
DarkVision

DarkVision RAT is a low-cost, modular Remote Access Trojan that gives attackers remote control of infected Windows hosts. Initially observed around 2020 and sold in underground marketplaces, DarkVision has become notable for its full feature set (keylogging, screen capture, file theft, remote command execution and plugin support) and for being distributed via multi-stage loaders in recent campaigns.

Type: RAT
Origin: Unknown
First seen: 1 May, 2020
Last seen: 30 August, 2025



What is DarkVision RAT Malware?

DarkVision RAT is a highly customizable Remote Access Trojan that emerged in 2020, gaining notoriety for its affordability and extensive feature set. Priced as low as $60 on platforms like Hack Forums, it has become a popular tool among cybercriminals, including those with minimal technical skills. Written in C/C++ and assembly, DarkVision RAT poses a significant threat to individuals and organizations worldwide due to its stealthy capabilities and sophisticated attack chain.

Its modular design makes it easy to adapt for credential theft, surveillance, lateral movement and persistence. Recent technical analyses show it is often delivered via multi-stage loaders (Donut shellcode and PureCrypter) and that it implements a custom network protocol for talking to its command-and-control (C2) servers. The RAT also uses a variety of evasion and privilege-escalation techniques, including DLL hijacking, process injection and autorun-based persistence.


DarkVision RAT Victimology

The malware targets primarily Windows endpoints: home users, SMEs and enterprise workstations.

Its operator profile: opportunistic criminal groups (ransomware and data-theft actors, commodity cybercriminals) and less skilled attackers who buy prebuilt RAT kits.

Sectors observed in campaigns: general business environments where user workstations have internet access and credentials that can unlock broader access (finance, professional services, manufacturing have all been impacted in commodity RAT campaigns). The availability and low price point of DarkVision make it attractive to a wide array of attackers.

DarkVision RAT Typical Attack Chain

ANY.RUN’s Interactive Sandbox provides fresh samples of DarkVision recently detonated and thoroughly studied by our half-a-million community of threat analysts.

Let’s explore a sample to see the main stages of an attack chain on a live example.

[Screenshot: DarkVision sample analysis in the Interactive Sandbox]

  1. Initial Infection and Process Masquerading

The DarkVision Remote Access Trojan (RAT) begins its operation by copying itself to C:\ProgramData\windows\windows.exe.

[Screenshot: DarkVision establishes itself in a Windows-looking directory]

This location and filename are deliberately chosen to mimic a legitimate Windows executable, making it harder for the user or antivirus software to recognize it as malicious. Note that any user can create subfolders under C:\ProgramData, so this step needs no elevation.

  2. Registry Modifications

Once executed, the malware creates a new registry key under HKEY_CURRENT_USER\SOFTWARE\ and adds three entries, each identified by a hardcoded GUID (Globally Unique Identifier):

Current System Time – the infection time, stored as a FILETIME structure.

[Screenshot: DarkVision registry activity]

RAT File Content – a large block of hexadecimal data representing the malicious binary.

[Screenshot: Binary file viewable in ANY.RUN Sandbox]

RAT File Path – the full filesystem path to the RAT executable.

[Screenshot: Another DarkVision registry modification for establishing in the system]

These registry entries preserve execution details the RAT needs later; they can be used to reload the payload from the registry if the file on disk is removed and to track the system's infection state.
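The three values are recognizable by shape even though their GUID names differ per build. The following is an added example, not code from the ANY.RUN page or from DarkVision: it decodes the FILETIME, recovers the embedded binary from its hex representation and hashes it, so the payload can be pulled straight out of a registry export. The GUIDs, the install path and the tiny hex "payload" are constructed for illustration.

```python
# Added example, not code from the ANY.RUN page or from DarkVision itself: decode the
# three registry values the sandbox run shows the RAT writing under HKCU\SOFTWARE.
# GUID value names, the install path and the hex "payload" below are constructed for
# illustration (assumptions); a real sample stores a full PE image in the hex value.
import hashlib
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_from_bytes(raw: bytes) -> int:
    """FILETIME is stored as two little-endian DWORDs (dwLowDateTime, dwHighDateTime)."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    return int.from_bytes(raw, "little")


def decode_hex_payload(hex_text: str) -> bytes:
    """The 'RAT file content' value is the executable as hex text; recover the raw bytes."""
    return bytes.fromhex("".join(hex_text.split()))


def summarize_registry_values(values: dict) -> dict:
    """Classify each GUID-named value by its shape rather than by its (per-build) name:
    8-byte binary -> FILETIME, hex text beginning with the MZ magic (4D5A) -> embedded
    PE image, a string containing a backslash -> install path."""
    summary = {"timestamp": None, "payload_sha256": None, "payload_is_pe": False, "path": None}
    for data in values.values():
        if isinstance(data, bytes) and len(data) == 8:
            summary["timestamp"] = filetime_to_datetime(filetime_from_bytes(data))
        elif isinstance(data, str) and data.strip().upper().startswith("4D5A"):
            blob = decode_hex_payload(data)
            summary["payload_sha256"] = hashlib.sha256(blob).hexdigest()
            summary["payload_is_pe"] = blob[:2] == b"MZ"
        elif isinstance(data, str) and "\\" in data:
            summary["path"] = data
    return summary


# Constructed sample shaped like the sandbox screenshot: three values under one key.
# The GUIDs are hypothetical; 132327648000000000 is the FILETIME for 2020-05-01T00:00:00Z.
SAMPLE_VALUES = {
    "{0f3d9a7c-1b2e-4c5d-8e9f-0a1b2c3d4e5f}": (132327648000000000).to_bytes(8, "little"),
    "{6a7b8c9d-0e1f-4a2b-9c3d-4e5f6a7b8c9d}": "4D5A 9000 0300 0000 0400 0000 FFFF 0000",  # truncated DOS header
    "{1c2d3e4f-5a6b-4c7d-8e9f-a0b1c2d3e4f5}": "C:\\ProgramData\\windows\\windows.exe",
}

if __name__ == "__main__":
    for key, value in summarize_registry_values(SAMPLE_VALUES).items():
        print(f"{key}: {value}")
```

On a live host the same values can be read with `winreg` from HKCU\SOFTWARE\<GUID>; the SHA-256 of the recovered blob is the hash to pivot on in TI Lookup, since the on-disk copy may already have been deleted.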

  3. Persistence Mechanism

To ensure it runs automatically after the system restarts, DarkVision RAT drops a batch script (.bat) file.

Script content example:

[Screenshot: Bat file static analysis in ANY.RUN Sandbox]

The script is then launched via a .lnk shortcut placed in the user's Startup folder.

[Screenshot: DarkVision persistence mechanism]

This guarantees execution every time the user logs on (the Startup folder is processed at logon, not at boot, so the RAT is dormant until someone signs in).

  4. Process Injection

The malware injects its code into multiple legitimate Windows processes so that its activity is attributed to trusted binaries rather than to windows.exe. Injecting into a process that runs at a higher integrity level also lets the injected code act with that process's privileges, but that requires the RAT to have obtained those rights first (for example through the WinSAT DLL-hijacking auto-elevation described below). In this observed case, the target processes included explorer.exe, svchost.exe and cmd.exe.

[Screenshot: DarkVision injecting into Windows system processes]

  5. Command and Control (C2) Communication

After setup, DarkVision RAT resolves its hardcoded command-and-control address, in this sample a dynamic-DNS host under ddns.net:

[Screenshot: Network activity signaling malicious activity]

This connection is used to obtain the C2 server IP and port, to receive later instructions from the threat actor, and to send back collected information about the infected machine. The screenshots confirm DNS queries to the *.ddns.net domain, which Suricata IDS flagged as potentially malicious traffic.

Once communication is established, the RAT stays idle, waiting for the attacker's commands. Potential capabilities include file exfiltration, system manipulation, additional payload downloads, and real-time surveillance.
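Each of the five stages above leaves telemetry that a single rule can catch, but individually those rules are noisy; it is the chain that identifies DarkVision. The following is an added example, not code from the ANY.RUN page: five behavioural rules run over constructed Sysmon-style events that mirror the sandbox run, plus benign noise that must not fire. The event field names (type, path, key, value_name, source, target, query), the dropper name, the hostname and the GUIDs are assumptions; map the fields onto your own telemetry schema.

```python
# Added example, not code from the ANY.RUN page: behavioural rules that cover the five
# stages of the sandbox run above. The events are constructed Sysmon-style dicts and
# the field names (type, path, key, value_name, source, target, query) are assumptions.
import re

GUID = r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}"
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
INJECTION_TARGETS = {"explorer.exe", "svchost.exe", "cmd.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_masquerade_drop(ev: dict) -> bool:
    # Stage 1: the RAT copies itself to C:\ProgramData\windows\windows.exe
    return ev["type"] == "file_create" and ev["path"].lower() == "c:\\programdata\\windows\\windows.exe"


def rule_guid_registry(ev: dict) -> bool:
    # Stage 2: a GUID-named key under HKCU\SOFTWARE, or GUID-named values written there
    if ev["type"] != "registry_set":
        return False
    key = ev["key"].lower()
    if not key.startswith("hkcu\\software\\"):
        return False
    leaf = key.rsplit("\\", 1)[-1]
    value_name = ev.get("value_name", "").lower()
    return re.fullmatch(GUID, leaf) is not None or re.fullmatch(GUID, value_name) is not None


def rule_startup_shortcut(ev: dict) -> bool:
    # Stage 3: a .lnk dropped into the per-user Startup folder (it points at the .bat)
    p = ev.get("path", "").lower()
    return ev["type"] == "file_create" and p.endswith(".lnk") and STARTUP_DIR in p


def rule_injection(ev: dict) -> bool:
    # Stage 4: a process outside C:\Windows opens or creates a thread in explorer/svchost/cmd
    if ev["type"] not in {"process_access", "create_remote_thread"}:
        return False
    outside_windows = not ev["source"].lower().startswith("c:\\windows\\")
    return outside_windows and basename(ev["target"]) in INJECTION_TARGETS


def rule_ddns_c2(ev: dict) -> bool:
    # Stage 5: DNS lookup of a dynamic-DNS host under ddns.net
    return ev["type"] == "dns_query" and ev["query"].lower().endswith(".ddns.net")


RULES = {
    "masquerade_drop": rule_masquerade_drop,
    "guid_registry": rule_guid_registry,
    "startup_shortcut": rule_startup_shortcut,
    "injection": rule_injection,
    "ddns_c2": rule_ddns_c2,
}


def evaluate(events: list) -> list:
    """Names of the rules that fired at least once, sorted for stable output."""
    return sorted({name for ev in events for name, rule in RULES.items() if rule(ev)})


def verdict(events: list, threshold: int = 3) -> bool:
    """Any single rule is noisy on its own; several stages together are the DarkVision chain."""
    return len(evaluate(events)) >= threshold


# Constructed events mirroring the sandbox run (dropper name, hostname and GUIDs are hypothetical).
SAMPLE_EVENTS = [
    {"type": "file_create", "source": "C:\\Users\\admin\\Downloads\\invoice.exe",
     "path": "C:\\ProgramData\\windows\\windows.exe"},
    {"type": "registry_set", "source": "C:\\ProgramData\\windows\\windows.exe",
     "key": "HKCU\\SOFTWARE\\{3f1c2a9e-7b4d-4e1a-9c3b-2d5e6f7a8b9c}",
     "value_name": "{9d8c7b6a-5f4e-4d3c-8b2a-1f0e9d8c7b6a}"},
    {"type": "file_create", "source": "C:\\ProgramData\\windows\\windows.exe",
     "path": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\windows.lnk"},
    {"type": "create_remote_thread", "source": "C:\\ProgramData\\windows\\windows.exe",
     "target": "C:\\Windows\\explorer.exe"},
    {"type": "dns_query", "source": "C:\\Windows\\explorer.exe", "query": "update-host.ddns.net"},
]

# Benign noise that must not fire: an OS binary touching explorer, and ordinary DNS.
BENIGN_EVENTS = [
    {"type": "process_access", "source": "C:\\Windows\\System32\\taskmgr.exe",
     "target": "C:\\Windows\\explorer.exe"},
    {"type": "dns_query", "source": "C:\\Windows\\System32\\svchost.exe", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    print("sample:", evaluate(SAMPLE_EVENTS), "suspicious:", verdict(SAMPLE_EVENTS))
    print("benign:", evaluate(BENIGN_EVENTS), "suspicious:", verdict(BENIGN_EVENTS))
```

The injection rule deliberately ignores sources under C:\Windows because legitimate OS components open explorer.exe constantly; the interesting signal is an executable from a user-writable location doing so.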

How DarkVision RAT Generally Functions

DarkVision RAT typically spreads through a multi-stage infection chain, often initiated via phishing campaigns or malicious downloads:

  • Initial Stage: A .NET executable, protected by .NET Reactor, executes a command cmd /c timeout 10 and decrypts second-stage shellcode using Triple DES (3DES) with Base64-encoded keys and IVs.
  • Second Stage: The Donut loader, an x86 position-independent shellcode, decrypts and loads a .NET assembly using the Chaskey block cipher.
  • Third Stage: PureCrypter, a .NET assembly, decompresses and deserializes a protobuf structure containing the encrypted DarkVision RAT payload (AES-CBC). It also executes PowerShell commands to add Windows Defender exclusions for malicious file paths and processes.
  • Fourth Stage: The RAT copies itself to a designated path (e.g., %APPDATA%\photos\System.exe), establishes persistence, and initiates C2 communication. Phishing emails with malicious attachments or links to domains like nasyiahgamping[.]com/yknoahdrv.exe are common delivery vectors.

Once running, the RAT relies on the following techniques to stay hidden, elevate and persist:

  • Dynamic API Resolution: Uses GetProcAddress and LoadLibrary to resolve APIs at runtime, so the import table reveals little to static analysis and antivirus hooks on imports are sidestepped. API names are XOR-encoded with the key [19 72 19 72].
  • Command-Line Parsing: Uses Globally Unique Identifiers (GUIDs) as command-line arguments for registry keys, folder names and file names, so these artifacts look random and are hard to signature by name.
  • Privilege Escalation: Employs DLL hijacking targeting WinSAT.exe and DXGI.DLL for auto-elevation on Windows 10 and above.
  • Persistence Mechanisms: Achieves persistence via:
    • Startup Folder: Creates a batch script and shortcut in the Windows startup folder.
    • Autorun Keys: Adds entries to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or the HKLM equivalent for system-wide persistence.
    • Task Scheduler: Uses the ITaskService COM interface to schedule malicious tasks.
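Because the API names are only XOR-encoded, an analyst does not need to run the sample to recover them. The following is an added example, not code from the ANY.RUN page or from DarkVision: it scans a byte blob for NUL-terminated strings that decode to API-looking names under the key, trying every key alignment so the string offsets need not be known. It assumes that the page's "[19 72 19 72]" denotes the repeating hex bytes 0x19 0x72; the blob it scans is constructed here (three encoded names separated by 0x90 filler), not taken from a real sample.

```python
# Added example, not code from the ANY.RUN page or from DarkVision: locate API names
# that a loader keeps XOR-encoded and decodes only just before GetProcAddress.
# The page gives the key as "[19 72 19 72]"; this code assumes that denotes the
# repeating hex bytes 0x19 0x72. The blob below is constructed (three encoded names
# padded with 0x90 filler), not extracted from a real sample.
import re

XOR_KEY = bytes([0x19, 0x72, 0x19, 0x72])
API_NAME_RE = re.compile(rb"[A-Z][A-Za-z0-9]{5,40}")  # PascalCase Win32 export names


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_encoded_api_names(blob: bytes, key: bytes = XOR_KEY) -> list:
    """Return (offset, name) pairs for NUL-terminated strings that decode to API-looking names.

    Each string is encoded starting from key index 0, so a string at offset o decodes with
    the key rotated by -o mod len(key). Decoding the whole blob once per rotation covers
    every alignment without knowing the offsets in advance."""
    hits = set()  # a set because a key with a short period repeats rotations
    for phase in range(len(key)):
        rotated = key[phase:] + key[:phase]
        plain = xor_crypt(blob, rotated)
        for m in API_NAME_RE.finditer(plain):
            # A real C string ends in NUL; requiring it filters out chance letter runs.
            if m.end() < len(plain) and plain[m.end()] == 0:
                hits.add((m.start(), m.group().decode("ascii")))
    return sorted(hits)


def build_encoded_table(names: list, key: bytes = XOR_KEY) -> bytes:
    """Mimic a loader's string table: each name XOR-encoded separately, NUL included."""
    filler = [5, 3, 7, 4]  # arbitrary gaps between strings (constructed)
    out = bytearray()
    for i, name in enumerate(names):
        out += b"\x90" * filler[i % len(filler)]
        out += xor_crypt(name.encode("ascii") + b"\x00", key)
    out += b"\x90" * filler[len(names) % len(filler)]
    return bytes(out)


# Constructed input: what the loader's .data section might hold for three resolved APIs.
SAMPLE_BLOB = build_encoded_table(["GetProcAddress", "LoadLibraryA", "VirtualAlloc"])

if __name__ == "__main__":
    for offset, name in find_encoded_api_names(SAMPLE_BLOB):
        print(f"0x{offset:04x}: {name}")
```

Run against a real sample the same scanner is pointed at the mapped image or a memory dump; the recovered names are the RAT's effective import list and make a far better triage signal than the empty-looking static import table.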


What DarkVision RAT Can Do to an Endpoint Device

DarkVision RAT is equipped with an extensive array of malicious capabilities that can severely compromise endpoint devices:

  • Keylogging: Captures keystrokes to steal sensitive information like usernames, passwords, and other credentials.
  • Screen Capture: Takes screenshots or records the victim’s desktop to monitor activities.
  • File Manipulation: Allows attackers to upload, download, delete, or modify files on the infected system.
  • Process Injection: Injects malicious code into legitimate processes to evade detection.
  • Remote Code Execution: Executes arbitrary commands on the victim’s device, enabling full control.
  • Password Theft: Extracts credentials from browsers, applications, and system files.
  • Audio and Webcam Capture: Records audio or video, compromising user privacy.
  • Remote Access: Provides attackers with direct control over the infected device via Virtual Network Computing (VNC) or reverse proxy operations. These capabilities are often implemented as encrypted plugins that are decrypted only in memory, which keeps them out of reach of on-disk scanning.

How DarkVision RAT Threatens Businesses and Organizations

  • Data theft: sensitive files and credentials exfiltrated lead to IP loss, compliance breaches, and downstream fraud.
  • Lateral movement: stolen credentials and remote shells enable access to privileged systems.
  • Surveillance & espionage: persistent access permits long-term monitoring of sensitive activity.
  • Operational disruption: attackers can deploy ransomware or destructive commands from an already present RAT.
  • Reputation & legal exposure: stolen customer or employee data leads to regulatory and PR fallout. Because it’s inexpensive and modular, attackers can quickly reuse or reconfigure it for targeted campaigns.

Gathering Threat Intelligence on DarkVision RAT Malware

Threat intelligence (TI) gives security teams:

  • Up-to-date IOCs (domains, IPs, hashes) to block and hunt.
  • Campaign context (delivery method, loader chains) to prioritize detection coverage (e.g., inspect for Donut/PureCrypter stages).
  • Behavioral TTPs mapped to frameworks (MITRE ATT&CK) so defenders can create analytic detections and response playbooks.

Start with a malware name search request to ANY.RUN’s Threat Intelligence Lookup and dive deep into contextual data on DarkVision. View public analyses of the malware’s fresh samples, extract the behavioral patterns, gather IOCs from each session.

threatName:"darkvision"

[Screenshot: DarkVision sample analyses found via Threat Intelligence Lookup]


Conclusion

DarkVision RAT remains a formidable threat due to its affordability, versatility, and sophisticated evasion techniques. Its ability to compromise endpoint devices, steal sensitive data, and maintain persistence poses significant risks to businesses and individuals alike. By understanding its attack chain, implementing robust detection and prevention measures, and leveraging threat intelligence, organizations can mitigate the risks posed by this malware.

Proactive cybersecurity practices, including user education, endpoint protection, and real-time monitoring, are essential to defend against DarkVision RAT and similar threats in the evolving cyber landscape.

Gather fresh actionable threat intelligence for quick detection and response via ANY.RUN’s TI Lookup: start with 50 trial requests.
