{
	"id": "4beae896-927c-4e86-8f01-53bb5c5de4be",
	"created_at": "2026-04-06T00:22:12.273716Z",
	"updated_at": "2026-04-10T13:12:03.863495Z",
	"deleted_at": null,
	"sha1_hash": "e1a281f2700f588511f3d3d5274ae795350cdad8",
	"title": "DarkRAT Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3807625,
	"plain_text": "DarkRAT Malware\r\nBy Tomas Meskauskas\r\nPublished: 2025-06-06 · Archived: 2026-04-05 13:49:06 UTC\r\nWhat is DarkRAT?\r\nDarkRAT is one of many remote access tools (RATs) used to control connected computers remotely.\r\nUnfortunately, in many cases, cyber criminals trick people into installing RATs onto their systems and then use\r\nthem to steal personal details, infect systems with malware, and cause other damage.\r\nIf your system is infected with this RAT, we strongly recommend that you uninstall it immediately.\r\nOne DarkRAT feature prevents users from killing its process. Therefore, it cannot be disabled and will run in the\r\nsystem background. Cyber criminals can then use its features when they wish. Additionally, it can prevent victims\r\nfrom removing it from the list of startup items. I.e., it can then launch itself at each startup automatically.\r\nFurthermore, DarkRAT can be used to download and execute various files onto the victim's computer. Typically,\r\ncyber criminals download and execute malicious files that infect the system with malware. For example,\r\nransomware, which encrypts files and prevents victims from accessing them.\r\nhttps://www.pcrisk.com/removal-guides/15893-darkrat-malware\r\nPage 1 of 16\n\nTypically, the only way to decrypt data is to purchase decryption software and/or keys from the cyber criminals\r\nwho designed the ransomware. Note that ransomware is not the only malware that can be installed through\r\nDarkRAT. This remote access tool is also capable of updating itself.\r\nAs soon as a newer version is released, it starts to update itself. 
Furthermore, cyber criminals can remotely load\r\ncustom DLL files onto the victim's computer and change the behaviour of the operating system or installed programs.\r\nThey can also use it to check which anti-virus software is installed on the operating system and then adapt in order to avoid\r\ndetection.\r\nThreat Summary:\r\nName: DarkRAT remote access trojan\r\nThreat Type: Remote Access Trojan.\r\nDetection Names: Avast (Win32:Trojan-gen), BitDefender (Gen:Trojan.Heur.RP.zuW@ai1tMtli), ESET-NOD32 (A Variant Of Win32/DarkRAT.A), McAfee (RDN/Generic.grp), Full List (VirusTotal)\r\nMalicious Process Name(s): fZYeMMBDUj.exe (it can also run a malicious process under a different name).\r\nPayload: DarkRAT can be used to download and install various malware, including ransomware.\r\nSymptoms: Trojans are designed to stealthily infiltrate the victim's computer and remain silent, so no particular symptoms are clearly visible on an infected machine.\r\nDistribution methods: Infected email attachments, malicious online advertisements, social engineering, software 'cracks'.\r\nDamage: Stolen banking information, passwords, identity theft, victim's computer added to a botnet.\r\nMalware Removal (Windows): To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.\r\nTo use the full-featured product, you have to purchase a license for Combo Cleaner. A 7-day free trial is available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.\r\nWSH, InnfiRAT, and Gh0st are just a few examples of other RATs that cyber criminals use to control users'\r\ncomputers remotely. Their aim is to steal personal details (logins, passwords of various accounts), install\r\nadditional malware, and perform other actions.
Being tricked into installing software of this type can lead to\r\nserious problems.\r\nHow did DarkRAT infiltrate my computer?\r\nCriminals use various ways to trick people into installing RATs, malware, and other unwanted software. They send\r\nemails that contain malicious attachments including Microsoft Office documents, PDFs, executables such as .exe,\r\narchives (ZIP, RAR, and other files), JavaScript, and other files that, if opened, cause installation of malicious\r\nsoftware.\r\nAnother way to achieve this is by first infecting computers with Trojans. Once installed, they cause chain\r\ninfections and install additional malware. Furthermore, fake software updaters can lead to unwanted downloads\r\nand installations. If used, they can install malicious software rather than updating installed programs, or they\r\nexploit bugs/flaws in outdated programs.\r\nUntrustworthy software download sources such as freeware download websites, free file hosting websites, Peer-to-Peer networks (torrents, eMule etc.), and various third-party downloaders are used to disguise malicious files\r\nas legitimate. When people open files downloaded from these sources, they often install malware inadvertently.\r\nMalware is also spread through unofficial software activation tools. These programs supposedly activate licensed\r\n(paid) software free of charge; however, the tools are often designed to proliferate malicious programs (people\r\nwho use them risk installation of malware).\r\nHow to avoid installation of malware\r\nDo not open web links or files that are attached to irrelevant emails, especially if the emails are received from\r\nunknown, suspicious addresses. If there is reason to believe that an email is suspicious, the best option is to leave\r\nincluded links or files unopened.\r\nFurthermore, download software only from official, trustworthy websites.
All channels mentioned above\r\nshould not be trusted. All installed software must be updated through tools or functions provided by the\r\nofficial developers. Licensed/paid programs should not be activated using unofficial ('cracking') tools.\r\nThis is illegal and often leads to installation of malware. Keep computers safe by having reputable anti-spyware or\r\nanti-virus software installed. Scan systems regularly. If you believe that your computer is already infected, we\r\nrecommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated\r\nmalware.\r\nDarkRAT administration panel:\r\nMalicious DarkRAT process in Task Manager (\"fZYeMMBDUj.exe\"):\r\nInstant automatic malware removal:\r\nManual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo\r\nCleaner is a professional automatic malware removal tool that is recommended to get rid of malware.\r\nBy downloading any software listed on this website you agree to our Privacy Policy and Terms of Use.\r\nHow to remove malware manually?\r\nManual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to\r\ndo this automatically.
To remove this malware we recommend using Combo Cleaner Antivirus for Windows.\r\nIf you wish to remove malware manually, the first step is to identify the name of the malware that you are trying\r\nto remove. Here is an example of a suspicious program running on a user's computer:\r\nIf you checked the list of programs running on your computer, for example, using Task Manager, and identified a\r\nprogram that looks suspicious, you should continue with these steps:\r\nDownload a program called Autoruns (from Microsoft Sysinternals). This program shows auto-start applications, Registry, and file\r\nsystem locations:\r\nRestart your computer into Safe Mode:\r\nWindows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click\r\nRestart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you\r\nsee the Windows Advanced Options menu, and then select Safe Mode with Networking from the list.\r\nWindows 8 users: Start Windows 8 in Safe Mode with Networking - Go to the Windows 8 Start Screen, type\r\nAdvanced, in the search results select Settings. Click Advanced startup options, in the opened \"General PC\r\nSettings\" window, select Advanced startup.\r\nClick the \"Restart now\" button. Your computer will now restart into the \"Advanced Startup options menu\". Click\r\nthe \"Troubleshoot\" button, and then click the \"Advanced options\" button. In the advanced options screen, click\r\n\"Startup settings\".\r\nClick the \"Restart\" button. Your PC will restart into the Startup Settings screen.
Press F5 to boot in Safe Mode\r\nwith Networking.\r\nWindows 10 users: Click the Windows logo and select the Power icon. In the opened menu click \"Restart\" while\r\nholding the \"Shift\" key on your keyboard. In the \"Choose an option\" window click \"Troubleshoot\", then\r\nselect \"Advanced options\".\r\nIn the advanced options menu select \"Startup Settings\" and click the \"Restart\" button. In the following window\r\npress the \"F5\" key on your keyboard. This will restart your operating system in Safe Mode with\r\nNetworking.\r\nExtract the downloaded archive and run the Autoruns.exe file.\r\nIn the Autoruns application, click \"Options\" at the top and uncheck the \"Hide Empty Locations\" and \"Hide\r\nWindows Entries\" options. After this procedure, click the \"Refresh\" icon.\r\nCheck the list provided by the Autoruns application and locate the malware file that you want to\r\neliminate.\r\nYou should write down its full path and name. Note that some malware hides process names under legitimate\r\nWindows process names, so compare the full path against the location you would expect for that name and check whether the file carries a valid digital signature before deleting anything. At this stage, it is very important to avoid removing system files.
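The identification, Autoruns, file-search and removal steps of this section, worked as one PowerShell triage script. This is an added example and not PCRisk's own tooling: it looks up the process by the name the guide reports, records its full path, SHA-256 and signature status, warns if it lives under the Windows directory, lists its TCP connections, enumerates the common Run/RunOnce keys, Startup folders, scheduled tasks and services that reference the same binary, searches the system drive for the file name (hidden files included), and only when run with -Remove deletes that persistence, stops the process and moves the files into a quarantine folder. Run it elevated, ideally in Safe Mode with Networking as described above. The process name and the quarantine path are parameters with assumed defaults, and the registry key list is an assumption (Autoruns checks many more locations).

```powershell
# Added example for this guide (not PCRisk's own tooling): triage and, with
# -Remove, clean up a suspected RAT binary by process name. Run elevated,
# ideally in Safe Mode with Networking as described above.
# Assumptions: the default name is the one the guide reports; the registry
# keys below are only the common Run/RunOnce locations (Autoruns checks more).
param(
    [string]$ProcessName = 'fZYeMMBDUj.exe',
    [string]$Quarantine  = 'C:\\Quarantine',   # assumed location, change as needed
    [switch]$Remove
)

$base  = [IO.Path]::GetFileNameWithoutExtension($ProcessName)
$match = [regex]::Escape($base)
$meta  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. The Task Manager step: find the process, record path, hash and signer.
$procs = @(Get-CimInstance Win32_Process | Where-Object { $_.Name -ieq $ProcessName })
$paths = @()
foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) { continue }
    $paths += $path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
    Write-Output ('PID {0}  path={1}  sha256={2}  signature={3}' -f $p.ProcessId, $path, $hash, $sig)
    if ($path -like ($env:windir + '\\*')) {
        Write-Warning 'Binary lives under the Windows directory; confirm it is not a system file'
    }
    # Established outbound connections from an unknown binary point at C2.
    foreach ($c in @(Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue)) {
        Write-Output ('  conn {0}:{1} -> {2}:{3} {4}' -f $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort, $c.State)
    }
}

# 2. The Autoruns step: persistence that references the binary.
$regHits = @()
foreach ($key in @('HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
                   'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
                   'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
                   'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce')) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $prop.Name) { continue }   # provider metadata, not a value
        if (([string]$prop.Value) -match $match) {
            Write-Output ('autorun {0} : {1} = {2}' -f $key, $prop.Name, $prop.Value)
            $regHits += [pscustomobject]@{ Key = $key; Name = $prop.Name }
        }
    }
}
$startupHits = @()
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($f in @(Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue | Where-Object { $_.Name -match $match })) {
        Write-Output ('startup item ' + $f.FullName)
        $startupHits += $f.FullName
    }
}
$tasks = @(Get-ScheduledTask | Where-Object {
    @($_.Actions | ForEach-Object { [string]$_.Execute + ' ' + [string]$_.Arguments }) -match $match })
foreach ($t in $tasks) { Write-Output ('task ' + $t.TaskPath + $t.TaskName) }
$svcs = @(Get-CimInstance Win32_Service | Where-Object { [string]$_.PathName -match $match })
foreach ($s in $svcs) { Write-Output ('service ' + $s.Name + ' = ' + $s.PathName) }

# 3. The file-search step: whole system drive, hidden files included via -Force.
$diskHits = @(Get-ChildItem -Path (Join-Path $env:SystemDrive '\\') -Recurse -Force -File -Filter $ProcessName -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })
foreach ($d in $diskHits) { Write-Output ('on disk ' + $d) }

if (-not $Remove) {
    Write-Output 'Dry run only. Re-run with -Remove once you are sure the path is not a Windows system file.'
    return
}

# 4. Removal: persistence first (so nothing relaunches it), then the process, then quarantine.
foreach ($h in $regHits) { Remove-ItemProperty -Path $h.Key -Name $h.Name }
foreach ($t in $tasks)   { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }
foreach ($s in $svcs)    { Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue; sc.exe delete $s.Name | Out-Null }
foreach ($p in $procs)   { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
foreach ($f in @($paths + $startupHits + $diskHits | Select-Object -Unique)) {
    if (Test-Path $f) { Move-Item -Path $f -Destination (Join-Path $Quarantine ([IO.Path]::GetFileName($f) + '.bin')) -Force }
}
Write-Output 'Persistence removed and files quarantined; reboot normally and rescan.'
```

Run it once without -Remove and read the output: an unsigned binary in a user-writable folder with an established connection to an unknown remote address and a Run-key entry is the profile this guide describes, whereas a signed file under the Windows directory is the case the text warns you not to delete. The full-drive search in step 3 can take several minutes; the files are renamed with a .bin suffix in quarantine rather than deleted so they can still be submitted to VirusTotal or restored if the identification turns out to be wrong.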
After you locate the\r\nsuspicious program you wish to remove, right-click its name and choose \"Delete\".\r\nAfter removing the malware through the Autoruns application (this ensures that the malware will not run\r\nautomatically on the next system startup), you should search for the malware name on your computer. Be sure to\r\nenable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.\r\nReboot your computer in normal mode. Following these steps should remove the malware from your computer.\r\nNote that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware\r\nremoval to antivirus and anti-malware programs.\r\nThese steps might not work with advanced malware infections. Because a RAT gives its operators full remote control of the machine, treat any passwords entered on it as compromised and change them once the system is clean. As always, it is better to prevent infection than to try to\r\nremove malware later. To keep your computer safe, install the latest operating system updates and use antivirus\r\nsoftware. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner\r\nAntivirus for Windows.\r\nSource: https://www.pcrisk.com/removal-guides/15893-darkrat-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.pcrisk.com/removal-guides/15893-darkrat-malware"
	],
	"report_names": [
		"15893-darkrat-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434932,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1a281f2700f588511f3d3d5274ae795350cdad8.pdf",
		"text": "https://archive.orkl.eu/e1a281f2700f588511f3d3d5274ae795350cdad8.txt",
		"img": "https://archive.orkl.eu/e1a281f2700f588511f3d3d5274ae795350cdad8.jpg"
	}
}