{
	"id": "9ef059bf-3d7e-4bea-b24c-b418626b1346",
	"created_at": "2026-04-06T01:31:31.30778Z",
	"updated_at": "2026-04-10T03:23:38.810498Z",
	"deleted_at": null,
	"sha1_hash": "e983be3b645fbe4bd3cc9c1742e0e6b56fbeb469",
	"title": "[Guest Diary] Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2154972,
	"plain_text": "[Guest Diary] Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service.\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-06 01:28:32 UTC\r\n[This is a Guest Diary by John Moutos, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]\r\nIntro\r\nFrom a handful of malware analysis communities I participate in, it is not uncommon for new or interesting samples to be shared, and for them to capture the attention of several members, myself included. In this case, what appeared to be a routine phishing PDF led to the delivery of a much more suspicious MSI, signed with a valid code signing certificate, and with a surprisingly low signature-based detection rate on VirusTotal [2] (at time of analysis) due to its use of several layered stages.\r\nContext\r\nModern malware utilizing multiple layers of abstraction to avoid detection or response is not a new concept, and as a result of this continuous effort, automated malware triage systems and sandboxes have become crucial in responding to new or heavily protected samples where static analysis methods have failed or heuristic analysis checks have come back clean. 
Attackers are wise to this, and often use legitimate file formats outside of the PE family, or protect their final stage payload with multiple layers to avoid being detected through static analysis, and subsequently profiled through dynamic analysis or with the aid of a sandbox / automated triage system.\r\nAnalysis\r\nThe following sample not only fit the profile previously mentioned, but was also taking advantage of a presumably stolen or fraudulent code signing certificate to pass reputation checks.\r\nAt first glance, the downloaded PDF appears normal and is of fairly small size.\r\nhttps://dshield.org/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700/\r\nPage 1 of 22\n\nFigure 1: Initial PDF Details\r\nOpening the PDF with any suitable viewer, we can see an attempt to convince unknowing users to download a file, promising to resolve the fake load error.\r\nFigure 2: Initial PDF Displayed\r\nThe “Open” button points to a wrapped doubleclick[.]net ad URL (“hxxps[://]adclick[.]g[.]doubleclick[.]net//pcs/click?f1587wub8-24-TzRtAOnedriveBskd\u0026\u0026adurl=//selectwendormo9tres[.]com?utm_content=AAhqplxaJo\u0026session_id=3VHLBRuVfwDKTPWgylgR\u0026id=b2WBu\u0026filter=FSBMsIgzmQ-pIvZl\u0026lang=zh\u0026locale=US”), which when followed arrives at “hxxp[://]95[.]164[.]63[.]54/documents/build-x64[.]zip/build-x64[.]msi”. 
The initial infection chain starts with this MSI, assuming the unsuspecting user proceeds to run it after download.\r\nInspecting the MSI, it does not appear to be artificially inflated with junk data, judging by the file size, and as a bonus it has a valid digital signature from a genuine certificate issued to “Inoellact EloubantTech Optimization Information Co., Ltd.” by GlobalSign [3].\r\nFigure 3: Downloaded MSI Details\r\nFigure 4: MSI Signature \u0026 Certificate Details\r\nTo extract the content from the MSI, there is a plethora of tools that can be used. Universal Extractor [4], 7-Zip [5], and the built-in extractor feature in the multi-purpose analysis tool “Detect It Easy” (DIE) [6] will handle the job without issue.\r\nFigure 5: MSI Opened in DIE\r\nWith the content of the MSI extracted, there are two important files to note: the first, named “Binary.bz.WrappedSetupProgram”, is the embedded cabinet (CAB) file, and the second, named “Binary.bz.CustomActionDll”, is an embedded DLL.\r\nFigure 6: Extracted Cabinet File in DIE\r\nFigure 7: Extracted DLL File in DIE\r\nThe DLL only serves to assist in the deployment of the cabinet file during the MSI installation process, but it should be noted it also has several other execution paths, corresponding to different installer modes and the respective entry point followed.\r\nFigure 8: Extracted DLL Entry Points\r\nReturning to the extracted cabinet (CAB) file, we can simply open it with 7-Zip to view the 
