DarkComet
DarkComet is a commodity Windows remote access trojan (RAT), also known by aliases including DarkKomet, Fynlos, Fynloski, and Krademok. It was originally developed in 2008 by Jean-Pierre Lesueur (DarkCoderSc) as a remote administration tool, proliferated widely by early 2012, and was later discontinued after abuse by threat actors, including reported use during the Syrian civil war to monitor activists. Different versions remain available, and version 5.3.1 is specifically referenced in reverse-engineering analysis.
The malware provides full remote control of compromised Windows systems and is described as opening a backdoor and stealing information. Documented capabilities include execution of various scripts and commands via the Windows command shell, active screen viewing with mouse and keyboard control, keylogging, clipboard theft, audio capture through the system microphone, video capture, system and user discovery, process discovery, ingress tool transfer, and use of Remote Desktop Protocol. DarkComet can establish persistence via Registry Run keys or the Startup folder, modify the registry, disable Windows Host Firewall, and disable Security Center functions such as antivirus. It also uses masquerading by matching legitimate resource names or locations and software packing for obfuscation. Reverse-engineering analysis states that DarkComet communications are protected with RC4, and that its so-called "small" payload is simply a UPX-packed version of the same executable as the normal payload.
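The RC4 point above is worth seeing concretely from the analyst's side. The block below is an added example, not DarkComet's code and not part of this profile: a minimal RC4 (key scheduling plus the PRGA loop) used to decode a captured message once the static key has been recovered from an unpacked sample, and a demonstration of why a fixed key gives no real confidentiality, since every session shares one keystream and two ciphertexts XOR to the XOR of their plaintexts. `PLACEHOLDER_KEY` and the "captured" messages are constructed placeholders; the real key is not on this page.

```python
# Added example, not DarkComet's own code: minimal RC4 (KSA + PRGA) to show
# what "communications are protected with RC4" means in practice for an
# analyst. PLACEHOLDER_KEY and the sample messages are constructed.

def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key-scheduling algorithm, then the PRGA loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a symmetric stream cipher: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Stands in for the static key an analyst pulls out of the unpacked binary.
PLACEHOLDER_KEY = b"EXAMPLE-KEY-NOT-REAL"


def decrypt_session(ciphertext: bytes, key: bytes = PLACEHOLDER_KEY) -> str:
    """Decode one captured C2 message with the recovered key."""
    return rc4(key, ciphertext).decode("latin-1")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """With a static key the keystream is identical for every message, so
    ct1 XOR ct2 == pt1 XOR pt2. A known plaintext in one message therefore
    reveals the other directly, without the key."""
    return xor_bytes(ct1, ct2)


if __name__ == "__main__":
    # Constructed stand-ins for two captured messages from one implant.
    pt1 = b"KEEPALIVE|constructed-host"
    pt2 = b"GETINFO|constructed-host"
    ct1, ct2 = rc4(PLACEHOLDER_KEY, pt1), rc4(PLACEHOLDER_KEY, pt2)
    print(decrypt_session(ct1))
    print(keystream_reuse_leak(ct1, ct2) == xor_bytes(pt1, pt2))
```

For detection engineering the practical consequence is that decrypted command strings, not the RC4 ciphertext, are the stable thing to signature on: the key is a constant in the build, so a rule can be written against the decrypted traffic in a sandbox or after decryption in a network sensor.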
Observed infection and delivery patterns in the provided content include use as a payload in phishing and malware campaigns, use with crypter services advertising FUD (fully undetectable) encryption for .NET payloads, and deployment under deceptive filenames such as WinDefender.Exe and winupdate.exe to appear legitimate. General RAT infection vectors referenced in the supporting material include malicious email attachments, links, downloads, torrent files, social engineering, and temporary physical access.
DarkComet appears repeatedly as an off-the-shelf RAT used by both cybercriminal and state-linked actors. The content associates it with Syrian targeting of activists and opposition figures, UAE-related surveillance cases, Nigerian BEC operations tracked as SilverTerrier, APT33/Elfin intrusions, MOLERATS-linked infrastructure overlaps, BlueNorOff/Lazarus-associated tooling lists, and reporting on openly available tools used by ALUMINUM SARATOGA. It is also tracked in ATT&CK as S0334 and appears in command-and-control infrastructure reporting, including Recorded Future observations showing DarkComet among the most observed C2 families in 2022 with reported year-over-year growth.
High-confidence infrastructure and IOC details directly mentioned include DarkComet samples hosted on google.wwwhost.biz communicating with r.ddns.me; shared infrastructure involving a.ddns.me, IPs 198.105.125.158 and 23.229.3.37, and overlap with the MOLERATS domain test.cable-modem.org. In one APT33/Elfin intrusion, DarkComet was deployed alongside POSHC2 and Quasar RAT during activity in February-April 2018. Additional file-name indicators explicitly mentioned are WinDefender.Exe and winupdate.exe.
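The infrastructure overlap above is a chain of pivots (domain to IP to co-hosted domain), which is exactly how it should be stored and queried. The following is an added example, not part of the Mallory page or any vendor tool: it builds that chain as a small graph, walks it from one seed indicator with a hop limit so that analysts can decide how far a co-hosting pivot is still trustworthy, and matches the resulting indicator set against log lines. The domain and IP values are the ones the page lists; the DNS and proxy log lines are constructed for the demo.

```python
# Added example, not from the page or from Mallory: IOC pivot graph and
# log matching. Indicator values come from the reporting quoted above;
# the log lines are constructed.
import re
from collections import defaultdict

# Relationships stated in the reporting: domain -> IP addresses it shared.
RESOLUTIONS = {
    "r.ddns.me": {"198.105.125.158"},
    "a.ddns.me": {"198.105.125.158", "23.229.3.37"},
    "test.cable-modem.org": {"23.229.3.37"},
}
# Hosting infrastructure reported separately (no resolution edge given).
HOSTING = {"google.wwwhost.biz": "hosted DarkComet samples"}


def build_graph(resolutions):
    """Undirected graph: every domain links to its IPs and back."""
    graph = defaultdict(set)
    for domain, ips in resolutions.items():
        for ip in ips:
            graph[domain].add(ip)
            graph[ip].add(domain)
    return graph


def pivot(graph, start, max_hops=4):
    """Breadth-first walk from one indicator; returns {indicator: hops}.
    Each hop is one resolution or co-hosting step, so the hop count is a
    rough confidence measure for the pivot."""
    seen = {start: 0}
    frontier = [start]
    while frontier:
        nxt = []
        for node in frontier:
            if seen[node] >= max_hops:
                continue
            for neigh in graph[node]:
                if neigh not in seen:
                    seen[neigh] = seen[node] + 1
                    nxt.append(neigh)
        frontier = nxt
    return seen


def all_indicators(seed="r.ddns.me", max_hops=4):
    return set(pivot(build_graph(RESOLUTIONS), seed, max_hops)) | set(HOSTING)


# Constructed log lines in a simple key=value shape.
LOG_LINES = [
    "2024-03-01T10:00:01Z dns client=10.0.0.5 query=r.ddns.me answer=198.105.125.158",
    "2024-03-01T10:00:07Z dns client=10.0.0.9 query=updates.example.com answer=203.0.113.10",
    "2024-03-01T10:01:13Z proxy client=10.0.0.5 dst=23.229.3.37:443 host=a.ddns.me",
    "2024-03-01T10:02:40Z dns client=10.0.0.12 query=google.wwwhost.biz answer=198.51.100.7",
]

FIELD_RE = re.compile(r"(?:^|\s)(?:query|answer|dst|host)=([^\s:]+)")
CLIENT_RE = re.compile(r"client=(\S+)")


def match_logs(lines, indicators):
    """Return (client, indicator) pairs for every field that hits the IOC set."""
    hits = []
    for line in lines:
        client_match = CLIENT_RE.search(line)
        client = client_match.group(1) if client_match else "?"
        for value in FIELD_RE.findall(line):
            if value.lower() in indicators:
                hits.append((client, value.lower()))
    return hits


if __name__ == "__main__":
    graph = build_graph(RESOLUTIONS)
    for node, hops in sorted(pivot(graph, "r.ddns.me").items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s): {node}")
    for client, ioc in match_logs(LOG_LINES, all_indicators()):
        print(f"{client} touched {ioc}")
```

Note that `test.cable-modem.org` only appears at hop 4 from the DarkComet seed; in a real pipeline that is the kind of indicator to alert on at low severity or keep for enrichment rather than block outright, since dynamic DNS and shared hosting IPs pivot to plenty of unrelated domains.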
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
In early 2013 UAE H.R. activist E forwarded numerous documents that included a particular CVE-2012-0158 exploit for Microsoft Word. In all, these totaled 17 distinct hashes of documents, and 10 distinct hashes of payloads.
"...spear-phishing emails with malicious RTF files exploiting CVE-2010-3333 or CVE-2012-0158..." | "...off-the-shelf remote administration tools (RATs) and downloaders, such as DarkComet and Bozok."
Groups observed using it
7 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The top 10 of the RATs used in Nigerian BEC scams is formed by NetWire, DarkComet, NanoCore, LuminosityLink, Remcos, ImminentMonitor, NJRat, Quasar, Adwind, and Hworm.
google.wwwhost.biz also hosted two DarkComet samples, which communicated with r.ddns.me, which shared IP address 198.105.125.158 with a.ddns.me, which shared IP address 23.229.3.37 with MOLERATS domain test.cable-modem.org.
DarkComet (Backdoor.Breut): Another commodity RAT used to open a backdoor on an infected computer and steal information.
Malware associated with BlueNorOff include: "DarkComet, Mimikatz, Nestegg, Macktruck, WannaCry, Whiteout, Quickcafe, Rawhide, Smoothride, TightVNC, Sorrybrute, Keylime, Snapshot, Mapmaker, net.exe, sysmon, Bootwreck, Cleantoad, Closeshave, Dyepack, Hermes, Twopence, Electricfish, Powerratankba, and Powerspritz"
"...off-the-shelf remote administration tools (RATs) and downloaders, such as DarkComet and Bozok."
“ALUMINUM SARATOGA uses many openly available tools for its operations, including… DarkComet…”
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
The attacks we have documented usually involve the use of malicious links or e-mail attachments, designed to obtain information from a device.
Execution
3 techniques
APT19 downloaded and launched code within a SCT file; APT32 used COM scriptlets to download Cobalt Strike beacons; APT37 used Ruby scripts to execute payloads; ArcaneDoor included the adversary executing command line interface (CLI) commands.
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.' | Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
The messages usually include text, often in Arabic, that attempts to persuade the target to execute the file or click the link.
Persistence
2 techniques
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
1 technique
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
3 techniques
To keep them under the antivirus radar, Nigerian actors use "crypters" - software tools designed to encrypt, obfuscate, and modify malware.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
Defense Impairment
1 technique
Credential Access
1 technique
Discovery
3 techniques
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Collection
5 techniques
The attacks we have documented usually involve the use of malicious links or e-mail attachments, designed to obtain information from a device.
We found that the spyware has a modular design, and can download additional modules from a command & control (C&C) server, including password capture...
We found that the spyware has a modular design, and can download additional modules from a command & control (C&C) server, including password capture (from over 20 applications) and recording of screenshots...
We found that the spyware has a modular design, and can download additional modules from a command & control (C&C) server, including password capture... and input from the computer’s microphone and webcam.
Command and Control
4 techniques
Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). We observed over 17,000 unique command-and-control (C2) servers during 2022...
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
the attackers became active on the compromised machine and proceeded to download the archiving tool WinRAR... attackers were observed downloading a custom .NET FTP tool... using Quasar RAT to download a second custom AutoIt FTP exfiltration tool known as FastUploader...
According to the Remote Access Trojan definition, a RAT is a form of malware that provides the perpetrator remote access and control of the infected computer or server.
Impact
1 technique
Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.
Other
2 techniques
The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
52 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Remote access trojan referenced as a payload type supported by the crypter service for obfuscation/encryption.
A 2000s-era RAT grouped with commercial/blackhat malware that added builders, UPX packing, DLL injection, API hooking, remote plugin support, persistence, and mutex-based execution control.
A remote access trojan originally developed as a remote administration tool and later abused by threat actors to gain unauthorized access, establish C2 communication, and provide full control over compromised Windows systems.
A remote access trojan mentioned as part of the more malicious RAT families that emerged by 2010.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.