{
	"id": "e5f364d0-28d0-4116-80cf-ee2daae7c9ef",
	"created_at": "2026-04-06T00:12:14.86024Z",
	"updated_at": "2026-04-10T13:12:29.266732Z",
	"deleted_at": null,
	"sha1_hash": "e7c37d98a454c78bf8f1bd1757452eed0f526deb",
	"title": "DarkGate switches up its tactics with new payload, email templates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2233416,
	"plain_text": "DarkGate switches up its tactics with new payload, email templates\r\nBy Cisco Talos\r\nPublished: 2024-06-05 · Archived: 2026-04-05 21:28:40 UTC\r\nWednesday, June 5, 2024 08:00\r\nThis post was authored by Kalpesh Mantri. \r\nCisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a\r\nsuspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate\r\nmalware. \r\nThese campaigns, active since the second week of March, leverage tactics, techniques, and procedures\r\n(TTPs) that we have not previously observed in DarkGate attacks. \r\nThese campaigns rely on a technique called “Remote Template Injection” to bypass email security controls\r\nand to deceive the user into downloading and executing malicious code when the Excel document is\r\nopened.  \r\nDarkGate has used AutoIT scripts as part of the infection process for a long time. However, in these\r\ncampaigns, AutoHotKey scripting was used instead of AutoIT.  \r\nThe final DarkGate payload is designed to execute in-memory, without ever being written to disk, running\r\ndirectly from within the AutoHotKey.exe process. \r\nThe DarkGate malware family is distinguished by its covert spreading techniques, ability to steal information,\r\nevasion strategies, and widespread impact on both individuals and organizations. Recently, DarkGate has been\r\nobserved distributing malware through Microsoft Teams and even via malvertising campaigns. Notably, in the\r\nlatest campaign, AutoHotKey scripting was employed instead of AutoIT, indicating the continuous evolution of\r\nDarkGate actors in altering the infection chain to evade detection. 
\r\nhttps://blog.talosintelligence.com/darkgate-remote-template-injection/\r\nPage 1 of 11\n\nEmail campaigns\r\nThis research began when a considerable number of our clients reported receiving emails, each containing a Microsoft Excel file attachment that followed a distinct pattern in its naming convention.\r\nTalos’ intent analysis of these emails revealed that they primarily pertained to financial or official matters, compelling the recipient to take an action by opening the attached document.\r\nThis peculiar trend prompted us to conduct an in-depth investigation into this widespread malspam activity. Our initial findings linked the indicators of compromise (IOCs) to the DarkGate malware.\r\nThe table below includes some of the observed changes in attachment naming convention patterns over time. In the Format column, % marks the part of the filename that varies between samples.\r\nStart Date | End Date | Format | Examples\r\nMarch 12, 2024 | March 19, 2024 | march-D%-2024.xlsx | march-D5676-2024.xlsx, march-D3230-2024.xlsx, march-D2091-2024.xlsx\r\nMarch 15, 2024 | March 20, 2024 | ACH-%March.xlsx | ACH-5101-15March.xlsx, ACH-5392-15March.xlsx, ACH-4619-15March.xlsx\r\nMarch 18, 2024 | March 19, 2024 | attach#%-2024.xlsx | attach#4919-18-03-2024.xlsx, attach#8517-18-03-2024.xlsx, attach#4339-18-03-2024.xlsx\r\nMarch 19, 2024 | March 20, 2024 | march19-D%-2024.xlsx | march19-D3175-2024.xlsx, march19-D5648-2024.xlsx, march19-D8858-2024.xlsx\r\nMarch 26, 2024 | March 26, 2024 | re-march-26-2024-%.xls? | re-march-26-2024-4187.xlsx, re-march-26-2024-7964.xlsx, re-march-26-2024-4187.xls\r\nApril 3, 2024 | April 5, 2024 | april2024-%.xlsx | april2024-2032.xlsx, april2024-3378.xlsx, april2024-4268.xlsx\r\nApril 9, 2024 | April 9, 2024 | statapril2024-%.xlsx | statapril2024-9505.xlsx, statapril2024-9518.xlsx, statapril2024-9524.xlsx\r\nApril 10, 2024 | April 10, 2024 | 4_10_AC-%.xlsx* | 4_10_AC-1177.xlsx, 4_10_AC-1288.xlsx, 4_10_AC-1301.xlsx\r\n*Variant redirecting to a JavaScript file instead of VBS.\r\nVictimology\r\nBased on Cisco Talos telemetry, this campaign targets the U.S. more often than any other geographic region.\r\nHealthcare technologies and telecommunications were the most-targeted sectors, but campaign activity was observed targeting a wide range of industries.\r\nTechnical analysis\r\nOur telemetry indicates that malspam emails were the primary delivery vector for this campaign. The campaign is active and uses attached Excel documents to lure users into downloading and executing remote payloads.\r\nAs shown below, the Excel spreadsheet has an embedded object with an external link to an attacker-controlled Server Message Block (SMB) file share.\r\nThe overall infection process associated with this campaign is shown below.\r\nThe infection process begins when the malicious Excel document is opened. These files were specially crafted to utilize a technique called “Remote Template Injection” to trigger the automatic download and execution of malicious content hosted on a remote server.\r\nRemote Template Injection is an attack technique that exploits a legitimate Excel feature wherein templates can be imported from external sources to expand a document’s functions and features. 