contents.\r\nFigure 9: Cabinet File Contents\r\nThe file “iTunesHelper.exe” has a valid signature from Apple, whereas the “sqlite3.dll” and “CoreFoundation.dll” files are unsigned. These files will presumably be loaded (“CoreFoundation.dll” is listed in the Import Table) when “iTunesHelper.exe” is launched, so I will focus on these files.\r\nDue to how Windows searches for and loads DLLs [7], the “iTunesHelper” application will load any DLL named “CoreFoundation”. Windows first searches the directory the application was launched from, and in this case, it would find a match and load the DLL. Windows then falls back to the System32 directory, then the System directory, the Windows directory, the current working directory, all directories in the system PATH environment variable and lastly all directories in the user PATH environment variable.\r\nFigure 10: iTunesHelper EXE Signature\r\nFigure 11: iTunesHelper EXE Import Table\r\nUpon closer inspection of the “sqlite3” DLL, it does not appear to be a valid PE (Portable Executable) file, but it will be revisited.\r\nFigure 12: sqlite3 File Junk Data\r\nInspecting the “CoreFoundation” DLL with a disassembler such as IDA [8], Ghidra [9], or Binary Ninja [10], and going to the main entry point, we can trace the execution flow up to where a function named “CFAbsoluteTimeAddGregorianUnits” is called, which when followed checks if the process it has been 
loaded into is running from the path “c:\\\\debug”, followed by a message box popup with the string “debug dll start”. This functionality is unrelated to the malicious behavior, but is a good indication the file has been tampered with, along with the lack of a valid signature.\r\nFigure 13: CoreFoundation DLL Entry Point\r\nFigure 14: CoreFoundation DLL Debug Directory Check\r\nFollowing the “CFAbsoluteTimeAddGregorianUnits” execution flow further down, we can find a reference to the bundled “sqlite3” DLL.\r\nFigure 15: sqlite3 File Reference in CoreFoundation DLL\r\nSwitching back to the “sqlite3” DLL and using DIE to view the strings in the file, there appears to be an AutoIt compiled script header value denoted by the characters “AU3!EA06”. Opening the file with a hex editor such as HxD [11] or DIE (DIE has a built-in one), we can confirm the presence of the AutoIt [12] compiled script header. This will be revisited shortly.\r\nFigure 16: AutoIt Compiled Script Header in sqlite3 File\r\nSwitching gears back to the “CoreFoundation” DLL and following the references to the “sqlite3” DLL, we can find a block of code that resembles an XOR decryption routine. Looking for cross-references to this decryption code leads to more references to the “sqlite3” file, along with a familiar string. The string “VzXLKSZE” is scattered throughout the “sqlite3” file, and fills up the majority of the space within the file. 
Between this and the reference to the XOR decryption routine, we can assume this may be the key used to decrypt the “sqlite3” file.\r\nFigure 17: sqlite3 File and Key References in CoreFoundation DLL\r\nFigure 18: XOR Key in sqlite3 File\r\nLoading “sqlite3” into a tool like CyberChef [13], the XOR operation can be used, and when provided with the discovered key, the file content is decrypted and appears to have a valid PE header, denoted by the MZ characters at the beginning.\r\nFigure 19: XOR Decrypting sqlite3 File\r\nAfter saving the decrypted content (“sqlite3decrypted.dll”) to disk, we can load it into DIE to verify it does resemble a valid PE file.\r\nFigure 20: Decrypted sqlite3 File in DIE\r\nDropping the decrypted binary (“sqlite3decrypted.dll”) into a disassembler and following execution flow from the entry point, we can see the next stage takes the form of the AutoIt compiled script discovered before, and this DLL serves to drop the script, the actual AutoIt executable, and a “test.txt” file into the “c:\\temp” directory, before executing the script with AutoIt.\r\nFigure 21: Decrypted sqlite3 File Pseudocode\r\nTo extract the compiled script, we can revisit the original encrypted “sqlite3.dll” file, and look for the delimiter used to separate the script content from the rest of the binary. It should also be noted that the delimiter string “delimitador” can be found in the “sqlite3decrypted.dll” file.\r\nFigure 22: Delimiter String in Decrypted sqlite3 File\r\nKnowing the string delimiter to look for, we can carve out the AutoIt compiled script from the original “sqlite3” file. 
