Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

DarkGate

99
Global rank
86 infographic chevron month
Month rank
80
Week rank
0
IOCs

DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.

Loader
Type
ex-USSR
Origin
15 November, 2018
First seen
20 July, 2025
Last seen
Also known as
Meh

How to analyze DarkGate with ANY.RUN

Type
ex-USSR
Origin
15 November, 2018
First seen
20 July, 2025
Last seen

IOCs

IP addresses
164.132.5.124
178.236.247.7
194.26.192.57
193.142.146.203
45.89.53.187
94.158.245.124
45.61.156.3
86.104.72.124
170.130.55.130
5.252.177.213
103.124.106.237
80.66.88.145
94.156.8.166
91.92.245.171
141.95.114.22
77.75.230.59
45.147.228.138
194.180.48.144
80.76.51.250
5.180.24.155
Domains
zadaravstvai.shop
comodozeropoint.com
goingupdate.com
buassinnndm.net
irreceiver.com
projetodegente.com
withupdate.com
backupitfirst.com
rourtmanjsdadhfakja.com
wpseed.com
madeyourbackup.com
31yc.com
ingatecsus.com.br
badbutperfect.com
wassonite.com
nextroundst.com
onlineserviceboonkers.com
tottalonlineservis.com
projecktupdatemonk.com
sftp.noheroway.com
URLs
http://sanibroadbandcommunicton.duckdns.org/
http://185.130.227.202/
http://jordanmikejeforse.com/
http://81.19.135.17/
http://piret-wismann.com/
http://adhufdauifadhj13.com/
http://80.66.88.145/
http://87.106.16.115:9061/
http://zochao.com/
http://80.85.152.122/
http://taochinashowwers.com/
http://94.228.169.143/
http://89.248.193.66/
http://89.248.193.66:2351/
http://uiahbmajokriswhoer.net/
http://cheneseemeg7575.cash/
http://annoyingannoying.vodka/
http://saintelzearlava.com/
http://trans1ategooglecom.com/
http://vintagecarsforlife.com/
Last Seen at

Recent blog posts

post image
How MSSPs Detect Incidents Early with Threat...
watchers 512
comments 0
post image
Free. Powerful. Actionable. Make Smarter Secu...
watchers 2853
comments 0
post image
Enterprise Plan: Boost SOC Performance, Reduc...
watchers 2809
comments 0

What is DarkGate malware?

DarkGate is a loader malware family that was first detected in 2018 and has since been continuously undergoing serious development, significantly expanding its functionality. This malicious software is notable for the use of various evasion techniques, such as process hollowing.

It is distributed based on the malware-as-a-service (MaaS) model by its developer who goes by the name RastaFarEye on popular Darkweb forums. According to the creator of the malware, they have been developing it since 2017.

As of the beginning of 2024, RastaFarEye offers only 30 seats per month to those willing to purchase a subscription, which is priced at $15,000/mo. The malware has been observed to be used by known threat actors in different attacks involving data theft and extortion. Operators get to control the malware via a special panel.

Expose malicious activities and get IOCs with ANY.RUN sandbox

  • Analyze malware in Windows 7, 10, and 11 VMs
  • Interact with files and links, just like on your own computer
  • Work in a private team space with your colleagues
Request 14-day free trial

Technical details of the DarkGate malicious software

DarkGate is a multi-functional malware, meaning that it can be employed for a range of malicious purposes. Here is an overview of its key capabilities:

  • DarkGate can execute malware to memory, making it more difficult to detect and remove.
  • It can remotely control the victim's computer, giving the attacker complete access to the victim's data and system, as well as log its keystrokes and take screenshots.
  • DarkGate can browse and manage files on the victim's computer.
  • It can steal the victim's passwords, credit card numbers, cookies, history, and other sensitive information from their web browsers.
  • The malware can gain administrator privileges on the victim's computer, giving the attacker even more control over the system.
  • DarkGate can steal the victim's Discord login token, which can be used to log in to their account and steal their data.
  • It is also equipped with a cryptominer, allowing operators to mine various cryptocurrencies using the victim's computer's CPU and/or GPU.

