{
	"id": "23e9d967-292a-46ea-ba12-5210ee45deaf",
	"created_at": "2026-04-06T00:21:41.472744Z",
	"updated_at": "2026-04-10T13:12:28.428105Z",
	"deleted_at": null,
	"sha1_hash": "cdfcc88b1d13f5e11927f1f3f5e15956e515426b",
	"title": "Title: DarkGate Loader delivered via Teams - Truesec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93351,
	"plain_text": "Title: DarkGate Loader delivered via Teams - Truesec\r\nBy siteadmin\r\nPublished: 2023-09-06 · Archived: 2026-04-05 14:53:17 UTC\r\nDarkGate Loader Malware Delivered via Microsoft Teams\r\nMalspam campaigns involving DarkGate Loader have been on the rise since its author started advertising it as a Malware-as-a-Service offering on popular cybercrime forums in June 2023. Until now, DarkGate Loader had been seen delivered via traditional email malspam campaigns similar to those of Emotet. In August, an operator started using Microsoft Teams to deliver the malware via HR-themed social engineering chat messages.\r\nInvestigating the Senders\r\nUsing Microsoft Purview’s eDiscovery tool, we searched for the senders (participants) in Microsoft Teams.\r\nThe senders of the external Microsoft Teams chat messages were identified as “Akkaravit Tattamanas” (63090101@my.buu.ac.th) and “ABNER DAVID RIVERA ROJAS” (adriverar@unadvirtual.edu.co). Truesec Threat Intelligence confirmed the accounts were compromised via an unknown malware and put up for sale on the Dark Web in August 2023.\r\nUsing AADInternals’ OSINT tool, we could gather more information on the O365 tenant to which the accounts belong and use the listed domains to search for additional messages.\r\nFigure 1: Screenshot from AADInternals’ OSINT tool with the sender’s O365 tenant details.\r\nHR-Themed Social Engineering Lure\r\nBoth senders had an identical-sounding message with a link to an externally hosted file, “Changes to the vacation schedule.zip” (hosted on the senders’ SharePoint sites).\r\nFigure 2: Screenshot of one of the MS Teams chat messages.\r\nThe SharePoint URLs hosting the remote attachment can be seen in the figure below.\r\nFigure 3: URLs to the SharePoint sites hosting the remote ZIP file.\r\nDownloading the Malware\r\nhttps://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams\r\nPage 1 of 4\n\nClicking the URL would take the victim to the SharePoint sites where the file “Changes to the vacation schedule.zip” could be downloaded.\r\nFigure 4: Screenshot of a SharePoint site hosting the file “Changes to the vacation schedule.zip.”\r\nThe file was later identified by Microsoft Defender as malware “BAT/Tisifi.A#”.\r\nFigure 5: Screenshot of MS Defender detecting the file as malicious.\r\nAnalyzing the Malicious Files\r\nUsing a combination of static and dynamic malware analysis, our goal was to identify the final payload delivered in the campaign.\r\nThe ZIP file contains a malicious LNK file (shortcut) posing as a PDF document: “Changes to the vacation schedule.pdf.lnk.”\r\nFigure 6: Screenshot of the extracted LNK file as shown in File Explorer.\r\nUsing Eric Zimmerman’s “LECmd.exe” to analyze the malicious LNK file, we can extract the command line it would execute upon opening.\r\nFigure 7: Screenshot of the command executed after opening the LNK file.\r\nThe execution of the VBScript file C:tgphasrxmp.vbs triggers the download and execution of the file hXXp://5[.]188[.]87[.]58:2351/wbzadczl.\r\nFigure 8: Wireshark trace of the VBScript file download.\r\nThe commands make use of a Windows version of cURL (renamed to wbza) to download and execute Autoit3.exe and the bundled script eszexz.au3. The compiled AutoIT script is embedded in the middle of the file and can be located by searching for the magic bytes 0x4155332145413036 (AU3!EA06).\r\nFigure 9: Screenshot of the bundled AutoIT script file.