DARKDEW
⚠️ Overview
DARKDEW is an advanced stealer malware first documented in July 2024 by the Juniper Threat Labs team. It belongs to the category of information stealers and remote access trojans (RATs), focusing on credential theft, cryptocurrency wallet extraction, and sensitive data exfiltration. The malware is believed to be operated by a Chinese-speaking threat actor tracked as TA-2024-0813, based on code similarities to earlier RedLine Stealer variants.
🔧 Technical Capabilities
DARKDEW propagates primarily through phishing emails containing malicious Microsoft Office documents (XLS macros) or ISO files. Upon execution, it drops an initial DLL loader that uses process hollowing to inject into legitimate processes like explorer.exe. The malware communicates with its C2 infrastructure over HTTPS to randomly generated domains registered via Freenom, employing base64-encoded JSON payloads for data exfiltration. Persistence is achieved by writing a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a random filename. Evasion techniques include API unhooking via direct syscalls, delaying execution to evade sandbox analysis, and checking for debuggers or virtual machine artifacts (e.g., the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318} for VMware detection). It also uses the CreateTimerQueueTimer API for timed execution to bypass time-based detection.
📜 History & Notable Incidents
DARKDEW first appeared in mid-2024 targeting manufacturing and technology sectors in North America and East Asia. A major campaign in September 2024 compromised over 200 endpoints in a single automotive supply chain company, exfiltrating 3GB of design files and VPN credentials. No CVEs are specifically associated with the malware itself; it relies on document macro abuse (CVE-2017-11882 exploited in older Office versions) and social engineering. Law enforcement actions have not been publicly reported as of early 2025.
🔍 Detection Indicators
Known SHA-256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (variant A) and d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592 (variant B). Behavioral signatures include outbound HTTPS connections to domains under the *.ml, *.ga or *.cf TLDs with the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36. A named mutex, Global\DARKDEW_MUTEX_2024, is created to prevent multiple instances from running.
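The indicators above can be turned directly into hunting logic. The script below is an added example, not code from the original profile or from Juniper Threat Labs: it flags proxy log lines that combine a Freenom TLD with the quoted User-Agent, and compares file contents against the two published hashes. The proxy log layout, the sample lines and the .ml/.ga domains in them are constructed for the example.

```python
"""Hunt for the DARKDEW network and file indicators quoted in the profile."""
import hashlib
import re

# Indicators taken from the profile's Detection Indicators section
KNOWN_SHA256 = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # variant A
    "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592",  # variant B
}
C2_TLDS = {"ml", "ga", "cf"}  # Freenom TLDs named in the profile
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Assumed (constructed) proxy log layout: <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def tld_of(url: str) -> str:
    """Return the lower-cased top-level domain of the URL's host (port and path stripped)."""
    host = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].split(":")[0]
    return host.rsplit(".", 1)[-1].lower()


def is_c2_beacon(line: str) -> bool:
    """True only when both signals coincide: HTTPS to a Freenom TLD and the DARKDEW User-Agent."""
    m = LOG_RE.match(line)
    if not m:
        return False  # unparseable lines are skipped, never treated as hits
    url, ua = m.group(4), m.group(6)
    return url.lower().startswith("https://") and tld_of(url) in C2_TLDS and ua == C2_USER_AGENT


def find_beacons(lines):
    """Return the sorted set of source IPs that produced at least one beacon-shaped request."""
    return sorted({LOG_RE.match(line).group(2) for line in lines if is_c2_beacon(line)})


def is_known_sample(data: bytes) -> bool:
    """Compare the SHA-256 of a file's contents against the profile's known hashes."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256


# Constructed sample log: line 2 is the only one that matches on both TLD and User-Agent.
SAMPLE_LOG = [
    '2024-09-12T10:01:02Z 10.0.0.5 GET https://example.com/ 200 "' + C2_USER_AGENT + '"',
    '2024-09-12T10:01:09Z 10.0.0.5 POST https://qx7k2p.ml/api/upload 200 "' + C2_USER_AGENT + '"',
    '2024-09-12T10:02:30Z 10.0.0.7 GET http://update.example.org/ 304 "curl/8.6.0"',
    '2024-09-12T10:03:11Z 10.0.0.9 POST https://a1b2c3.ga/ 200 "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    print("beaconing hosts:", find_beacons(SAMPLE_LOG))  # ['10.0.0.5']
```

Requiring both the TLD and the User-Agent keeps false positives down, since the User-Agent alone is a stock Chrome string; loosen the check to TLD-only if a wider net is wanted.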
☠️ Risk & Impact
DARKDEW causes credential theft from browsers (Chrome, Edge, Firefox), cryptocurrency wallet extraction from wallets like MetaMask and Exodus, and sensitive file exfiltration of documents with extensions .doc, .xls, .pdf, and .kdbx (KeePass). Financial losses in reported incidents average $150,000 per breach due to stolen VPN access and business email compromise. The malware particularly affects small-to-medium enterprises in the manufacturing and engineering sectors.
🛡️ Mitigation
Defenders should block Office macros from untrusted sources, deploy YARA rules matching the known hashes and the mutex name, and implement network segmentation to limit lateral movement. Enable attack surface reduction rules in Microsoft Defender for Office to prevent macro execution. No specific patch is required; hardening against phishing and disabling auto-run for ISO files are recommended.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.