DarkGate
Also known as: Meh, MehCrypter
First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian-language eCrime forum since May 2023.
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Mar 24, 2026 | 1 |
Further Reading
In addition to our Water Hydra APT zero day analysis, the Zero Day Initiative (ZDI) observed a DarkGate campaign which we discovered in mid-January 2024 where DarkGate operators exploited CVE-2024-...
Malspam campaigns involving DarkGate Loader have been on the rise since its author started advertising it as a Malware-as-a-Service offering on popular cybercrime forums in June 2023. Until now Dar...
Join us as we explore the malicious tactics and activities of the DarkGate malware family.
Stay up-to-date on the latest industry news with ZeroFox's Intelligence Hub. Access timely flash reports and expert analysis to stay informed and prepared.