A hex editor can be used to do this easily.\r\nFigure 23: Start Delimiter in Original sqlite3 File\r\nFigure 24: End Delimiter in Original sqlite3 File\r\nThe AutoIt script, now saved to disk, is unfortunately unusable while still compiled, and must be decompiled with a tool such as myAutToExe [14].\r\nFigure 25: Compiled AutoIt Script Extracted\r\nWith the script decompiled, we can see it is obfuscated using character substitution, which we must reverse before we can proceed.\r\nFigure 26: Decompiled AutoIt Script Obfuscation\r\nThe AutoIt “STRINGSPLIT” function [15] is being called on the content of test.txt, read using “FILEREAD” [16], with a blank delimiter and with mode 2, which makes the array start at index 0 instead of 1.\r\nFigure 27: test.txt File Content\r\nFor example, $A[0] would be the character “(”, and $A[1] would be the character “n”.\r\nOnce the character substitution is reversed and the script is readable, we can see it construct shellcode from the content above and attempt to load and execute it in memory. It additionally checks if any Sophos products are installed, and will switch execution flows if this check fails.\r\nThe VirtualProtect Windows API [17] is used to modify the allocated memory region protection, so the shellcode can be copied and executed using the EnumWindows Windows API [18].\r\nFigure 28: AutoIt Script Content\r\nFollowing the reference to the shellcode data stored across the variable named “$BZXRGFO”, we can see that it uses the AutoIt function BinaryToString [19], which converts a given value from binary representation to string form.\r\nKnowing this, we can extract the embedded shellcode blob and hex decode it. 
Once again, CyberChef has a hex decode operation that can handle this task for us.\r\nFigure 29: Decoding the Included Shellcode\r\nAfter saving the decoded shellcode data as a file, if we open it with a hex editor, we can see the start of a valid PE header after a large chunk of garbage data. To properly disassemble the file with a tool such as IDA or Ghidra, the garbage data will need to be removed (if the junk data is left, the entry point will have to be manually specified).\r\nFigure 30: PE Header in Extracted Shellcode File\r\nThe junk data can be stripped with a hex editor or other file manipulation tools, and once removed we can load the cleaned file into DIE to verify the file is detected as a valid PE.\r\nFigure 31: Extracted Shellcode File in DIE\r\nLoading this final stage file into a disassembler and going to the entry point, we can spot the XOR key utilized in previous stages.\r\nFigure 32: Final Stage File Disassembly\r\nWith the help of a debugger (I used x32dbg [20]), we can dump the final stage config data at runtime post-decryption to reveal the C2 server it reports home to, which is located at the domain “prodomainnameeforappru[.]com (46.21.157.142)”. 
It should be noted that the final stage shellcode, when executed in memory at runtime, will be mapped into a newly spawned “VBC.exe” (Visual Basic command line compiler) process.\r\nFigure 33: Extracting C2 Domain with x32dbg\r\nFlow Summary\r\nInitial PDF (“case_-2023_4824647818.pdf”): Deliver MSI via ad download link.\r\nDownloaded First Stage MSI (“build-x64.msi”): Unpack embedded cabinet file.\r\nExtracted Cabinet File (“Binary.bz.WrappedSetupProgram”): Contains encrypted next stage DLL, and dummy app to use with tampered DLL for sideloading.\r\nDummy App (“iTunesHelper.exe”): Used to load tampered import DLL.\r\nTampered Import DLL (“CoreFoundation.dll”): Used to load and XOR decrypt next stage DLL.\r\nEncrypted Second Stage DLL (“sqlite3.dll”): Drop embedded compiled AutoIt script, AutoIt binary, and character substitution alphabet, and invoke compiled script with AutoIt binary.\r\nAutoIt Binary (“autoit.exe”): Used to execute compiled AutoIt script.\r\nCharacter Substitution Alphabet (“test.txt”): Used to run compiled AutoIt script (or deobfuscate a decompiled version).\r\nCompiled Third Stage AutoIt Script (“script.a3x”): Construct final stage shellcode to load and execute in allocated memory.\r\nFinal Stage DarkGate Agent (“finalstage.dat”, or found in memory of the host “vbc.exe” process at runtime): Beacon home and provide remote access / additional malware delivery functionality.\r\nTakeaway\r\nDarkGate is a commodity loader with remote access and modular plugin capability, written in Borland Delphi, that is advertised under the Malware-as-a-Service (MaaS) business model on popular cybercrime forums [22]. 
