What is DarkVision RAT Malware?

DarkVision RAT is a highly customizable Remote Access Trojan that emerged in 2020, gaining notoriety for its affordability and extensive feature set. Priced as low as $60 on platforms like Hack Forums, it has become a popular tool among cybercriminals, including those with minimal technical skills. Written in C/C++ and assembly, DarkVision RAT poses a significant threat to individuals and organizations worldwide due to its stealthy capabilities and sophisticated attack chain.

Its modular design makes it easy to adapt for credential theft, surveillance, lateral maneuvers, and persistence. Recent technical analyses show it is often delivered via multi-stage loaders (Donut shellcode / PureCrypter and implements a bespoke network protocol to communicate with command-and-control (C2) servers. The RAT also uses a variety of evasion and privilege-escalation techniques (DLL hijacking, process injection, autorun/backdoor patterns).

DarkVision RAT Victimology

The malware targets primarily Windows endpoints: home users, SMEs and enterprise workstations.

Its distribution profile — opportunistic criminal operators (ransomware / data theft actors, commodity cybercriminals) and less skilled attackers who buy prebuilt RAT kits.

Sectors observed in campaigns: general business environments where user workstations have internet access and credentials that can unlock broader access (finance, professional services, manufacturing have all been impacted in commodity RAT campaigns). The availability and low price point of DarkVision make it attractive to a wide array of attackers.

DarkVision RAT Typical Attack Chain

ANY.RUN’s Interactive Sandbox provides fresh samples of DarkVision recently detonated and thoroughly studied by our half-a-million community of threat analysts.

Let’s explore a sample to see the main stages of an attack chain on a live example.

View analysis

DarkVision sample analysis in the Interactive Sandbox

1. Initial Infection and Process Masquerading The DarkVision Remote Access Trojan (RAT) begins its operation by copying itself to the directory: C:\ProgramData\windows\windows.exe.

DarkVision establishes itself in a system directory

This location and filename are deliberately chosen to mimic a legitimate Windows executable, making it harder for the user or antivirus software to recognize it as malicious.

2. Registry Modifications Once executed, the malware creates a new registry key under: HKEY_CURRENT_USER\SOFTWARE\

It then adds three entries, each identified by a hardcoded GUID (Globally Unique Identifier). These values store Current System Time in a FILETIME structure.

DarkVision registry activity

RAT File Content – a large block of hexadecimal data representing the malicious binary’s content.

Binary file viewable in ANY.RUN Sandbox

RAT File Path – the full filesystem path to the RAT executable.

Another DarkVision registry modification for establishing in the system

These registry entries allow the malware to preserve important execution details and can be used for reloading the payload or tracking the system’s infection state.

3. Persistence Mechanism

To ensure it runs automatically after the system restarts, DarkVision RAT drops a batch script (.bat) file.

Script content example:

Bat file static analysis in ANY.RUN Sandbox

The script is then linked via a .lnk shortcut placed in the user’s startup folder

DarkVision persistence mechanism

This guarantees execution every time the system boots.

4. Process Injection

The malware injects its code into multiple legitimate Windows processes to avoid detection and run with elevated privileges. In this observed case, the target processes included explorer.exe, svchost.exe, сmd.exe

DarkVision injecting system Windows processes

5. Command and Control (C2) Communication After setup, DarkVision RAT connects to its hardcoded Command and Control server:

Network activity signaling malicious activity

This connection is used to receive the C2 IP server and port, as well as later instructions from the threat actor, and to send back collected information about the infected machine. The screenshots confirm DNS queries to the *.ddns.net domain, flagged by Suricata IDS as potentially malicious traffic.

Once communication is established, the RAT stays idle, waiting for the attacker’s commands. Potential capabilities include file exfiltration, system manipulation, additional payload downloads, and real-time surveillance.

How DarkVision RAT Generally Functions

DarkVision RAT typically spreads through a multi-stage infection chain, often initiated via phishing campaigns or malicious downloads:

• Initial Stage: A .NET executable, protected by .NET Reactor, executes a command cmd /c timeout 10 and decrypts second-stage shellcode using Triple DES (3DES) with Base64-encoded keys and IVs.
• Second Stage: The Donut loader, an x86 position-independent shellcode, decrypts and loads a .NET assembly using the Chaskey block cipher.
• Third Stage: PureCrypter, a .NET assembly, decompresses and deserializes a protobuf structure containing the encrypted DarkVision RAT payload (AES-CBC). It also executes PowerShell commands to add Windows Defender exclusions for malicious file paths and processes.
• Fourth Stage: The RAT copies itself to a designated path (e.g., %APPDATA%\photos\System.exe), establishes persistence, and initiates C2 communication. Phishing emails with malicious attachments or links to domains like nasyiahgamping[.]com/yknoahdrv.exe are common delivery vectors.