The DarkGate virus achieves persistence, making sure it stays on the computer even after a restart, in several ways. For instance, it can create a shortcut in the Startup folder or change a setting in the registry. Additionally, it employs Asynchronous Process Call injection.

In order to evade antivirus software, DarkGate has the functionality to check the presence of a list of popular security products on the system. It also has an anti-sandboxing capability, where it can detect a virtual machine environment and halt or adjust its execution.

All the communication with the command and control (C2) server is performed via HTTP and is obfuscated.

Execution process of DarkGate attacks

Despite having an anti-sandboxing capability, DarkGate can be easily analyzed in ANY.RUN. As a result, we can easily detect the malware and observe its activity by simply uploading its sample to the sandbox.

DarkGate threat details shown in ANY.RUN DarkGate`s threat details demonstrated in ANY.RUN

The execution chain of DarkGate may vary depending on the versions and other factors. In some instances, the entire execution chain is contained in a single file that facilitates all activities post-infection. Let's examine our sample.

DarkGate may perform process hollowing into certain processes within the infected operating system. This can include TabTip32, BraveUpdate, MicrosoftEdgeUpdate, ielowutil, or, in our case, GoogleUpdate. This malware often utilizes AutoIT scripts and files for injection and execution of shellcode and other malicious activities. The primary malicious activities are executed through the injected GoogleUpdate process. It adds itself to the startup directory, checks for the presence of antivirus software, connects to the command and control server (C2), downloads payloads, and more.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gathering threat intelligence on Darkgate malware

To collect up-to-date intelligence on Darkgate, use Threat Intelligence Lookup.

This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like Darkgate.

Darkgate ANY.RUN Search results for Darkgate in Threat Intelligence Lookup

For example, you can search directly for the threat name or use related indicators like hash values or network connections. Submitting a query such as threatName:"darkgate" AND domainName:"" will generate a list of files, events, domain names, and other data extracted from DarkGate samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution methods of the DarkGate malware

Like other common malware families, including Remcos and njRAT, DarkGate infiltrates systems through deceptive emails.

However, instead of directly embedding malware into an email attachment, DarkGate typically utilizes malicious links that direct users to compromised websites hosting MSI installer files. When unsuspecting users download and execute these infected MSIs, the DarkGate malware silently installs itself on their computers. Once embedded, DarkGate begins to steal sensitive information and perform other similar actions.

Conclusion

DarkGate is an extremely capable malware that is operated by infamous threat groups, which puts it on a list of major cybersecurity concerns. To ensure your organization has the capacity to avoid becoming another victim of the malware, you need to have access to up-to-date information on DarkGate.

Utilize the ANY.RUN sandbox to examine the latest samples of DarkGate and gather up-to-date insights into their behavior patterns. Uncover the TTPs employed by the malware and collect its indicators of compromise. Leverage ANY.RUN's interactive malware analysis approach to safely interact with the malware as if on your own device, extracting even more relevant information.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

ValleyRAT screenshot
ValleyRAT
valleyrat
ValleyRAT is a classic remote access trojan first documented in 2023, targeting mainly Windows systems. It is used by threat actors to gain persistent access to infected devices, steal data, and control compromised machines. ValleyRAT is notable for its relatively advanced evasion techniques and its connections to a prominent Chinese APT group.
Read More
Cactus Ransomware screenshot
Cactus ransomware-as-a-service (RaaS) was first caught in March 2023 targeting corporate networks. It became known for its self-encrypting payload and double extortion tactics. Cactus primarily targets large enterprises across industries in finance, manufacturing, IT, and healthcare. It is known for using custom encryption techniques, remote access tools, and penetration testing frameworks to maximize damage.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More
Loader screenshot
Loader
loader downloader
A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Read More
Spynote screenshot
Spynote
spynote
SpyNote, also known as SpyMax and CypherRat, is a powerful Android malware family designed primarily for surveillance and data theft, often categorized as a Remote Access Trojan (RAT). Originally emerged in 2016, SpyNote has evolved significantly, with new variants continuing to appear as recently as 2023–2025.
Read More
Spyware screenshot
Spyware
spyware
Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage.
Read More