It mainly serves to deliver other malware, commonly infostealers, to compromised hosts and either aid in exfiltration of the data or provide further access and persistence. As modern AV/EDR products scrutinize PE files much more aggressively, alternative file types that can nest additional stages and still look legitimate are becoming far too attractive to MaaS providers. Automated triage solutions and sandboxes can help uncover some of these protected samples, but it may not be feasible or cost effective for an organization to run every installation package or installer they utilize through a sandbox.\r\nAs this MSI delivery avenue becomes less and less successful, DarkGate may switch to alternate means of nesting additional stages, but as of writing, other recent samples can be dissected by applying a routine similar to that above.\r\nBeing able to triage samples manually when signature-based scanning fails, or reputation checks are bypassed due to the use of a code signing certificate, can be crucial when threat hunting or responding to incidents within an organization that may not have access to a sandbox or automated triage products.\r\nFigure 34: DarkGate File Manager [21]\r\nFigure 35: DarkGate Miscellaneous Features [21]\r\nFigure 36: DarkGate Remote Access Features [21]\r\nReferences, Appendix, \u0026 Tools Used\r\n[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/\r\n[2] https://www.virustotal.com/gui/file/693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a\r\n[3] https://www.globalsign.com/en\r\n[4] 
https://legroom.net/software/uniextract\r\n[5] https://7-zip.org/\r\n[6] https://github.com/horsicq/DIE-engine/releases\r\n[7] https://dmcxblue.gitbook.io/red-team-notes/persistence/dll-search-order-hijacking\r\n[8] https://hex-rays.com/ida-pro/\r\n[9] https://ghidra-sre.org/\r\n[10] https://binary.ninja/\r\n[11] https://mh-nexus.de/en/hxd/\r\n[12] https://www.autoitscript.com/site/autoit/\r\n[13] https://github.com/gchq/CyberChef\r\n[14] https://github.com/PonyPC/myaut_contrib\r\n[15] https://www.autoitscript.com/autoit3/docs/functions/StringSplit.htm\r\n[16] https://www.autoitscript.com/autoit3/docs/functions/FileRead.htm\r\n[17] https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect\r\n[18] https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindows\r\n[19] https://www.autoitscript.com/autoit3/docs/functions/BinaryToString.htm\r\n[20] https://x64dbg.com/\r\n[21] https://github.security.telekom.com/\r\n[22] https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate\r\nIndicators of Compromise\r\nSHA-256 Hashes:\r\nC2 Domain, IP 
\u0026 Port:\r\n“prodomainnameeforappru[.]com”, 46.21.157.142, port 443\r\nSource: https://dshield.org/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dshield.org/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700/"
	],
	"report_names": [
		"30700"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439091,
	"ts_updated_at": 1775791418,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e983be3b645fbe4bd3cc9c1742e0e6b56fbeb469.pdf",
		"text": "https://archive.orkl.eu/e983be3b645fbe4bd3cc9c1742e0e6b56fbeb469.txt",
		"img": "https://archive.orkl.eu/e983be3b645fbe4bd3cc9c1742e0e6b56fbeb469.jpg"
	}
}