Skip to content

DarkGate

Also known as: Meh, MehCrypter

First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.

C2 Infrastructure

Hosting/VPS 100%

Last 7 days

Jul 11, 2026
C2 Hosts: 1

Further Reading

Kaspersky crimeware report: Emotet, DarkGate and LokiBot opens in a new tab

In this report, we share our recent crimeware findings: the new DarkGate loader, new LokiBot campaign and new Emotet version delivered via OneNote.

securelist.com
Black Basta Ransomware Campaign Drops Zbot, DarkGate, & Custom Malware | Rapid7 Blog opens in a new tab

In early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign by Black Basta ransomware operators.

rapid7.com
Rewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs - Rewterz opens in a new tab

Severity High Analysis Summary Microsoft stated that it is disabling the ms-appinstaller protocol handler again after various threat actors exploited it as an initial access vector to distribute ma...

rewterz.com
DarkGate Opens Organizations for Attack via Skype, Teams opens in a new tab
trendmicro.com
CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign opens in a new tab

In addition to our Water Hydra APT zero day analysis, the Zero Day Initiative (ZDI) observed a DarkGate campaign which we discovered in mid-January 2024 where DarkGate operators exploited CVE-2024-...

trendmicro.com
Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion opens in a new tab
trendmicro.com
Title: DarkGate Loader delivered via Teams - Truesec opens in a new tab

Malspam campaigns involving DarkGate Loader have been on the rise since its author started advertising it as a Malware-as-a-Service offering on popular cybercrime forums in June 2023. Until now Dar...

truesec.com
DarkGate: From AutoIT to Shellcode Execution - VMRay opens in a new tab

Join us as we explore the malicious tactics and activities of the DarkGate malware family.

vmray.com
The Underground Economist: Volume 3, Issue 12 opens in a new tab

Stay up-to-date on the latest industry news with ZeroFox's Intelligence Hub. Access timely flash reports and expert analysis to stay informed and prepared.

zerofox.com

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.