{
	"id": "c9ecebca-b7f3-40af-9c8c-4bf5a8eee0b3",
	"created_at": "2026-04-06T00:22:31.100307Z",
	"updated_at": "2026-04-10T03:24:29.467462Z",
	"deleted_at": null,
	"sha1_hash": "e6823e65a8c3259b765b9faa581e6110d83dab4a",
	"title": "Dark Comet 2: Electric Boogaloo | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 756362,
	"plain_text": "Dark Comet 2: Electric Boogaloo | Malwarebytes Labs\r\nBy Adam Kujawa\r\nPublished: 2012-10-04 · Archived: 2026-04-05 16:33:35 UTC\r\nOver the past few weeks Jean-Pierre Lesueur, A.K.A. DarkCoderSc, has been developing a new version of the Dark Comet Remote Administration Tool which he is calling “Dark Comet Legacy.” This newer version of the tool includes numerous features that make it more user-friendly and appear more legitimate. In addition, DarkCoderSc continues to include notices and required agreements that advise against using his tool for malicious purposes. He also mentions that if it IS used for evil, he is not liable for any damages done. In this blog we will look at this new version of DC, at how earlier versions were used in the past, and at whether you should be concerned by this new version.\r\nDark Comet’s Past\r\nIf you have kept up with my blogs, you know that I have mentioned Dark Comet numerous times. These blog posts talk about the previous version of Dark Comet, which included a server binary creator that could be used to infect a system without the user ever knowing about it. Other blogs mentioned how it was used as an espionage tool in the conflicts in Syria, and how DarkCoderSc announced the retirement of Dark Comet because of its use as a malicious tool.\r\nYou Dirty RAT! Part 1 – DarkComet\r\nBlackShades in Syria\r\nBlackShades Co-Creator Arrested!\r\nIn addition to its political past, Dark Comet was mostly used to steal information and spy on unsuspecting users by both amateur and professional cyber criminals. Throughout its entire past, though, DarkCoderSc continued to discourage malicious use of the tool, which he provided free of charge.\r\nDark Comet Legacy\r\nAs mentioned in the introduction, DarkCoderSc has released a new version of Dark Comet known as Dark Comet: Legacy. This new version is designed much more like legitimate software, to be used by the average computer user.\r\nhttps://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/\r\nPage 1 of 5\r\nThe Dark Comet Legacy Viewer Interface\r\nOne of the more user-friendly features is the brand new installers included with both the RAT controller/client and the server module. The average user can just double-click the installers, install the software and find the controller application in the Start Menu. As for the server module, the traditional installer approach makes it harder for a novice attacker to hide the installation; the previous version of Dark Comet could be installed simply by executing the binary.\r\nDark Comet Legacy Module Installer Screen\r\nIn addition, the server module includes a GUI that makes it easy for the user to configure a callback address on the fly rather than needing to recreate another binary with new instructions. The use of the GUI also makes it more difficult to hide the use of the server module from an unsuspecting user who might have had their system compromised via physical means or otherwise.\r\nDark Comet Legacy Server Module GUI\r\nDark Comet Legacy includes all the same functionality as the original Dark Comet, with the exception of the “Fun Functions,” making it less of a tool to pull pranks on people with and more of a legitimate system-monitoring tool. You could compare Dark Comet Legacy to other legitimate system-monitoring tools like TeamViewer; in addition, it has numerous uses for keeping your information and your family safe.\r\nIt might be used to:\r\nKeep an eye on your kids\r\nAccess your system remotely in case of being locked out\r\nRemotely control systems on a private network\r\nHave access to key-logging and webcam monitoring to know who might be using your system if it is stolen.\r\nIs it still a threat?\r\nWhile there are numerous legitimate system-monitoring purposes for Dark Comet Legacy, it is in no way considered “Not a threat.” In fact, if you were to find the server module running on your system, you should consider yourself compromised. Numerous anti-malware and antivirus products will agree that Dark Comet Legacy can still be used for malicious purposes, if not because of its functionality then because of the ease with which DarkCoderSc’s good intentions can be undermined. I will go over a few of the ways in which DC Legacy can be used in the same fashion as the original DC a little later and show why it is necessary (at least for now) to detect this tool as malware. DarkCoderSc and his company Phrozensoft acknowledge this fact and advise disabling anti-malware/antivirus applications when using DC Legacy.\r\nPossible Infection Scenarios\r\nNow that we have described what Dark Comet Legacy is capable of, how it can be used legitimately, and the reasons why it would be difficult for amateur cyber criminals to use it to steal personal information or more, we will look into how this tool can be used maliciously just as the original Dark Comet was.\r\nMasked as a legitimate application\r\nThis method is commonly associated with rogue AV products that claim to detect malicious software on an otherwise clean system and, when installed, infect the system with further malware. An attacker might target novice computer users, telling them that DC Legacy is actually a tool that can help them remove malware or make their systems run faster. This method requires a great deal of social engineering: the attacker has to convince a novice to install the malware themselves.\r\nInstalled along with other software\r\nThis method is often found in the installers bundled with legitimate software on shady download sites. Usually, these installers add toolbars or spyware to the system executing them. In this case, such an installer could easily start the DC Legacy installation, presenting it as a tool necessary for the intended application to work correctly.\r\nCould be manually installed by other malware\r\nThe installation of malware by other malware is nothing new; it is possible for one piece of malware to install DC Legacy by modifying the registry settings, saving the files and doing everything else the installer does for the user, automatically. I can personally see this method being used frequently by cyber criminals attempting to spread malware.\r\nConclusion\r\nDarkCoderSc created the original Dark Comet with good intentions, although it was abused by cyber criminals to steal personal information, spy on unsuspecting users and serve their own nefarious purposes without the user ever knowing. Dark Comet Legacy may follow the same path as its predecessor: created with an even more legitimate purpose in mind, yet easily modified and molded for malicious use. Check out the reasons behind the re-birth of Dark Comet on the Phrozensoft blog:\r\nDarkComet RAT Legacy\r\nThe DC family is not the only set of tools created for legitimate purposes and then abused by cyber criminals; tools like Netcat, NetBus and even a telnet terminal can easily be used for malicious purposes and are therefore often grouped into the malware or hacker-tool category. Such a tool, short of full-blown malware, is often developed to make things easier or to give the user more power and control than they had before; some are created for educational purposes and some for administration. However, at the end of the day, it is the intention of the tool’s user that determines whether it is used for evil, and if the possibility exists that a tool might be abused to cause harm to other users, companies like Malwarebytes and others have no choice but to protect their customers from harm.\r\nAbout the author\r\nOver 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/"
	],
	"report_names": [
		"dark-comet-2-electric-boogaloo"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434951,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6823e65a8c3259b765b9faa581e6110d83dab4a.pdf",
		"text": "https://archive.orkl.eu/e6823e65a8c3259b765b9faa581e6110d83dab4a.txt",
		"img": "https://archive.orkl.eu/e6823e65a8c3259b765b9faa581e6110d83dab4a.jpg"
	}
}