S1111 DarkGate
DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named “DarkGate” by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.1 DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.2
| Item | Value |
|---|---|
| ID | S1111 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 09 February 2024 |
| Last Modified | 21 October 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | DarkGate uses two distinct User Account Control (UAC) bypass techniques to escalate privileges.1 |
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.004 | Parent PID Spoofing | DarkGate relies on parent PID spoofing as part of its “rootkit-like” functionality to evade detection via Task Manager or Process Explorer.2 |
| enterprise | T1098 | Account Manipulation | - |
| enterprise | T1098.007 | Additional Local or Domain Groups | DarkGate elevates accounts created through the malware to the local administration group during execution.1 |
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | DarkGate command and control includes hard-coded domains in the malware chosen to masquerade as legitimate services such as Akamai CDN or Amazon Web Services.2 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.004 | DNS | DarkGate can cloak command and control traffic in DNS records from legitimate services to avoid reputation-based detection techniques. 1 |
| enterprise | T1010 | Application Window Discovery | DarkGate will search for cryptocurrency wallets by examining application window names for specific strings.1 DarkGate extracts information collected via NirSoft tools from the hosting process’s memory by first identifying the window through the FindWindow API function.1 |
| enterprise | T1119 | Automated Collection | DarkGate searches for stored credentials associated with cryptocurrency wallets and notifies the command and control server when identified.1 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | DarkGate installation includes AutoIt script execution creating a shortcut to itself as an LNK object, such as bill.lnk, in the victim startup folder.13 DarkGate installation finishes with the creation of a registry Run key.1 |
| enterprise | T1115 | Clipboard Data | DarkGate starts a thread on execution that captures clipboard data and logs it to a predefined log file.13 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | DarkGate has used PowerShell to create a remote shell.3 |
| enterprise | T1059.003 | Windows Command Shell | DarkGate uses a malicious Windows Batch script to run the Windows code utility to retrieve follow-on script payloads.2 DarkGate has also used cmd.exe to create a remote shell.3 |
| enterprise | T1059.005 | Visual Basic | DarkGate initial infection mechanisms include masquerading as pirated media that launches malicious VBScript on the victim.1 |
| enterprise | T1059.010 | AutoHotKey & AutoIT | DarkGate uses AutoIt scripts dropped to a hidden directory during initial installation phases, such as test.au3.1 |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.001 | Local Account | DarkGate creates a local user account, SafeMode, via net user commands.1 |
| enterprise | T1555 | Credentials from Password Stores | DarkGate use Nirsoft Network Password Recovery or NetPass tools to steal stored RDP credentials in some malware versions.2 |
| enterprise | T1486 | Data Encrypted for Impact | DarkGate can deploy follow-on ransomware payloads.1 |
| enterprise | T1005 | Data from Local System | DarkGate has stolen sitemanager.xml and recentservers.xml from %APPDATA%\FileZilla\ if present.3 |
| enterprise | T1001 | Data Obfuscation | DarkGate will retrieved encrypted commands from its command and control server for follow-on actions such as cryptocurrency mining.1 |
| enterprise | T1622 | Debugger Evasion | DarkGate checks the BeingDebugged flag in the PEB structure during execution to identify if the malware is being debugged.2 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | DarkGate installation includes binary code stored in a file located in a hidden directory, such as shell.txt, that is decrypted then executed.1 DarkGate uses hexadecimal-encoded shellcode payloads during installation that are called via Windows API CallWindowProc() to decode and then execute.2 |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.001 | Disk Content Wipe | DarkGate has deleted all files in the Mozilla directory using the following command: /c del /q /f /s C:\Users\User\AppData\Roaming\Mozilla\firefox*.3 |
| enterprise | T1480 | Execution Guardrails | DarkGate uses per-victim links for hosting malicious archives, such as ZIP files, in services such as SharePoint to prevent other entities from retrieving them.2 |
| enterprise | T1041 | Exfiltration Over C2 Channel | DarkGate uses existing command and control channels to retrieve captured cryptocurrency wallet credentials.1 |
| enterprise | T1083 | File and Directory Discovery | Some versions of DarkGate search for the hard-coded folder C:\Program Files\e Carte Bleue.1 |
| enterprise | T1657 | Financial Theft | DarkGate can deploy payloads capable of capturing credentials related to cryptocurrency wallets.1 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | DarkGate initial installation involves dropping several files to a hidden directory named after the victim machine name.1 Additionally, DarkGate uses attrib to hide a directory in the following command: C:\Windows\system32\attrib.exe” +h C:/rjtu/.4 |
| enterprise | T1665 | Hide Infrastructure | DarkGate command and control includes hard-coded domains in the malware masquerading as legitimate services such as Akamai CDN or Amazon Web Services.2 |
| enterprise | T1574 | Hijack Execution Flow | DarkGate edits the Registry key HKCU\Software\Classes\mscfile\shell\open\command to execute a malicious AutoIt script.1 When eventvwr.exe is executed, this will call the Microsoft Management Console (mmc.exe), which in turn references the modified Registry key. |
| enterprise | T1574.001 | DLL | DarkGate includes one infection vector that leverages a malicious “KeyScramblerE.DLL” library that will load during the execution of the legitimate KeyScrambler application.2 |
