DarkGate
Also known as: Meh, MehCrypter
First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| May 3, 2026 | 1 |
Further Reading
In this report, we share our recent crimeware findings: the new DarkGate loader, new LokiBot campaign and new Emotet version delivered via OneNote.
In early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign by Black Basta ransomware operators.
Severity High Analysis Summary Microsoft stated that it is disabling the ms-appinstaller protocol handler again after various threat actors exploited it as an initial access vector to distribute ma...
In addition to our Water Hydra APT zero day analysis, the Zero Day Initiative (ZDI) observed a DarkGate campaign which we discovered in mid-January 2024 where DarkGate operators exploited CVE-2024-...
Malspam campaigns involving DarkGate Loader have been on the rise since its author started advertising it as a Malware-as-a-Service offering on popular cybercrime forums in June 2023. Until now Dar...
Join us as we explore the malicious tactics and activities of the DarkGate malware family.
Stay up-to-date on the latest industry news with ZeroFox's Intelligence Hub. Access timely flash reports and expert analysis to stay informed and prepared.