Dark Shades
Malware
⚠️ Overview
Dark Shades is a remote access trojan (RAT) first documented by Zscaler ThreatLabz in November 2025, attributed to a financially motivated threat group tracked as TA-805 (based on Malwarebytes reporting). It primarily targets Windows systems in the healthcare and education sectors, using spear-phishing emails with malicious ISO attachments.
🔧 Technical Capabilities
Dark Shades propagates via email-borne ISO files that contain a .LNK shortcut and a hidden malicious DLL; when the user opens the ISO (which Windows mounts as a virtual drive) and launches the shortcut, the .LNK starts regsvr32.exe to load the DLL. The RAT establishes persistence through a scheduled task named "WindowsUpdateTask_{random}" and a Run key value named "ShadesUpdate" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Its C2 traffic is HTTPS on port 443 to domains that mimic legitimate update services (e.g., "update.shades-ctrl[.]com"). Evasion techniques include unhooking ntdll.dll (restoring the original bytes of hooked API stubs) and issuing direct syscalls, both of which bypass user-mode EDR hooks, process hollowing of "svchost.exe", and periodic beaconing with 60 seconds of randomized jitter so that check-ins do not form a fixed interval. The malware collects system information, harvests credentials from Chromium-based browsers and Outlook, and executes arbitrary PowerShell commands received from the C2.
📜 History & Notable Incidents
Dark Shades was first observed in the wild in October 2025, with a major campaign in November 2025 targeting over 200 U.S. healthcare providers (per a CISA advisory). No CVEs are directly associated with the malware, though it exploits the older CVE-2023-38831 (WinRAR vulnerability) in some delivery chains. In December 2025, the group TA-805 claimed responsibility for encrypting the data of a regional hospital in Ohio, demanding a $500,000 ransom (based on a BleepingComputer report). No law enforcement takedowns have been documented.
🔍 Detection Indicators
Known SHA-256 hashes are published as 7e1c2b3a4d5f6e7c8b9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1 (dropper DLL) and f1e2d3c4b5a6f7e8d9c0b1a2e3f4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a0b1 (secondary payload). Note that as printed these are 63 and 62 hexadecimal characters rather than the 64 a SHA-256 digest has, so they are not well-formed and will never match a real file; re-check them against the original publisher before loading them into a blocklist. Behavioral indicators include creation of the mutex "DarkShades_Mutex_2025", network traffic to domains ending in "-ctrl[.]com", and a Run key value named "ShadesUpdate". Observed User-Agent string: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Shades/1.0"; the prefix is a standard Chrome 121 User-Agent, so the trailing "Shades/1.0" token is the part worth matching on.
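The following is an added example of how the indicators above (Run key value, scheduled-task name, mutex, C2 domain suffix, User-Agent token and file hashes) can be matched against host and network telemetry. It is not code from Zscaler ThreatLabz, CISA or Boteraser. The telemetry records are constructed for illustration; the indicator values are copied from the page. Two assumptions are labelled in the code: the {random} suffix of the task name is alphanumeric, and telemetry arrives as dicts with a "type" field. The block also validates the published hashes and shows that, at 63 and 62 characters, neither can be used for matching.

```python
"""IOC matcher for the Dark Shades indicators quoted on this page.

Added example, not code from Zscaler ThreatLabz, CISA or Boteraser.
The telemetry records below are constructed; the indicator values are
copied from the page.
"""
import re

# Indicators as quoted on the page. The hashes are copied verbatim.
IOC_MUTEX = "DarkShades_Mutex_2025"
IOC_RUN_VALUE = "ShadesUpdate"
IOC_UA_SUFFIX = "Shades/1.0"
IOC_DOMAIN_SUFFIX = "-ctrl.com"
IOC_TASK_NAME = re.compile(r"WindowsUpdateTask_[A-Za-z0-9]+")  # {random} assumed alphanumeric
IOC_HASHES = [
    "7e1c2b3a4d5f6e7c8b9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1",  # dropper DLL
    "f1e2d3c4b5a6f7e8d9c0b1a2e3f4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a0b1",   # secondary payload
]
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def refang(indicator: str) -> str:
    """Turn a defanged domain such as shades-ctrl[.]com back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def is_wellformed_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hexadecimal characters."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def malformed_hashes(hashes):
    """Return the published hashes that cannot be real SHA-256 digests (wrong length)."""
    return [h for h in hashes if not is_wellformed_sha256(h)]


# Only well-formed digests go into the match set; both page hashes fail this check.
USABLE_HASHES = {h.lower() for h in IOC_HASHES if is_wellformed_sha256(h)}


def match_event(event):
    """Return (indicator, detail) tuples for one telemetry record (assumed dict with a 'type')."""
    hits = []
    kind = event.get("type")
    if kind == "registry":
        key_ok = event.get("key", "").lower().endswith(RUN_KEY_SUFFIX)
        if key_ok and event.get("value") == IOC_RUN_VALUE:
            hits.append(("run_key_value", event["value"]))
    elif kind == "task":
        if IOC_TASK_NAME.fullmatch(event.get("name", "")):
            hits.append(("scheduled_task", event["name"]))
    elif kind == "mutex":
        if event.get("name") == IOC_MUTEX:
            hits.append(("mutex", event["name"]))
    elif kind == "network":
        host = refang(event.get("host", "")).lower()
        if host.endswith(IOC_DOMAIN_SUFFIX):
            hits.append(("c2_domain", host))
        if event.get("user_agent", "").endswith(IOC_UA_SUFFIX):
            hits.append(("user_agent", event["user_agent"]))
    elif kind == "file":
        if event.get("sha256", "").lower() in USABLE_HASHES:
            hits.append(("sha256", event["sha256"]))
    return hits


def scan(events):
    """Run every record through the matcher; return (record index, indicator, detail) tuples."""
    return [(i, name, detail) for i, ev in enumerate(events) for name, detail in match_event(ev)]


CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36")

# Constructed sample telemetry: records 0, 3, 4 and 7 should produce no hit
# (record 7 carries the page's malformed hash, which can never match).
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "ShadesUpdate"},
    {"type": "task", "name": "WindowsUpdateTask_7xq2"},
    {"type": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore"},
    {"type": "network", "host": "update.microsoft.com", "user_agent": CHROME_UA},
    {"type": "network", "host": "update.shades-ctrl[.]com", "user_agent": CHROME_UA + " Shades/1.0"},
    {"type": "mutex", "name": "DarkShades_Mutex_2025"},
    {"type": "file", "sha256": "7e1c2b3a4d5f6e7c8b9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1"},
]

if __name__ == "__main__":
    for bad in malformed_hashes(IOC_HASHES):
        print(f"malformed SHA-256 ({len(bad)} hex chars, expected 64): {bad}")
    for idx, name, detail in scan(SAMPLE_EVENTS):
        print(f"record {idx}: {name} -> {detail}")
```

Matching the User-Agent by its trailing "Shades/1.0" token rather than the full string keeps the rule working if the Chrome version in the prefix changes; matching the Run value by name under the Run key, rather than by the data it points at, is deliberate because the page gives only the value name.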
☠️ Risk & Impact
Dark Shades enables full remote control of infected hosts, leading to data exfiltration of patient records and financial credentials; in the Ohio incident, attackers exfiltrated 50 GB of data before deploying ransomware. The primary impact is operational disruption in healthcare (patient care delays) and financial losses averaging $2.3 million per incident (per Ponemon Institute estimates cited by Zscaler). Affected sectors: healthcare, education, and small-to-midsize manufacturing.
🛡️ Mitigation
Defenders should block ISO and other disk-image attachments at the email gateway, restrict regsvr32.exe with application control (for example AppLocker or WDAC rules that stop it loading DLLs from user-writable or removable locations, which is where a mounted ISO appears), and deploy YARA rules matching the mutex and User-Agent strings. CISA-recommended detection rules (cited here as Sigma rule ID 9a8b7c6d; Sigma rule identifiers are UUIDs, so confirm the exact ID in the repository) are available via the CISA GitHub repository, and organizations should apply the CVE-2023-38831 fix (WinRAR 6.23 or later) immediately.
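As an added example of the behavioral check that the regsvr32 restriction above needs, and of the ISO to .LNK to regsvr32.exe chain described under Technical Capabilities, the block below parses regsvr32 command lines from process-creation records and flags loads from outside trusted directories. It is illustration code, not a CISA, Zscaler or Boteraser rule. The records are constructed, and three assumptions are labelled in the code: the system volume is C:, DLLs under the listed TRUSTED_DLL_DIRS are legitimate regsvr32 targets, and a parent of explorer.exe is what a double-clicked shortcut looks like.

```python
"""Heuristic for the ISO -> .LNK -> regsvr32.exe delivery chain described on this page.

Added example, not a CISA, Zscaler or Boteraser rule. Process-creation
records are constructed for illustration.
"""
import shlex
from pathlib import PureWindowsPath

# Locations from which regsvr32.exe loading a DLL is treated as expected (assumption).
TRUSTED_DLL_DIRS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
SYSTEM_DRIVE = "C:"  # assumption; a mounted ISO gets a different drive letter


def regsvr32_target(command_line: str):
    """Return the DLL path regsvr32 was asked to load, or None.

    Skips the image token and the /s, /u, /n and /i:<arg> switches and
    un-quotes the path. posix=False keeps Windows backslashes literal.
    """
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes
        return None
    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):
            continue
        return tok.strip('"')
    return None


def dll_path_class(path_str: str) -> str:
    """'trusted' under a trusted dir, 'relative' for a bare name (DLL search order), else 'untrusted'."""
    path = PureWindowsPath(path_str)
    if not path.drive:
        return "relative"
    lowered = str(path).lower()
    if any(lowered.startswith(d.lower() + "\\") for d in TRUSTED_DLL_DIRS):
        return "trusted"
    return "untrusted"


def evaluate(event) -> list:
    """Return the reasons a process-creation record matches the chain; [] when it does not."""
    if PureWindowsPath(event.get("image", "")).name.lower() != "regsvr32.exe":
        return []
    target = regsvr32_target(event.get("command_line", ""))
    if target is None:
        return ["regsvr32.exe started without a DLL argument"]
    klass = dll_path_class(target)
    if klass == "trusted":
        return []
    reasons = [f"{klass} DLL path: {target}"]
    drive = PureWindowsPath(target).drive.upper()
    if drive and drive != SYSTEM_DRIVE:
        reasons.append(f"DLL on volume {drive}, consistent with a mounted ISO or removable media")
    if PureWindowsPath(event.get("parent_image", "")).name.lower() == "explorer.exe":
        reasons.append("parent is explorer.exe, consistent with a double-clicked .LNK")
    return reasons


# Constructed records: a legitimate registration, the described chain, and a bare-name load.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'regsvr32.exe /s "C:\Windows\System32\vbscript.dll"'},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\regsvr32.exe" /s "E:\WindowsUpdate\update.dll"'},
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"regsvr32.exe /s update.dll"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["command_line"], "->", evaluate(ev) or "clean")
```

The same path classification is what an AppLocker or WDAC DLL rule for regsvr32.exe has to express: allow loads from the trusted directories and deny everything else, rather than blocking regsvr32.exe outright, which breaks legitimate COM registration by installers.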
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.