DarkGate Loader Delivered Through Stolen Email Threads

The research revealed high malspam activity of DarkGate malware distributed via phishing emails to the users either through MSI files or VBs script payloads.

Darkgate malware has been active since 2018 and has the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation.

A user RastaFarEye has been advertising DarkGate Loader on the xss[.]is an exploit[.]in cybercrime forums since June 16, 2023, with different pricing models.

“The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates,” Telekom Security said.

Attack Execution

Initially, phishing emails distributed the payload with either the MSI variant or the VBScript variant.

The attack commences from clicking on the phishing URL which redirects the user to the phishing site via a Traffic distribution system(TDS).

Subsequently, the MSI file will be downloaded, which executes the AutoIt script to execute a shellcode that acts as a conduit to decrypt and launch DarkGate via a crypter (or loader).

Whereas Visual Basic Script payload uses cURL to retrieve the AutoIt executable and script file to execute the malware.

Infection Chain

On successful initialization of darkgate malware, the malware will write a copy of itself to disk and create a registry run key to persist execution between reboots.

It also can terminate the process when it gets detected by the AV and alters its behavior according to the well-known AV product.

The malware can query different data sources to obtain information about the operating system, the logged-on user, the currently running programs, and other things. 

The malware uses multiple legitimate freeware tools published by Nirsoft to extract confidential data.

The malware periodically polls the C2 server for new instructions, executes the received commands, and finally sends back the results to the C2 server.


SHA256 6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.

Leave a Reply

Your email address will not be published. Required fields are marked *