By exploiting the inherent trust users place in document files, this method skilfully evades security protocols that may not be as stringent for document templates compared to executable files. It represents a refined tactic for attackers to establish a presence within a system, sidestepping the need for conventional executable malware.\r\nWhen the Excel file is opened, it downloads and executes a VBS file from an attacker-controlled server.\r\nThe VBS file is appended with a command that executes a PowerShell script from the DarkGate command and control (C2) server.\r\nThis PowerShell script retrieves the next stage’s components and executes them, as shown below.\r\nPayload analysis\r\nOn March 12, 2024, the DarkGate campaign transitioned from deploying AutoIT scripts to employing AutoHotKey scripts.\r\nAutoIT and AutoHotKey are scripting languages designed for automating tasks on Windows. While both languages serve similar purposes, they differ in syntax complexity, feature sets and community resources. AutoHotKey offers more advanced text manipulation features, extensive support for hotkeys, and a vast library of user-contributed scripts for various purposes. While both AutoIT and AutoHotKey have legitimate purposes, they are often abused by adversaries to run malicious scripts, consistent with other scripting languages often observed in infection chains.\r\nAs shown in the screenshot above, one of the files retrieved is ‘test.txt.’ Within this file there is a base64-encoded blob that, when decoded, yields binary data. This binary data is then processed to execute the DarkGate malware payload directly within memory on infected systems. 
\r\nAs shown in the previous PowerShell code, payloads are initially saved to disk within a directory (C:\\rimz\\) on the system. The directory name changes across the infection chains that were analyzed.\r\nIn this case, the attacker was using a legitimate copy of the AutoHotKey binary (AutoHotKey.exe) to execute a malicious AHK script (script.ahk).\r\nThe executed AHK script reads content from the text file (test.txt), decodes it in memory, and executes it without ever saving the decoded DarkGate payload to disk. This file also contains shellcode that is loaded and executed by the AHK script, as shown below.\r\nPersistence mechanisms\r\nComponents used during the final stage of the infection process are stored at the following directory location:\r\nC:\\ProgramData\\cccddcb\\AutoHotKey.exe\r\nC:\\ProgramData\\cccddcb\\hafbccc.ahk\r\nC:\\ProgramData\\cccddcb\\test.txt\r\nPersistence across reboots is established through the creation of a shortcut file within the Startup directory on the infected system.\r\nShortcut Parameter | Value\r\nShortcut Location | C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DfAchhd.lnk\r\nShortcut Execution | C:\\ProgramData\\cccddcb\\AutoHotkey.exe C:\\ProgramData\\cccddcb\"C:\\ProgramData\\cccddcb\\hafbccc.ahk\r\nTalos’ threat intelligence and detection response teams have successfully developed detection for these campaigns and blocked them as appropriate on Cisco Secure products. 
However, the evolving nature of recent DarkGate campaigns, as demonstrated by the shift from AutoIT to AutoHotKey scripts and the use of remote template injection, serves as a stark reminder of the continuous arms race in cybersecurity.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nThe following Snort SIDs apply to this threat:\r\nSnort 2 SIDs: 3, 12, 11192, 13667, 15306, 16642, 19187, 23256, 23861, 44484, 44485, 44486, 44487, 44488, 63521, 63522, 63523, 63524\r\nSnort 3 SIDs: 1, 16, 260, 11192, 15306, 36376, 44484, 44486, 44488, 63521, 63522, 63523, 63524\r\nThe following ClamAV detections are also available for this threat:\r\nDoc.Malware.DarkGateDoc\r\nPs1.Malware.DarkGate-10030456-0\r\nVbs.Malware.DarkGate-10030520-0\r\nIndicators of Compromise (IOCs)\r\nIndicators of Compromise (IOCs) associated with this threat can be found here.\r\nBelow is an example of the configuration parameters extracted from one of the DarkGate payloads analyzed.\r\nConfiguration Parameter | Value\r\nC2 | hxxp://badbutperfect[.]com, hxxp://withupdate[.]com, hxxp://irreceiver[.]com, hxxp://backupitfirst[.]com, hxxp://goingupdate[.]com, hxxp://buassinnndm[.]net\r\nFamily | DarkGate\r\nAttributes | anti_analysis = true; anti_debug = false; anti_vm = true; c2_port = 80; internal_mutex = WZqqpfdY (provides the XOR key/marker used for DarkGate payload decryption); ping_interval = 60; startup_persistence = true; username = admin\r\nSource: https://blog.talosintelligence.com/darkgate-remote-template-injection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/darkgate-remote-template-injection/"
	],
	"report_names": [
		"darkgate-remote-template-injection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7c37d98a454c78bf8f1bd1757452eed0f526deb.pdf",
		"text": "https://archive.orkl.eu/e7c37d98a454c78bf8f1bd1757452eed0f526deb.txt",
		"img": "https://archive.orkl.eu/e7c37d98a454c78bf8f1bd1757452eed0f526deb.jpg"
	}
}