\r\nUpon executing the script, AutoIT drops a new file that contains shellcode and, before executing it, checks whether Sophos antivirus is installed.\r\nFigure 10: The deobfuscated AutoIT script showing a check for Sophos antivirus.\r\nIf Sophos is not installed, additional code in the AutoIT script is deobfuscated to launch the shellcode.\r\nFigure 11: Screenshot of AutoIT shellcode execution.\r\nWhen the shellcode is run, the first thing it does is build a new file in memory byte by byte, a technique called stacked strings. It can be seen in the figure below that the first bytes of the created file are 0x4d and 0x5a (“MZ”), which indicates a Windows executable.\r\nFigure 12: Screenshot from Ghidra showing the shellcode’s use of stacked strings to load a new Windows executable.\r\nThe payload could then be extracted from memory and analyzed with PE Studio from www.winitor.com:\r\nFigure 13: Screenshot from PE Studio showing technical details about the payload.\r\nThe payload was identified as “DarkGateLoader” on VirusTotal. After identifying the malware, we found an excellent writeup from Deutsche Telekom CERT and used their config extractor on the AutoIT script file “eszexz.au3” to extract the DarkGate malware’s configuration:\r\nFigure 14: Configuration extracted from the DarkGate malware.\r\nFurther reading on the DarkGate Loader and DarkGate malware capabilities:\r\nhttps://github.security.telekom.com/2023/08/darkgate-loader.html\r\nhttps://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/\r\nRecommendations\r\nThis attack was detected thanks to the security awareness training of the recipients. Unfortunately, current Microsoft Teams security features such as Safe Attachments or Safe Links were not able to detect or block this attack. Right now, the only way to prevent this attack vector within Microsoft Teams is to allow Microsoft Teams chat requests only from specific external domains, although this might have business implications since every trusted external domain needs to be whitelisted by an IT administrator.\r\nMore on how these settings can be activated and used can be found here:\r\nhttps://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings\r\nIndicators of Compromise\r\nFilename | SHA256 Hash\r\nChanges to the vacation schedule.zip | 0c59f568da43731e3212b6461978e960644be386212cc448a715dbf3f489d758\r\nChanges to the vacation schedule.pdf.lnk | bcd449470626f4f34a15be00812f850c5e032723e35776fb4b9be6c7be6c8913\r\nc:tgphasrxpm.vbs | 4c21711de81bb5584d35e744394eed2f36fef0d93474dfc5685665a9e159eef1\r\nc:wbzaeszexz.au3 | 1bcde4d4613f046b63e970aa10ea2662d8aa7d326857128b59cb88484cce9a2d\r\nA similar file with the same filename, “Changes to the vacation schedule.zip,” and behavior (but with a different hash) is available on VirusTotal:\r\nhttps://www.virustotal.com/gui/file/09904d65e59f3fbbbf38932ae7bff9681ac73b0e30b8651ec567f7032a94234f\r\nURLs\r\nhXXps://burapha-my[.]sharepoint[.]com/:u:/g/personal/63090101_my_buu_ac_th/EWkB0l3nR4dCjDmwAe7jb7kBWPPkDObt8wVbmB1O6UztmA\r\nhXXps://unadvirtualedu-my[.]sharepoint[.]com/personal/adriverar_unadvirtual_edu_co/Documents/Microsoft%20Teams%20Chat%20Files/Changes%20to%20the%20vacati\r\nhXXp://5[.]188[.]87[.]58:2351/wbzadczl\r\nhXXp://5[.]188[.]87[.]58:2351/msiwbzadczl\r\nCommand \u0026 Control Server\r\nhXXp://5[.]188[.]87[.]58:2351\r\nCompromised Email Addresses\r\n63090101@my.buu.ac.th\r\nadriverar@unadvirtual.edu.co\r\nSource: https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams"
	],
	"report_names": [
		"darkgate-loader-delivered-via-teams"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434901,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdfcc88b1d13f5e11927f1f3f5e15956e515426b.pdf",
		"text": "https://archive.orkl.eu/cdfcc88b1d13f5e11927f1f3f5e15956e515426b.txt",
		"img": "https://archive.orkl.eu/cdfcc88b1d13f5e11927f1f3f5e15956e515426b.jpg"
	}
}