DcRAT
DarkCrystal RAT (DCRat) is a .NET remote access trojan and malware-as-a-service platform, also referred to as Dark Crystal RAT, active since at least 2019 and sold on underground forums since at least 2018. It is commonly identified as an AsyncRAT-derived or related family, but the cited reporting confirms authentic DCRat builds by its author qwqdanchun through artifacts such as the salt "DcRatByqwqdanchun", the default mutex "DcRatMutex_qwqdanchun", embedded X.509 certificates, and characteristic configuration structures.
Across the cited reporting, DCRat is described as a modular RAT with plugin architecture and MessagePack serialization. Documented capabilities include remote command execution; dynamic compilation and execution of C# and VB code; execution of BAT, VBS, and PowerShell scripts; file download and execution; process, filesystem, drive, screen, camera, and microphone enumeration; screenshot capture; clipboard theft; browser password and cookie theft; VPN, FileZilla, WinSCP, Telegram, Discord, and Steam credential/session theft; keylogging; screen capture; clipboard monitoring; registry editing; process and file management; USB spreading; and denial-of-service functions using HTTP POST, UDP, and TCP flooding. One report also notes runtime code compilation on the victim host.
Defense evasion and anti-analysis features directly mentioned include AMSI patching/bypass, ETW bypass, WLDP bypass in Donut-based delivery chains, anti-VM checks, Sandboxie and debugger checks, small-disk checks, sleep-prevention logic, anti-process kill lists, process protection via RtlSetProcessIsCritical, and use of the w32tm stripchart command as an execution-delay mechanism. DCRat has also been observed using SSL/TLS C2 with certificate pinning, certificate-based authentication for C2 servers, AES-256-CBC encrypted communications, MessagePack over TLS, and in other campaigns plaintext HTTP POST to PHP gate files on port 80. Pastebin integration for backup C2 resolution is also explicitly mentioned.
Documented persistence mechanisms include scheduled tasks created with schtasks.exe, HKCU Run keys and other Registry Run persistence, modification of the Windows NT CurrentVersion\Load key in related delivery chains, and in one technical analysis modification of the Winlogon Shell key. DCRat can also remove its own scheduled-task and registry persistence artifacts.
Observed infection vectors and delivery chains include phishing campaigns targeting Russian-speaking users with malicious Word documents and HTML/JavaScript files; archives masquerading as VK messenger or other Russian-named files; Golang loaders such as GOLoader that weaken Microsoft Defender before retrieving DCRat; Cloudflare Tunnel/WebDAV-hosted multi-stage chains using LNK, WSH, WSF, BAT, Python loaders, Donut shellcode, and Early Bird APC injection into explorer.exe; trojanized software installers including Internet Download Manager lures; and post-compromise deployment in broader intrusion activity. Payload delivery through SVG, PNG, LNK, JS, and HTA files is also mentioned in broader reporting where DCRat was among deployed malware.
The cited reporting associates the malware with multiple operators and clusters rather than a single actor. These include unknown phishing operators targeting Russian-speaking users, the SERPENTINE#CLOUD cluster targeting German-speaking businesses and UK organizations, the Russian-speaking MaaS group NyashTeam, and broader Russian-linked intrusion activity in 2025 where Remcos RAT, DarkCrystal RAT, XWorm, and Lumma Stealer were deployed after compromise. Reporting also describes campaigns using very low-cost Russian shared hosting on Timeweb and SpaceWeb, trillex[.]io infrastructure, DuckDNS domains, LocaltoNet tunneling, Oracle Cloud, Tencent Cloud in Frankfurt, and AT&T-hosted C2 infrastructure.
Targeting and victimology explicitly mentioned include Russian-speaking users, German-speaking small businesses and DATEV/invoice-processing targets, UK organizations, and victims in campaigns tied to trojanized installers and commodity malware distribution. Industries and sectors mentioned in broader intrusion reporting include government, defense, energy, and other critical sectors in Ukraine and Europe where DCRat was one of several deployed malware families.
High-confidence indicators and artifacts directly cited in the reporting include C2 IPs and domains such as 77.246.107.91 with LineserverUniversal.php, trillex[.]io and multiple subdomains, cr404896[.]tw1[.]ru, cc812496[.]tw1[.]ru, hulr3lyand[.]temp[.]swtest[.]ru, y57kdsa.duckdns[.]org:7878, 43.157.1[.]71:3232, and historical sightings on 143.47.53.106:8090 and 217.119.139.23:8888 / 217.119.139.192:8080. Builder and config artifacts include the salt "DcRatByqwqdanchun", the mutex "DcRatMutex_qwqdanchun", the default group tag "Default", GUID-like config keys prefixed with {11111-22222-}, and certificates with subject CN=DcRat and issuer fields referencing qwqdanchun.
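As an added detection example (not code from any of the reports cited above), the following Python classifies constructed process-creation events for three behaviours the summary attributes to DCRat: the w32tm stripchart execution delay, schtasks.exe task creation, and Run / Winlogon Shell / Load key writes from a script host or user-profile binary. The Sysmon-like field names, the script-host list, the dropped-file path and the sample command lines are assumptions.

```python
import re

# Parents that launch DCRat stages in the reported chains: script hosts or a
# binary dropped under the user profile (assumed list, tune per environment).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "python.exe"}
USER_PROFILE_DIR = re.compile(r"\\users\\[^\\]+\\(appdata|desktop|downloads)\\", re.I)
# Run key, Winlogon Shell value, and the Windows NT CurrentVersion Load value.
PERSISTENCE_KEYS = re.compile(
    r"currentversion\\run\b|winlogon\b.*?\bshell\b|currentversion\\windows\b.*?\bload\b", re.I)
# w32tm /stripchart blocks for about samples * period seconds: a built-in sleep.
STRIPCHART = re.compile(r"/stripchart\b.*?/samples:(\d+)", re.I)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _suspicious_parent(event):
    parent = event["parent_image"]
    return _basename(parent) in SCRIPT_HOSTS or bool(USER_PROFILE_DIR.search(parent))

def classify(event):
    """Return the finding names one process-creation event triggers."""
    if not _suspicious_parent(event):
        return []  # the patterns below are routine when a service launches them
    image, cmd = _basename(event["image"]), event["command_line"]
    if image == "w32tm.exe" and (m := STRIPCHART.search(cmd)):
        return [f"w32tm_stripchart_delay(samples={m.group(1)})"]
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        return ["schtasks_create_from_script_host"]
    if image == "reg.exe" and PERSISTENCE_KEYS.search(cmd):
        return ["registry_persistence_write"]
    return []

def hunt(events):
    """Map event id -> findings for every event that triggered something."""
    return {e["id"]: f for e in events if (f := classify(e))}

# Constructed sample telemetry (Sysmon-like field names assumed), not real logs.
DROPPED = r"C:\Users\victim\AppData\Roaming\svchost.exe"
EVENTS = [
    {"id": 1, "parent_image": DROPPED, "image": r"C:\Windows\System32\w32tm.exe",
     "command_line": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:10"},
    {"id": 2, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": f"schtasks /create /sc minute /mo 1 /tn Updater /tr {DROPPED} /f"},
    {"id": 3, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "command_line": rf"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d {DROPPED} /f"},
    {"id": 4, "parent_image": r"C:\Windows\System32\svchost.exe",  # benign time sync
     "image": r"C:\Windows\System32\w32tm.exe", "command_line": "w32tm /resync"},
]
```

Running `hunt(EVENTS)` flags events 1 to 3 and leaves the service-launched `w32tm /resync` alone; the same logic applies to the Winlogon Shell and Load key variants.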
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Windows Office Product Spawned Uncommon Process ... CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability ...
Groups observed using it
6 distinct threat actors attributed by public researchers.
The operator is NyashTeam -- a Russian-speaking MaaS group active since approximately 2022, selling SalatStealer (marketed as "WebRAT") for around 1,199 RUB/month (~$13 USD). They also distribute DCRat.
TAG-144 has employed a wide array of open-source and cracked RATs, including AsyncRAT, DcRAT, REMCOS RAT, XWorm, and LimeRAT, among others.
"The campaign ultimately deploys DCRat, a Russia-linked remote access Trojan (RAT)."
The toolkit includes PureLogs, PureHVNC, and repackaged commodity RATs (AsyncRAT, VenomRAT, DcRat, XWorm).
Proofpoint says TA584 has used a large number of payloads over the years, including Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike, and DCRAT, which was still seen in one case in 2025.
Techniques & procedures
37 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Supply chain intrusions added another serious layer of risk. Actors targeted software update mechanisms, third-party tools, and IT service providers to plant backdoors where scrutiny is typically lower.
Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.
When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine’s browser and simultaneously executes the JavaScript.
Execution
9 techniques
It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process.
It has the functionality of executing other PowerShell scripts or commands as directed by the C2 server.
The dropped JavaScript “UserCacheHelper.lnk.js” loads the contents of the “UserCache.ini” and executes it using the Invoke-Expression PowerShell command.
The batch stagers are the initial execution layer. 29 .bat files recovered across six evidence directories deduplicate to 13 unique templates in four categories.
The ZIP contains a Python runtime and one or more loader scripts. Each loader decrypts embedded shellcode, and that shellcode bootstraps the .NET Common Language Runtime (CLR) to load the actual payload.
The threat actor is also using HTML files embedded with malicious JavaScript in this campaign that are delivered to the victims through the malicious links in the phishing email.
allocate RWX memory, write shellcode via WriteProcessMemory ... ctypes.windll.kernel32.VirtualProtect(... 0x40, # PAGE_EXECUTE_READWRITE ... )
As of February 2024, the group continues to leverage trojanized software installers distributed via torrents on Ukrainian- and Russian-language forums as a means of achieving opportunistic initial access to potential targets of interest.
Persistence
2 techniques
It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process.
Startup folder BAT (T1547.001): %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\start.bat -- re-executes all five payloads via the downloaded Python runtime | Registry Run key (T1547.001): DcRat writes to SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Privilege Escalation
5 techniques
It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process.
Injection technique: create a suspended notepad.exe, allocate RWX memory, write shellcode via WriteProcessMemory, queue an APC, resume the thread.
The payload Dark Crystal RAT (DCRAT) sample that we analyzed in this campaign is a modular RAT associated with plugins to perform the DLL injection and information stealing tasks.
Injection technique: create a suspended notepad.exe, allocate RWX memory, write shellcode via WriteProcessMemory, queue an APC, resume the thread... Instead of notepad.exe, the loaders now create a suspended explorer.exe and use Early Bird APC injection
Startup folder BAT (T1547.001): %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\start.bat -- re-executes all five payloads via the downloaded Python runtime | Registry Run key (T1547.001): DcRat writes to SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Stealth
12 techniques
The content repeatedly describes adversaries using Base64, XOR, RC4, AES, hexadecimal encoding, string encryption, code flattening, custom crypters, and other obfuscation methods to hide payloads, strings, configuration data, URLs, and scripts.
Defense Evasion | Obfuscated Files: Encrypted Payload (T1027.013) | 1–6 | Multi-layer encryption (XOR, AES, Donut/Chaskey)
The malicious 7-Zip archive masquerades as the VK messenger application archive file... The SFXRAR executable is masquerading as the legitimate VK application executable.
Injection technique: create a suspended notepad.exe, allocate RWX memory, write shellcode via WriteProcessMemory, queue an APC, resume the thread.
The payload Dark Crystal RAT (DCRAT) sample that we analyzed in this campaign is a modular RAT associated with plugins to perform the DLL injection and information stealing tasks.
Injection technique: create a suspended notepad.exe, allocate RWX memory, write shellcode via WriteProcessMemory, queue an APC, resume the thread... Instead of notepad.exe, the loaders now create a suspended explorer.exe and use Early Bird APC injection
Defense Evasion | System Binary Proxy Execution: Wscript (T1218.005) | 1–4, 6 | wscript.exe WSH/WSF execution
If detected, downloads abb11.zip (OBKS-only, Avast-safe profile). If not, downloads quz11.zip (full WBKS + BKSNO deployment).
Checks for AvastUI.exe and AVGUI.exe via tasklist. If detected, downloads abb11.zip (OBKS-only, Avast-safe profile). If not, downloads quz11.zip
Virtualization/Sandbox Evasion: Time Based Checks (T1497.003): The STRT identified an interesting TTP associated with DarkCrystal RAT, the use of “W32tm” command with the “stripchart” parameter as an execution-delay mechanism for both runtime and beaconing activities.
After patching, Donut loads mscoree.dll , calls CLRCreateInstance to start the .NET CLR (v4.0.30319), and invokes ExecuteInDefaultAppDomain with the target class and method names stored in the instance.
Donut is the bridge between the Python shellcode and .NET. Every wave uses it. The framework packages .NET assemblies as position-independent shellcode that bootstraps the CLR from scratch.
Credential Access
2 techniques
The RAT can take screenshots and capture the keystrokes on the victim's machine.
With its stealer plugin modules, the RAT can steal sensitive information including credentials, files, and financial information from the victim's machine.
Discovery
3 techniques
If detected, downloads abb11.zip (OBKS-only, Avast-safe profile). If not, downloads quz11.zip (full WBKS + BKSNO deployment).
Checks for AvastUI.exe and AVGUI.exe via tasklist. If detected, downloads abb11.zip (OBKS-only, Avast-safe profile). If not, downloads quz11.zip
Virtualization/Sandbox Evasion: Time Based Checks (T1497.003): The STRT identified an interesting TTP associated with DarkCrystal RAT, the use of “W32tm” command with the “stripchart” parameter as an execution-delay mechanism for both runtime and beaconing activities.
Collection
3 techniques
With its stealer plugin modules, the RAT can steal sensitive information including credentials, files, and financial information from the victim's machine.
The RAT can take screenshots and capture the keystrokes on the victim's machine.
Command and Control
5 techniques
C2 Tracker is a free-to-use, community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.
After performing the reconnaissance, the PowerRAT attempts to connect to the C2 server by sending the collected data of the victim’s machine using a hardcoded URL through the HTTP GET method.
MITRE ATT&CK technique T1105 | Malware families: 0bj3ctivity Stealer, Agent Tesla, Amadey, AsyncRAT, Castle RAT, DarkCrystal RAT, gh0st RAT, Lokibot, njRAT, PlugX, QuasarRAT, RedLine Stealer, Remcos
Malware | Remcos RAT | Remote access trojan used for persistent access ... Malware | NetSupport RAT | Legitimate RMM tool abused as malware
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Exfiltration
1 technique
The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file ... and exfiltrates the sensitive data collected from the victim machine.
Impact
1 technique
T1529 - System Shutdown/Reboot. Description from ATT&CK: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
Other
2 techniques
It modifies the configuration settings for Microsoft Defender Antivirus, specifically by excluding the root directory “C:\” and the folder “C:\Users\$user\Desktop”.
The content repeatedly describes threat actors and malware disabling or modifying security tools, EDR/AV, logging, firewall rules, integrity checkers, and security settings; e.g., 'Agrius used several mechanisms to try to disable security tools' and 'BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.'
IOCs tracked for this family
101 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
115 sources tracked across advisories, community write-ups, and news.
Remote access trojan deployed post-compromise for continued access.
A remote access trojan observed being delivered via abused GitHub/GitLab links in phishing campaigns.
Remote access trojan family identified on the same bulletproof hosting network.
A remote access trojan mentioned as one of the payloads delivered by PhantomVAI in other campaigns.