DarkGate malware activity has recently increased because its developer is renting it out to a limited number of affiliates [3]. The associated malspam campaign uses hijacked email threads to trick recipients into downloading the malware.
The attack begins with a phishing URL that leads to an MSI payload [1] [2] [4] [5]; the infection is triggered when the recipient opens the MSI file or a Visual Basic Script [5]. DarkGate [1] [2] [3] [4] [5], sold on underground forums by an individual known as RastaFarEye, can evade detection, establish persistence, escalate privileges [1] [2] [4] [5], and steal data from web browsers and other software [1] [5]. It also communicates with a command-and-control server to carry out further malicious activity [1] [2] [4] [5]. The malware is offered on a subscription basis with several pricing tiers [1] [2] [4] [5]. According to a recent report [1] [2] [4], phishing remains the primary method of malware delivery [4] [5], accounting for 79% of identified threats in Q2 2023 [4] [5].
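The delivery chain above (link from a phishing mail, then an MSI package or a .vbs script launched by the user) leaves a recognisable parent/child trace in process-creation telemetry. The following triage function is an added example, not code from any of the cited reports; the field names, the parent and child process lists, and the sample events are constructed for illustration and would need adapting to a real EDR or Sysmon schema.

```python
"""Flag process-creation events consistent with a user opening an MSI
package or a Visual Basic Script from a mail client or browser.
Field names and sample events below are constructed for this example."""

# Parents from which an installer or script-host launch is worth a look (assumption).
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
# Children that execute MSI packages or .vbs files.
LAUNCHERS = {"msiexec.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_suspicious(event: dict) -> bool:
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    cmd = event.get("command_line", "").lower()
    if child not in LAUNCHERS or parent not in USER_FACING_PARENTS:
        return False
    if child == "msiexec.exe":
        # Interactive installs of vendor MSIs are routine; only flag a package that is
        # fetched from a URL or sits in a download/temp location.
        return any(m in cmd for m in ("http://", "https://", "\\downloads\\", "\\temp\\"))
    # A script host running a .vbs straight from a mail client, browser or Explorer.
    return ".vbs" in cmd


def triage(events):
    """Return the ids of events that match the delivery pattern."""
    return [e["event_id"] for e in events if is_suspicious(e)]


# Constructed sample events; paths and the URL are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"event_id": "E1", "parent_image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i https://example.invalid/update.msi /qn"},
    {"event_id": "E2", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'},
    {"event_id": "E3", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi"'},
    {"event_id": "E4", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "command_line": "msiexec.exe /V"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```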
The increase in DarkGate activity poses significant risk to individuals and organizations. Its ability to evade detection and steal sensitive data underscores the need for robust security controls. Mitigations should include training users to recognize phishing, including lures that arrive inside hijacked email threads, and enforcing strong email security protocols. As phishing remains a prevalent threat, it is crucial to stay vigilant and keep up with emerging trends in malware delivery.
[1] https://www.redpacketsecurity.com/darkgate-malware-activity-spikes-as-developer-rents-out-malware-to-affiliates/
[2] https://thehackernews.com/2023/08/darkgate-malware-activity-spikes-as.html
[3] https://www.linkedin.com/posts/wdevault_darkgate-malware-activity-spikes-as-developer-activity-7102303858630012928-r-BE
[4] https://jn66dataanalytics.com/news/darkgate-malware-activity-spikes-as-developer-rents-out-malware-to-affiliates-the-hacker-news
[5] https://vulners.com/thn/THN:87C22E8B53C509361BB9373A14D7B461