{
	"id": "c706aa6c-2f23-4a71-a372-e4b1931b287c",
	"created_at": "2026-04-06T00:08:40.351985Z",
	"updated_at": "2026-04-10T13:11:35.490567Z",
	"deleted_at": null,
	"sha1_hash": "f667c2cfa2ebeb28921359da1d3bb040daf16073",
	"title": "DarkRat - Hacking a malware control panel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1352930,
	"plain_text": "DarkRat - Hacking a malware control panel\r\nArchived: 2026-04-05 17:38:40 UTC\r\nIn this post I will be showing you how I found vulnerabilities in the control panel of a new piece of malware and how I exploited these to be able to take it over. I will also be giving insight into chaining vulnerabilities.\r\nThe malware we are talking about today is DarkRat. This nasty bit of code has recently popped up on the least underground hacking forum there is, HackForums. HackForums is a very accessible forum that shows just about anyone how to become a cybercriminal. It is full of very easy to use tools on all kinds of different subjects, but today we will be concentrating on its malware \u0026 marketplace sections. The developer of today's target is very active on this forum and you will find him posting in these two sections. The actor goes by the name \"Dark Spider\" and, along with his main piece of malware (DarkRat), has created other pieces of malware including an exploit kit (CapeSand). Here is the banner of his profile on the site, which I find quite ironic since he is a cyber criminal and someone that is aiding other cyber criminals.\r\nHere is a screenshot of his sales thread for DarkRat.\r\nhttps://fr3d.hk/blog/darkrat-hacking-a-malware-control-panel\r\nPage 1 of 8\n\nThe reason I was able to get my hands on the source code of the control panel for this malware is that the developer was developing the bot and updating it on GitHub publicly. After a friend of mine discovered it and shared it with me, I was able to quickly clone the repository and back it up locally. Not long after this the developer discovered that the source code for all of his products had been discovered, and he proceeded to post this thread.\r\nObviously his products weren't for learning purposes, but I'm happy he came to realize that what he was doing is wrong and has now stopped all sales. Onto the main topic of today!\r\nIf we look at the traffic that the malware sends to the control panel you will see a POST parameter followed by what looks like gibberish to the untrained eye.\r\nFor those of you that have any experience with encoding, you will notice that there are two trailing equal signs after the gibberish; this is a sign of padding for base64. If we decode the gibberish with base64 we simply get more gibberish, like so.\r\nHopefully you can notice from what I said in the previous paragraph that this is again base64. Decoding it again will give us what we are looking for.\r\nWe can now see that the malware is sending an initial POST to the control panel, informing it of the specs and details of the computer it has just been run on. There are pieces of information that are base64 encoded within this already double decoded request, but I won't concentrate on those as they are just names of what hardware and software the computer is using. So now that we know what the malware is sending to the control panel, let's look at the panel itself.\r\nThis is what the DarkRat main panel looks like after setup.\r\nTasks page\r\nBots page\r\nSettings page\r\nSo let's now take the POST request the malware sent to the panel and send it to my localhost and see what happens. I have recreated the POST within a web security tool called Burp.\r\nAnd we get a successful update on the control panel.\r\nSo let's take a look at what is actually handling this request. Within the panel source code there is a file called bot handler; this handles the malware connecting to the control panel. This file checks if the bot (infected computer) is in the database and, if not, it then prepares to insert the computer's details into the database. This is done using SQL statements in PHP, but what the author forgets to do is to encode or remove special characters from what it inserts. This is exactly what we want as this will lead to XSS. XSS, or cross site scripting, is when you manage to inject HTML into a webpage through user submitted content. On the main page we see the names of the computers that have been infected. Here is what it looks like after I sent my request.\r\nSo what happens if we replace \"USER-PC\" with something like \"\u003cscript\u003ealert(1);\u003c/alert\u003e\"? To quickly explain this, I am inserting a script tag that will run the JavaScript between the tags. If you don't understand what I am talking about please read this: Introduction to XSS. So now that you can see what I am doing, let's actually put it into practice.\r\nIn the decoded request I replace \"USER-PC\" with \"\u003cscript\u003ealert(1);\u003c/alert\u003e\" and then double base64 encode it and send it back to the panel. Refreshing the panel we get alerted by this.\r\nSo now we can see that the XSS worked and this means that we can now insert whatever HTML/JavaScript we want into the main page for the malware operator to see. Obviously we don't actually want the malware operator to get any visual indication that we have hacked his control panel, so after our payload we can insert a bit of text so that the original \"USER-PC\" still appears.\r\nNow that we have XSS we need to chain it with something else so that we can take over the control panel. A useful web vulnerability we can use is CSRF, or cross site request forgery. This is when you make the browser do something to emulate what a user would do. In this case we want the operator to add a new user to the control panel so that we can access it. To do this we need to send a POST request to the settings page that will then add the user to the panel. Here is the POST that is sent when you try to add a new user to the control panel.\r\nSo now from this we can use a tool within Burp to create a CSRF payload.\r\nWhat this is doing is automatically submitting a form to the settings panel that emulates what the control panel operator would be submitting if they were to add a new user to their panel. You can see on the right the value \"guestuser\" being set for both the user and password input fields. Now we want this form to automatically be submitted once viewed. The new HTML looks like this.\r\nYou can see the JavaScript at the end; this automatically submits the form upon visit. Due to the way the developer has configured the database I have only 100 characters that I can enter into the PC name column. This means that I cannot directly enter this piece of code into the site as it is well over the 100-character limit, so I have to display it differently. This can be done with an iframe. An iframe displays another webpage within a webpage, which is perfect for our needs. We can use this iframe with a style set so that it is invisible to the user. So if we save the HTML above as \"payload.html\" and host it at our domain of attacker.com, then our new iframe payload will look like this.\r\nSo now that we have our final payload we can then append \"USER-PC\" to the end so that it displays something that the control panel operator expects to see for maximum stealth. We can now insert this into our payload, encode it twice and send it to the control panel. Once the operator views his control panel he will be secretly adding a user to his control panel. I can then monitor requests to my domain \u0026 host so that I know when this user has been added. Now that I have access I can remove all the infected computers by adding this command to the panel.\r\nAnd there we go! That brings this blog post to a close. I hope that you enjoyed the read and learnt something! Until next time, goodbye!\r\nSource: https://fr3d.hk/blog/darkrat-hacking-a-malware-control-panel",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://fr3d.hk/blog/darkrat-hacking-a-malware-control-panel"
	],
	"report_names": [
		"darkrat-hacking-a-malware-control-panel"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f667c2cfa2ebeb28921359da1d3bb040daf16073.pdf",
		"text": "https://archive.orkl.eu/f667c2cfa2ebeb28921359da1d3bb040daf16073.txt",
		"img": "https://archive.orkl.eu/f667c2cfa2ebeb28921359da1d3bb040daf16073.jpg"
	}
}