
DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool

Medium
Published: Fri Nov 14 2025 (11/14/2025, 12:09:29 UTC)
Source: AlienVault OTX General

Description

DarkComet RAT malware has resurfaced disguised as a fake Bitcoin-related tool, distributed via a RAR archive containing a UPX-packed executable. Upon execution, it installs itself as 'explorer.exe' in the user's AppData folder and establishes persistence through a registry run key. The malware communicates with its command and control server at kvejo991.ddns.net on port 1604. It performs keylogging, storing captured keystrokes in a dedicated folder, and uses process injection into notepad.exe to evade detection. The malware also spawns multiple cmd.exe and conhost.

AI-Powered Analysis

Last updated: 11/14/2025, 12:46:42 UTC

Technical Analysis

The DarkComet Remote Access Trojan (RAT), an older but still effective malware strain, has reemerged in a new campaign disguised as a fake Bitcoin-related application. The malware is distributed as a RAR archive containing a UPX-packed executable file, a packing method used to evade signature-based detection by antivirus solutions. Once the executable is unpacked and run, it installs itself under the name 'explorer.exe' within the user's AppData directory, a common tactic to blend with legitimate Windows processes. To maintain persistence, it creates a registry run key, ensuring execution upon system startup. The RAT establishes command and control (C2) communication with a server hosted at 'kvejo991.ddns.net' on port 1604, allowing attackers to remotely control infected machines. Functionally, DarkComet performs keylogging by capturing keystrokes and storing them in a 'dclogs' folder, enabling theft of sensitive information such as credentials. For stealth, it injects its payload into the legitimate notepad.exe process and spawns multiple cmd.exe and conhost.exe processes, complicating detection and analysis. The use of cryptocurrency-themed social engineering lures increases the likelihood of user interaction and infection. Although no new exploits or vulnerabilities are leveraged, the malware’s persistence and data exfiltration capabilities pose significant risks. Indicators of compromise include multiple file hashes and the C2 domain and URL. The malware’s tactics align with MITRE ATT&CK techniques such as T1056.001 (Keylogging), T1566.001 (Phishing), T1204 (User Execution), T1041 (Exfiltration Over C2 Channel), T1547.001 (Registry Run Keys), T1027.002 (Packing), and T1071.001 (Application Layer Protocol).

Potential Impact

For European organizations, the DarkComet RAT poses a medium to high risk, particularly for entities involved in cryptocurrency trading, financial services, or those with employees susceptible to social engineering attacks involving Bitcoin. The malware’s keylogging capability threatens confidentiality by capturing sensitive credentials and personal data. Its persistence mechanisms and process injection techniques can lead to prolonged undetected access, enabling attackers to conduct espionage, data theft, or further network compromise. The spawning of multiple system processes may degrade system performance and complicate incident response. Additionally, the malware’s C2 communications could facilitate lateral movement or deployment of additional payloads. Given the widespread interest and investment in cryptocurrency across Europe, users may be more likely to fall victim to such lures, increasing infection rates. The threat also undermines trust in digital financial tools and may cause reputational damage if breaches become public. While the malware itself does not exploit zero-day vulnerabilities, its effective evasion and persistence tactics can result in significant operational disruption and data loss if not promptly detected and remediated.

Mitigation Recommendations

European organizations should implement layered defenses tailored to this threat. First, deploy advanced endpoint detection and response (EDR) solutions capable of unpacking UPX-packed executables and detecting process injection behaviors, in particular injection into notepad.exe and suspicious spawning of cmd.exe and conhost.exe processes. Monitor and alert on creation or modification of registry run keys whose command lines point into user AppData directories, since that is how this sample establishes persistence. Network defenses should include blocking and monitoring DNS queries and HTTP traffic to suspicious dynamic DNS domains such as 'kvejo991.ddns.net' and associated IP addresses on non-standard ports like 1604. User awareness training must emphasize the risks of downloading and executing unverified cryptocurrency tools and attachments, highlighting social engineering tactics. Implement strict application whitelisting to prevent execution of unauthorized binaries from user directories. Regularly audit and restrict user privileges to limit malware installation capabilities. Employ behavioral analytics to detect anomalous keylogging activities and unusual process behaviors. Finally, maintain updated threat intelligence feeds to identify and block known file hashes associated with this malware. Incident response plans should be prepared to isolate infected hosts and perform forensic analysis promptly.
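As an added example (not part of the OTX pulse or the referenced report), the following Python routine turns the behaviours described above into host-telemetry checks and runs them over constructed Sysmon-style events; the event field names, the run-key value name and the user paths are assumptions, while the domain, port, folder and process names come from the advisory.

```python
import re

# Indicators quoted from the advisory above; everything else is constructed.
C2_DOMAIN = "kvejo991.ddns.net"
C2_PORT = 1604
APPDATA_EXPLORER = re.compile(r"\\AppData\\.*\\explorer\.exe$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DCLOGS = re.compile(r"\\dclogs\\", re.I)

def check_event(ev):
    """Return the names of the advisory-derived rules that one event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set" and RUN_KEY.search(ev.get("key", "")) \
            and APPDATA_EXPLORER.search(ev.get("data", "")):
        hits.append("T1547.001 run key pointing at AppData explorer.exe")
    elif kind == "process_create":
        image, parent = ev.get("image", ""), ev.get("parent", "")
        if APPDATA_EXPLORER.search(image):  # the real explorer.exe lives under C:\Windows
            hits.append("explorer.exe executed from AppData")
        if parent.lower().endswith("\\notepad.exe") and \
                image.lower().endswith(("\\cmd.exe", "\\conhost.exe")):
            hits.append("notepad.exe spawning cmd/conhost (injection follow-on)")
    elif kind == "file_create" and DCLOGS.search(ev.get("path", "")):
        hits.append("T1056.001 keystroke log written to dclogs folder")
    elif kind == "network_connect":
        host, port = ev.get("dest_host", "").lower(), int(ev.get("dest_port", 0))
        if host == C2_DOMAIN:
            hits.append("T1071.001 connection to known C2 kvejo991.ddns.net")
        elif host.endswith(".ddns.net") and port == C2_PORT:
            hits.append("dynamic-DNS host on port 1604 (weaker, review manually)")
    return hits

def scan(events):
    """Map each matching event index to its rule hits; clean events are omitted."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

# Constructed sample telemetry (Sysmon-style), not real logs from the campaign.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Roaming\explorer.exe", "parent": r"C:\Users\alice\Downloads\BitcoinTool.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateExplorer", "data": r"C:\Users\alice\AppData\Roaming\explorer.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\notepad.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\dclogs\2025-11-14.log"},
    {"type": "network_connect", "dest_host": "kvejo991.ddns.net", "dest_port": 1604},
    {"type": "network_connect", "dest_host": "updates.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # events 1-5 are flagged, 0 and 6 are clean
```

The run-key and AppData rules are the cheapest to deploy, because a genuine explorer.exe is never launched from a user profile; the port-only rule is noisy and is kept as a lower-confidence hint.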


Technical Details

Author: AlienVault
TLP: white
References: https://www.pointwild.com/threat-intelligence/darkcomet-rat-malware-hidden-inside-fake-bitcoin-tool
Adversary: null
Pulse Id: 69171bf900fb2aed178f3e3b
Threat Score: null

Indicators of Compromise

Url: http://kvejo991.ddns.net:1604

Domain: kvejo991.ddns.net

Threat ID: 69172119dd0733879bf23f8b

Added to database: 11/14/2025, 12:31:21 PM

Last enriched: 11/14/2025, 12:46:42 PM

Last updated: 11/15/2025, 6:17:02 AM

Views: 45
