Updated on June 22, 2026

DarkGate malware

DarkGate is a loader with remote access trojan capabilities developed in Delphi, which gained notoriety in late 2023 for its ability to operate secretly and evade detection by antivirus systems.

DarkGate is a loader with RAT capabilities, developed in Delphi with modules written in C++, that gained notoriety in the second half of 2023 because it operates covertly and adapts quickly to evade detection by antivirus systems. This stealth lets it spread rapidly across networks, infecting multiple devices and causing damage within organizations.

On various cybercrime forums, DarkGate is sold as Malware-as-a-Service (MaaS) by RastaFarEye. Over the past few months, it has been used by multiple threat actors such as TA577 and Ducktail.

To infect systems and accelerate its spread, its operators rely on the most widespread delivery methods, such as:

- Phishing emails: A social engineering technique to trick users into clicking on malicious links or downloading infected attachments.

- Compromised websites: Attackers inject DarkGate into legitimate websites, exploiting vulnerabilities to initiate a download or installation process without the user's knowledge.

- Fake software updates: DarkGate can masquerade as a legitimate software updater or installer, tricking users into granting it the permissions it needs to infect the system.

On Sekoia.io's blog, our TDR team conducted an in-depth technical analysis of DarkGate, shedding light on how it works (MITRE ATT&CK TTP), infection chain, evasion techniques, and potential impacts.

If you would also like to discover how we enable users of our XDR platform to anticipate the presence of IT threats before impact, you can watch this interactive demo: