
DarkComet RAT

DarkComet RAT is a remote access trojan with extensive espionage and data-theft capabilities. The provided content describes it as enabling covert remote control of infected systems and supporting capabilities including offline keylogging, credential theft, file theft, webcam surveillance, remote desktop control, and process injection into legitimate processes such as notepad.exe. In the analyzed campaign, captured keystrokes were stored locally in a folder named dclogs.

The malware was observed in a campaign using Bitcoin-themed social-engineering lures. A RAR archive posed as a legitimate cryptocurrency application and contained an executable named "94k BTC wallet.exe". When executed, it silently deployed DarkComet RAT. The sample was packed with UPX and, after unpacking, was identified as Backdoor.DarkComet compiled with Borland Delphi (2006).

For persistence, the sample copied itself to %AppData%\Roaming\MSDCSC\explorer.exe and created a Windows Run key for autostart. Reported embedded configuration and indicators included the mutex DC_MUTEX-ARULYYD, install path MSDCSC\explorer.exe, command-and-control domain kvejo991.ddns.net, and TCP port 1604. Behavioral analysis showed repeated beaconing attempts to kvejo991.ddns.net:1604, with retransmissions suggesting the server was offline or blocking connections.

The content also states that DarkComet RAT has extensive espionage capabilities and was used by the Assad regime in Syria against Syrians seeking freedom from oppression. It further notes that DarkComet was discontinued by its original developer years ago, but continues to circulate in underground forums and cybercrime toolkits and is still repurposed in modern campaigns.
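As an added defender-side example (not Mallory's code and not taken from the source reports), the following Python sweep turns the indicators in the write-up above into detection rules and runs them over a handful of constructed Sysmon-style events. The C2 domain, port, install path, lure filename, notepad.exe injection target and dclogs folder name come from the page; the event schema (`type`, `image`, `target`, `details`, `query`, `dst_port`, `source_image`, `target_image`), the user profile path, the Run value name `UpdateSvc` and the parent directory of `dclogs` are assumptions made for the example.

```python
"""Detection sweep for the DarkComet RAT indicators described above.

Added example, not Mallory's code: a few plain rules over Sysmon-style
events flattened to dicts, standing in for whatever a SIEM would hand you.
Indicator values come from the write-up; the event schema and sample paths
are assumptions made for the example.
"""
import re
from typing import Dict, List, Tuple

# Indicators from the write-up.
C2_DOMAIN = "kvejo991.ddns.net"
C2_PORT = 1604
LURE_NAME = "\\94k btc wallet.exe"
# Dropped copy under %AppData%\Roaming\MSDCSC\explorer.exe (any user profile).
INSTALL_PATH_RE = re.compile(r"\\AppData\\Roaming\\MSDCSC\\explorer\.exe$", re.IGNORECASE)
# Keystroke log folder; its parent directory is not given, so only the folder name is matched.
KEYLOG_DIR_RE = re.compile(r"\\dclogs\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def check_event(ev: Dict) -> List[str]:
    """Return the name of every rule the event trips (empty list if none)."""
    hits: List[str] = []
    kind = ev.get("type")
    image = ev.get("image", "")
    if kind == "process_create":
        if image.lower().endswith(LURE_NAME):
            hits.append("darkcomet_lure_filename")      # T1036 masquerading
        if INSTALL_PATH_RE.search(image):
            hits.append("darkcomet_install_path")       # dropped copy executed
    elif kind == "registry_set":
        # Run key whose data points at the MSDCSC drop (T1547).
        if RUN_KEY_RE.search(ev.get("target", "")) and "msdcsc" in ev.get("details", "").lower():
            hits.append("darkcomet_run_key")
    elif kind == "dns_query":
        if ev.get("query", "").lower().rstrip(".") == C2_DOMAIN:
            hits.append("darkcomet_c2_domain")
    elif kind == "network_connect":
        # Port 1604 alone is noisy; require the connecting image to be the drop.
        if ev.get("protocol") == "tcp" and ev.get("dst_port") == C2_PORT and INSTALL_PATH_RE.search(image):
            hits.append("darkcomet_c2_beacon")
    elif kind == "create_remote_thread":
        # Injection from the drop into notepad.exe (Sysmon event 8 shape).
        if INSTALL_PATH_RE.search(ev.get("source_image", "")) and \
                ev.get("target_image", "").lower().endswith("\\notepad.exe"):
            hits.append("darkcomet_injection")
    elif kind == "file_create":
        if KEYLOG_DIR_RE.search(ev.get("target", "")):
            hits.append("darkcomet_keylog_dir")
    return hits


def sweep(events: List[Dict]) -> List[Tuple[str, str]]:
    """Run every rule over every event; return (host, rule) pairs in event order."""
    return [(ev["host"], rule) for ev in events for rule in check_event(ev)]


def sample_events() -> List[Dict]:
    """Constructed telemetry for one host (not real captures)."""
    drop = r"C:\Users\alice\AppData\Roaming\MSDCSC\explorer.exe"
    return [
        {"host": "ws-01", "type": "process_create", "image": r"C:\Users\alice\Downloads\94k BTC wallet.exe"},
        {"host": "ws-01", "type": "process_create", "image": drop},
        {"host": "ws-01", "type": "registry_set",
         "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\UpdateSvc",  # value name assumed
         "details": drop},
        {"host": "ws-01", "type": "dns_query", "query": "kvejo991.ddns.net"},
        {"host": "ws-01", "type": "network_connect", "image": drop, "protocol": "tcp", "dst_port": 1604},
        {"host": "ws-01", "type": "create_remote_thread", "source_image": drop,
         "target_image": r"C:\Windows\System32\notepad.exe"},
        {"host": "ws-01", "type": "file_create",
         "target": r"C:\Users\alice\AppData\Roaming\MSDCSC\dclogs\2025-11-12.dc"},  # dclogs location assumed
        # Benign noise that must not fire.
        {"host": "ws-01", "type": "process_create", "image": r"C:\Windows\explorer.exe"},
        {"host": "ws-01", "type": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         "protocol": "tcp", "dst_port": 443},
        {"host": "ws-01", "type": "dns_query", "query": "update.microsoft.com"},
    ]


if __name__ == "__main__":
    for host, rule in sweep(sample_events()):
        print(f"{host}: {rule}")
```

The beacon rule deliberately requires the connecting image to be the MSDCSC drop rather than alerting on port 1604 alone, and the DNS rule normalises case and a trailing dot so that resolver log variants still match. The mutex DC_MUTEX-ARULYYD is not covered because mutex creation is not something standard endpoint telemetry records; it is useful for sandbox and memory triage instead.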

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Syrian government

"A new piece of old computer spyware, known as DarkComet RAT, was found cleverly hidden inside a file that looked exactly like a legitimate Bitcoin wallet or trading program."

via hackread.com

cia

"A new piece of old computer spyware, known as DarkComet RAT, was found cleverly hidden inside a file that looked exactly like a legitimate Bitcoin wallet or trading program."

via hackread.com
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution (1 technique)

T1204 User Execution (evidence: 1)

"Once a victim is tricked into running the file..."

Persistence (1 technique)

T1547 Boot or Logon Autostart Execution (evidence: 1)

"creates an autostart entry to ensure it loads every time the computer is turned on"

Privilege Escalation (1 technique)

T1547 Boot or Logon Autostart Execution (evidence: 1)

"creates an autostart entry to ensure it loads every time the computer is turned on"

Stealth (4 techniques)

T1027 Obfuscated Files or Information (evidence: 1)

"delivered inside a compressed RAR file, which is a common trick used by attackers to evade security filters"

T1027.002 Software Packing (evidence: 1)

"the file was “packed” using a technique called UPX."

T1036 Masquerading (evidence: 1)

"DarkComet RAT, was found cleverly hidden inside a file that looked exactly like a legitimate Bitcoin wallet or trading program." / "an application named “94k BTC wallet.exe”."

T1564.001 Hidden Files and Directories (evidence: 1)

"It copies itself into a hidden system folder"

Credential Access (1 technique)

T1056.001 Keylogging (evidence: 1)

"recording every single keystroke you make (keylogging)" / "recorded all of the victim’s keystrokes and saved them in a local folder called dclogs."

Collection (3 techniques)

T1005 Data from Local System (evidence: 1)

"stealing files"

T1056.001 Keylogging (evidence: 1)

"recording every single keystroke you make (keylogging)" / "recorded all of the victim’s keystrokes and saved them in a local folder called dclogs."

T1125 Video Capture (evidence: 1)

"watching you through your webcam"

Command and Control (2 techniques)

T1219 Remote Access Tools (evidence: 1)

"fisherxp’s account on popular Chinese technology forum 51CTO is still active and shows that he has downloaded not only the open-source DarkComet RAT ... including Gh0st RAT 3.6 ..."

T1568.003 DNS Calculation (evidence: 1)

"connect to a specific remote location (kvejo991.ddns.net over port 1604)"

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (1 tracked)

IPs, domains, and DNS infrastructure linked to this family.

Type     Value                                   Latest sighting
domain   ●●●●●●●●●●●● (redacted on this page)     7 months ago
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

security online info (News), Nov 13, 2025
Legacy Malware Resurfaces: DarkComet RAT Uses Bitcoin Wallet Lure to Deploy UPX-Packed Payload

Remote access trojan used for surveillance and data theft. In this campaign it is disguised as a Bitcoin wallet utility, packed with UPX, establishes persistence by copying itself to %AppData%\Roaming\MSDCSC\explorer.exe and creating a Run key, performs keylogging (stores logs in 'dclogs'), uses process injection (e.g., into notepad.exe), and beacons to a C2 server over TCP.

hackread (News), Nov 12, 2025
DarkComet Spyware Resurfaces Disguised as Fake Bitcoin Wallet

Remote access trojan that provides covert remote control of an infected system, including keylogging, file theft, webcam spying, and remote desktop control. In the described campaign it is delivered via a RAR archive containing a fake Bitcoin wallet executable, establishes persistence via an autostart entry, and beacons to a DDNS C2 (kvejo991.ddns.net:1604) while logging keystrokes to a local 'dclogs' folder to steal credentials (including crypto wallet access).

eset welivesecurity blog (News), Aug 30, 2012
FinFisher helps people spy on you via your cellphone, for good or evil?

Remote access trojan with extensive espionage capabilities, discussed as surveillance malware used against targets in Syria.

eset welivesecurity blog (News), Aug 30, 2012
FinFisher helps people spy on you via your cellphone, for good or evil?

Remote access trojan with extensive espionage capabilities, cited here as an example of surveillance malware being repurposed for malicious political repression.