DarkVision RAT operates through a multi-stage attack chain, leveraging sophisticated techniques to infiltrate and persist on systems:

• Dynamic API Resolution: Uses GetProcAddress and LoadLibrary to resolve APIs dynamically, avoiding antivirus hooks. API names are XOR-encoded with the key [19 72 19 72].
  • Command-Line Parsing: Utilizes Globally Unique Identifiers (GUIDs) as command-line arguments for registry keys, folder names, and file names, ensuring randomness to evade detection.
• Privilege Escalation: Employs DLL hijacking targeting WinSAT.exe and DXGI.DLL for auto-elevation on Windows 10 and above.
  • Persistence Mechanisms: Achieves persistence via:
• Startup Folder: Creates a batch script and shortcut in the Windows startup folder.
• Autorun Keys: Adds entries to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKLM for system-wide persistence.
• Task Scheduler: Uses the ITaskService COM interface to schedule malicious tasks.

What DarkVision RAT Can Do to an Endpoint Device

DarkVision RAT is equipped with an extensive array of malicious capabilities that can severely compromise endpoint devices:

• Keylogging: Captures keystrokes to steal sensitive information like usernames, passwords, and other credentials.
• Screen Capture: Takes screenshots or records the victim’s desktop to monitor activities.
• File Manipulation: Allows attackers to upload, download, delete, or modify files on the infected system.
• Process Injection: Injects malicious code into legitimate processes to evade detection.
• Remote Code Execution: Executes arbitrary commands on the victim’s device, enabling full control.
• Password Theft: Extracts credentials from browsers, applications, and system files.
• **Audio and Webcam Capture: Records audio or video, compromising user privacy.
• Remote Access: Provides attackers with direct control over the infected device via Virtual Network Computing (VNC) or reverse proxy operations. These capabilities are often implemented through encrypted plugins, which remain in plain text only in memory, enhancing the malware’s stealth.

How DarkVision RAT Threatens Businesses and Organizations

• Data theft: sensitive files and credentials exfiltrated lead to IP loss, compliance breaches, and downstream fraud.
• Lateral movement: stolen credentials and remote shells enable access to privileged systems.
• Surveillance & espionage: persistent access permits long-term monitoring of sensitive activity.
• Operational disruption: attackers can deploy ransomware or destructive commands from an already present RAT.
• Reputation & legal exposure: stolen customer or employee data leads to regulatory and PR fallout. Because it’s inexpensive and modular, attackers can quickly reuse or reconfigure it for targeted campaigns.

Gathering Threat Intelligence on DarkVision RAT Malware

Threat intelligence (TI) gives security teams:

• Up-to-date IOCs (domains, IPs, hashes) to block and hunt.
• Campaign context (delivery method, loader chains) to prioritize detection coverage (e.g., inspect for Donut/PureCrypter stages).
• Behavioral TTPs mapped to frameworks (MITRE ATT&CK) so defenders can create analytic detections and response playbooks.

Start with a malware name search request to ANY.RUN’s Threat Intelligence Lookup and dive deep into contextual data on DarkVision. View public analyses of the malware’s fresh samples, extract the behavioral patterns, gather IOCs from each session.

threatName:"darkvision"

DarkVision sample analyses found via Threat Intelligence Lookup

Conclusion

DarkVision RAT remains a formidable threat due to its affordability, versatility, and sophisticated evasion techniques. Its ability to compromise endpoint devices, steal sensitive data, and maintain persistence poses significant risks to businesses and individuals alike. By understanding its attack chain, implementing robust detection and prevention measures, and leveraging threat intelligence, organizations can mitigate the risks posed by this malware.

Proactive cybersecurity practices, including user education, endpoint protection, and real-time monitoring, are essential to defend against DarkVision RAT and similar threats in the evolving cyber landscape.

Gather fresh actionable threat intelligence for quick detection and response via ANY.RUN’s TI Lookup: start with 50 trial requests.