb0f4a60bbd8256e42f57d8b0b1269f2ec855428\r\neabcef1e27b7452c74acfa0f201e9a937b0dee6d\r\nc46e52b896bf3b53a6878d2b2386a9dc40377f19\r\n29b6a8ae869cdc1a95bae83dd97874e5efa79613\r\nd25e55d1eed18e55557ee9da7d195748dd2814f0\r\n2e0d4798c12a7d71ad45a621dddb750bae0cd23b\r\nedc5d0dc190dcd0e031e2c5b43026fd3a61caed0\r\nc90d572f7f160dd8a3ae6e825eeb2a9d6628cef5\r\n0d47cbd6d19a17a57077cbc0d0aa659865458672\r\nf68cc52f19c11d07d72118e71919df20ffabe9f2\r\nURLs:\r\nhxxp://adhufdauifadhj13[.]com:2351\r\nhxxp://sftp.bitepieces[.]com:443\r\nhxxp://sftp.noheroway[.]com:443\r\nhxxp://saintelzearlava[.]com:80\r\nhxxp://trans1ategooglecom[.]com:80\r\nhxxp://sanibroadbandcommunicton[.]duckdns[.]org:5864\r\nhxxp://faststroygo[.]com\r\nSource: https://www.vmray.com/cyber-security-blog/darkgate-from-autoit-to-shellcode-execution/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.vmray.com/cyber-security-blog/darkgate-from-autoit-to-shellcode-execution/"
	],
	"report_names": [
		"darkgate-from-autoit-to-shellcode-execution"
	],
	"threat_actors": [],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c15024d0f774840f819998f9002e464b77d74b05.pdf",
		"text": "https://archive.orkl.eu/c15024d0f774840f819998f9002e464b77d74b05.txt",
		"img": "https://archive.orkl.eu/c15024d0f774840f819998f9002e464b77d74b05.jpg"
	}
}