| enterprise | T1574.007 | Path Interception by PATH Environment Variable | DarkGate overrides the %windir% environment variable by setting a Registry key, HKEY_CURRENT_User\Environment\windir, to an alternate command to execute a malicious AutoIt script. This allows DarkGate to run every time the scheduled task DiskCleanup is executed as this uses the path value %windir%\system32\cleanmgr.exe for execution.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | DarkGate will terminate processes associated with several security software products if identified during execution.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | DarkGate has deleted its staging directories.3 |
| enterprise | T1105 | Ingress Tool Transfer | DarkGate retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server.1 DarkGate uses Windows Batch scripts executing the curl command to retrieve follow-on payloads.2 DarkGate has stolen sitemanager.xml and recentservers.xml from %APPDATA%\FileZilla\ if present.3 |
| enterprise | T1490 | Inhibit System Recovery | DarkGate can delete system restore points through the command cmd.exe /c vssadmin delete shadows /for=c: /all /quiet”.1 |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | DarkGate will spawn a thread on execution to capture all keyboard events and write them to a predefined log file.13 |
| enterprise | T1680 | Local Storage Discovery | DarkGate uses the Delphi methods Sysutils::DiskSize and GlobalMemoryStatusEx to collect disk size and physical memory as part of the malware’s anti-analysis checks for running in a virtualized environment.1 |
| enterprise | T1036 | Masquerading | DarkGate can masquerade as pirated media content for initial delivery to victims.1 |
| enterprise | T1036.003 | Rename Legitimate Utilities | DarkGate executes a Windows Batch script during installation that creases a randomly-named directory in the C:\ root directory that copies and renames the legitimate Windows |
| enterprise | T1036.007 | Double File Extension | DarkGate masquerades malicious LNK files as PDF objects using the double extension .pdf.lnk.2 |
| enterprise | T1106 | Native API | DarkGate uses the native Windows API CallWindowProc() to decode and launch encoded shellcode payloads during execution.2 DarkGate can call kernel mode functions directly to hide the use of process hollowing methods during execution.1 DarkGate has also used the CreateToolhelp32Snapshot, GetFileAttributesA and CreateProcessA functions to obtain a list of running processes, to check for security products and to execute its malware.3 |
| enterprise | T1027 | Obfuscated Files or Information | DarkGate uses a hard-coded string as a seed, along with the victim machine hardware identifier and input text, to generate a unique string used as an internal mutex value to evade static detection based on mutexes.2 |
| enterprise | T1027.013 | Encrypted/Encoded File | DarkGate drops an encrypted PE file, pe.bin, and decrypts it during installation.1 DarkGate also uses custom base64 encoding schemas in later variations to obfuscate payloads.2 |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | DarkGate can be distributed through emails with malicious attachments from a spoofed email address.1 |
| enterprise | T1566.002 | Spearphishing Link | DarkGate is distributed in phishing emails containing links to distribute malicious VBS or MSI files.2 DarkGate uses applications such as Microsoft Teams for distributing links to payloads.2 |
| enterprise | T1057 | Process Discovery | DarkGate performs various checks for running processes, including security software by looking for hard-coded process name values.13 |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.012 | Process Hollowing | DarkGate leverages process hollowing techniques to evade detection, such as decrypting the content of an encrypted PE file and injecting it into the process vbc.exe.13 |
| enterprise | T1496 | Resource Hijacking | - |
| enterprise | T1496.001 | Compute Hijacking | DarkGate can deploy follow-on cryptocurrency mining payloads.1 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | DarkGate looks for various security products by process name using hard-coded values in the malware.3 DarkGate will not execute its keylogging thread if a process name associated with Trend Micro anti-virus is identified, or if runtime checks identify the presence of Kaspersky anti-virus. DarkGate will initiate a new thread if certain security products are identified on the victim, and recreate any malicious files associated with it if it determines they were removed by security software in a new system location.1 |
| enterprise | T1539 | Steal Web Session Cookie | DarkGate attempts to steal Opera cookies, if present, after terminating the related process.3 |
| enterprise | T1082 | System Information Discovery | DarkGate will gather various system information such as domain, display adapter description, operating system type and version, processor type, and RAM amount.13 |
| enterprise | T1614 | System Location Discovery | DarkGate queries system locale information during execution.1 Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.2 |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | DarkGate tries to elevate privileges to SYSTEM using PsExec to locally execute as a service, such as cmd /c c:\temp\PsExec.exe -accepteula -j -d -s [Target Binary].2 |
| enterprise | T1529 | System Shutdown/Reboot | DarkGate has used the shutdowncommand to shut down and/or restart the victim system.3 |
| enterprise | T1124 | System Time Discovery | DarkGate creates a log file for capturing keylogging, clipboard, and related data using the victim host’s current date for the filename.1 DarkGate queries victim system epoch time during execution.1 DarkGate captures system time information as part of automated profiling on initial installation.2 |
| enterprise | T1552 | Unsecured Credentials | DarkGate uses NirSoft tools to steal user credentials from the infected machine.1 NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | DarkGate initial infection payloads can masquerade as pirated media content requiring user interaction for code execution.1 DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.2 |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | DarkGate queries system resources on an infected machine to identify if it is executing in a sandbox or virtualized environment.1 |
| enterprise | T1047 | Windows Management Instrumentation | DarkGate has used WMI to execute files over the network and to obtain information about the domain.3 |
References
-
Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Divya. (2024, April 30). Darkgate Malware Leveraging Autohotkey Following Teams. Retrieved November 22, 2024. ↩
-
Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024. ↩