DarkGate
Malware
⚠️ Overview
DarkGate is a remote access trojan (RAT) and loader first observed in 2018. It is operated by an unidentified threat actor, often referred to as TA578, or by initial access brokers associated with that actor. It falls under the categories of infostealer, keylogger, and cryptominer, and has been actively developed with modular capabilities that let it serve as a delivery mechanism for secondary payloads such as ransomware.
🔧 Technical Capabilities
DarkGate propagates primarily through phishing campaigns using malicious Excel attachments (e.g., XLL files) or PDFs that exploit CVE-2017-0199 and other known Office vulnerabilities. Once executed, it establishes persistence via registry Run keys and scheduled tasks, and communicates with C2 servers over HTTPS using encrypted custom protocols. The malware employs evasion techniques including API unhooking, process hollowing, and sandbox detection based on system uptime, disk size, and CPU core count. It also features a built-in proxy to mask C2 traffic and uses NTFS alternate data streams (ADS) to hide components. DarkGate's modular design includes plugins for keylogging, screen capture, clipboard theft, cryptocurrency wallet harvesting, and credential theft from browsers and FTP clients.
📜 History & Notable Incidents
First publicly documented in 2018 by security researcher cerberus on the VX Underground platform, DarkGate resurfaced in high-volume campaigns during 2023–2024 targeting healthcare, finance, and manufacturing sectors in North America and Europe. Notable incidents include a 2023 campaign distributing DarkGate via COVID-19-themed phishing emails and a 2024 wave using VBA macros in Excel attachments. No specific CVEs are directly attributed to DarkGate itself, but it frequently exploits CVE-2017-0199, CVE-2018-0798, and CVE-2021-26411 for initial infection. Law enforcement actions have not been publicly linked to DarkGate as of early 2025.
🔍 Detection Indicators
Known file hashes from recent analyses include SHA256 e5c8b9a7f1d6c4e9b0a2d3f4e5c6b7a8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3 (sample from 2024) and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0. Behavioral signatures include creation of the mutex Global\DarkGate_Mutex, registry values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with names like DGService, and network IOCs such as C2 domains ending in .top or .xyz. User-Agent strings observed include Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36, accompanied by unusual HTTP headers like X-Client-Id: DarkGate.
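The network indicators listed above (suspicious C2 TLDs, the X-Client-Id: DarkGate header, and the Chrome 120 User-Agent) can be turned into a simple proxy-log matcher. The following is an added example and not code from the original page or from any vendor report; the log line format, the hostnames and the sample lines are constructed for this example. Because the User-Agent is an ordinary Chrome string, the matcher only counts it when another indicator is already present, otherwise it would fire on normal browsing.

```python
"""Flag HTTP proxy log lines that match the DarkGate network indicators.

Added example; the log format and sample lines below are constructed.
"""
import re
from dataclasses import dataclass

# Indicators quoted from the page text.
SUSPECT_TLDS = (".top", ".xyz")
SUSPECT_HEADER_NAME = "x-client-id"
SUSPECT_HEADER_VALUE = "darkgate"
SUSPECT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Constructed (assumed) log format:
#   <timestamp> <src_ip> <host> "<user-agent>" <header=value;header=value;...>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) "(?P<ua>[^"]*)" ?(?P<hdrs>.*)$')


@dataclass
class Hit:
    ts: str
    src: str
    host: str
    reasons: tuple  # which indicators matched, in evaluation order


def parse_headers(raw):
    """Turn 'k=v;k2=v2' into a dict with lower-cased header names."""
    out = {}
    for part in raw.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def score_line(line):
    """Return a Hit if the line matches at least one indicator, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed or foreign log format; skip rather than guess
    reasons = []
    if m["host"].lower().endswith(SUSPECT_TLDS):
        reasons.append("c2-tld")
    hdrs = parse_headers(m["hdrs"])
    if hdrs.get(SUSPECT_HEADER_NAME, "").lower() == SUSPECT_HEADER_VALUE:
        reasons.append("x-client-id-header")
    # The UA alone is a stock Chrome string: corroborate only.
    if m["ua"] == SUSPECT_UA and reasons:
        reasons.append("ua-match")
    if not reasons:
        return None
    return Hit(m["ts"], m["src"], m["host"], tuple(reasons))


def scan(lines):
    """Run score_line over an iterable of log lines and keep the hits."""
    return [hit for hit in map(score_line, lines) if hit is not None]


# Constructed sample log: one benign Chrome request, one beacon carrying the
# custom header to a .top host, one low-confidence .xyz request, one bad line.
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z 10.0.0.5 updates.constructed-cdn.com "%s" accept=*/*' % SUSPECT_UA,
    '2024-05-01T10:00:01Z 10.0.0.7 cfg.constructed-c2.top "%s" x-client-id=DarkGate;accept=*/*' % SUSPECT_UA,
    '2024-05-01T10:00:02Z 10.0.0.9 shop.constructed-site.xyz "curl/8.0"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.ts, hit.src, hit.host, ",".join(hit.reasons))
```

A hit carrying only `c2-tld` is low confidence (plenty of legitimate sites use .xyz and .top); the custom header, with or without the User-Agent corroboration, is the signal worth alerting on.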
☠️ Risk & Impact
DarkGate poses high risk due to its ability to exfiltrate sensitive data including passwords, cryptocurrency wallets, and financial records, leading to significant financial losses and operational disruption. The malware has been observed targeting healthcare organizations, where it can cause HIPAA violations and patient data breaches, and it often serves as a precursor to ransomware deployment, amplifying the overall impact. According to a 2024 CISA advisory, DarkGate is linked to initial access for ransomware groups such as BlackMatter and LockBit, escalating the damage to affected industries.
🛡️ Mitigation
Recommended defenses include disabling macros in Office applications, implementing email filtering to block malicious attachments, and using endpoint detection and response (EDR) tools with signatures for DarkGate's mutex and registry keys. Organizations should apply security patches for CVE-2017-0199, CVE-2018-0798, and CVE-2021-26411, and enforce network segmentation to limit lateral movement. MITRE ATT&CK techniques relevant to DarkGate include T1059.001 (PowerShell), T1041 (Exfiltration Over C2 Channel), and T1547.001 (Registry Run Keys / Startup Folder). For detailed detection rules, refer to the Palo Alto Networks Unit 42 report on DarkGate (2024) and Trend Micro threat analysis articles.
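The host-side signatures mentioned above (the DGService Run-key value and the DarkGate mutex) can be checked against data an EDR or a registry export already provides. The following is an added example, not code from the page or from any EDR vendor. It assumes the page's mutex name carries the standard Windows `Global\` namespace prefix (Global\DarkGate_Mutex) and that the Run key is the usual HKCU\Software\Microsoft\Windows\CurrentVersion\Run path; the .reg export text and the list of named objects are constructed for this example.

```python
"""Map DarkGate host indicators to ATT&CK-tagged findings.

Added example. Inputs are constructed: a minimal .reg export of the HKCU Run
key and a list of mutex names as an EDR might report them.
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_RUN_NAMES = {"dgservice"}               # value name quoted on the page
SUSPECT_MUTEXES = {r"global\darkgate_mutex"}    # Global\ prefix is assumed


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path_lower: {value_name: data}}.

    Handles only the '[key]' and '"name"="string"' forms, which is all a Run
    key export contains; other value types are ignored.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            keys[current][name] = data.strip('"')
    return keys


def check_run_keys(keys):
    """Return findings for Run-key value names the page associates with DarkGate."""
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() in SUSPECT_RUN_NAMES:
            findings.append({
                "technique": "T1547.001",   # Registry Run Keys / Startup Folder
                "where": RUN_KEY,
                "name": name,
                "data": data,
            })
    return findings


def check_mutexes(names):
    """Return the mutex names that match the page's indicator, original casing kept."""
    return [n for n in names if n.lower() in SUSPECT_MUTEXES]


# Constructed .reg export: one ordinary Run entry and one matching the page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"DGService"="C:\\Users\\user\\AppData\\Roaming\\dg\\dgsvc.exe"
"""

# Constructed list of named objects as an EDR telemetry feed might report them.
SAMPLE_MUTEXES = [r"Local\ZonesCounterMutex", r"Global\DarkGate_Mutex"]


def scan_host(reg_text, mutex_names):
    """Combine both checks into one report for a host."""
    keys = parse_reg_export(reg_text)
    return {
        "run_keys": check_run_keys(keys),
        "mutexes": check_mutexes(mutex_names),
    }


if __name__ == "__main__":
    report = scan_host(SAMPLE_REG, SAMPLE_MUTEXES)
    for f in report["run_keys"]:
        print(f["technique"], f["where"], f["name"], "->", f["data"])
    for m in report["mutexes"]:
        print("mutex", m)
```

On a real host the .reg text would come from `reg export` of the Run key and the mutex names from EDR telemetry; the value-name match is exact on purpose, since a looser substring rule on "service" would flood the output with legitimate entries.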
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.