Mallory
Malware · Used by 2 actors

DarkTrack RAT

DarkTrack RAT is a remote access trojan referenced in CERT-UA reporting as tooling used by the threat group UAC-0050. CERT-UA assessed UAC-0050 activity as spanning cyber-espionage, theft of funds, and information-psychological operations conducted under the “Fire Cells Group” brand. In that reporting, DarkTrack RAT was listed alongside other malware and RAT families including Remcos, TEKTONITRMS, MeduzaStealer, LummaStealer, Xeno RAT, SectopRAT, and MarsStealer. Separately, reporting cited in the source material states that an actor dubbed PseudoSticky targeted Russian organizations while deploying RemcosRAT and DarkTrack RAT. The provided content does not include specific technical details for DarkTrack RAT’s internal capabilities, infection chain, persistence, or command-and-control protocol beyond its identification as a RAT used in these campaigns. High-confidence associated context includes targeting of Ukrainian enterprises and individual entrepreneurs by UAC-0050 during September–October 2024, including compromises of accountants’ computers and attempted fraudulent payments through remote banking systems, as well as targeting of Russian organizations by PseudoSticky. No DarkTrack-RAT-specific indicators of compromise are explicitly provided in the content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UAC-0050

"…MARSSTEALER, DARKTRACKRAT and others."

via CERT-UA (cert.gov.ua)
PseudoSticky

"...drop DarkTrack RAT via PureCrypter."

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 1)

“Victims are typically infected by phishing emails containing malicious attachments that lead to the deployment of the trojans.”

Command and Control

1 technique
T1071 Application Layer Protocol (evidence: 1)

C2 Tracker is a free-to-use, community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware, botnet, and C2 infrastructure.

What this page doesn’t show

The version that knows your environment.

This page is what's public. Mallory adds the parts that aren't: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (2)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.