Threat Actor

DarkGate Operators

darkgate_operators · russia_speaking_organized_cybercrime · active since 2018

DarkGate Operators is a financially motivated, Russia-speaking organized cyber-criminal cluster operating the DarkGate malware family under the Malware-as-a-Service (MaaS) commercial model since June 2023 (with private-use operations dating to approximately 2018).

The operator-developer persona is RastaFarEye on the Russian-language Exploit[.]in and xss[.]is cybercrime forums.

The cluster distinguishes itself from in-house-operated loader clusters (Qakbot, Emotet, IcedID) through the MaaS commercial model, with the developer-operator providing DarkGate as a paid service to multiple distribution-affiliate customer threat actors.

The June 16, 2023 cybercrime-forum advertising transformed DarkGate from a private-use custom tool into one of the most rapidly proliferating commodity loader-as-a-service offerings of the 2023-2024 era.

After the FBI Operation Duck Hunt Qakbot takedown (August 2023), DarkGate distribution surged, with TA577 pivoting to DarkGate distribution alongside IcedID and PikaBot from September 22, 2023 onward (Deutsche Telekom CERT CTI canonical disclosure).

Signature operational innovations include Microsoft Teams chat-message phishing delivery (August 2023+, independently documented by Truesec, Bridewell and MalwareBytes), Google DoubleClick Ad open-redirect abuse (January 2024+), DNS TXT record abuse for command-execution evasion (2024), AutoIT-script-based payload execution tradecraft (a signature DarkGate operational pattern), and a built-in multi-capability payload including hVNC, keylogger, info-stealer, cryptocurrency miner, and rootkit module (distinguishing it from pure-loader clusters).

Downstream ransomware-affiliate relationships exist with BianLian, Black Basta, and adjacent post-Conti-ecosystem operators.

Fills the modern MaaS-loader-operations cell in the curated corpus, complementing Tier-2.5 in-house-operated loader-as-a-service coverage (qakbot_operators, emotet_operators, icedid_operators) and Tier-2.5 initial-access-broker coverage (bumblebee_exotic_lily).

Attribution: russia_speaking_organized_cybercrime (confidence: high) · 16 aliases · MITRE ATT&CK G1046

Profile

DarkGate Operators is a financially motivated, Russia-speaking organized cyber-criminal cluster operating the DarkGate malware family under the Malware-as-a-Service (MaaS) commercial model since June 2023 (with private-use operations dating to approximately 2018). The cluster's operator-developer persona is RastaFarEye (canonical online handle on the Russian-language Exploit[.]in and xss[.]is cybercrime forums), who in June 2023 publicly advertised DarkGate for paid rent to up to ten cybercrime-forum customers, transforming DarkGate from a private-use custom tool into one of the most rapidly proliferating commodity loader-as-a-service offerings of the 2023-2024 era. The cluster distinguishes itself from the Tier-2.5 loader-as-a-service clusters (qakbot_operators.yaml, emotet_operators.yaml, icedid_operators.yaml) curated in this corpus through the explicit MaaS commercial model: DarkGate has a developer-operator (the RastaFarEye persona) providing DarkGate as a paid service to multiple distribution-affiliate customer threat actors who conduct the operational distribution campaigns, whereas the Tier-2.5 LaaS clusters operate single in-house operator-team models combining development and distribution.

The MaaS commercial model operationally enables rapid distribution proliferation across multiple distribution-affiliate clusters and operational diversification of downstream operations.

Operational phases of the cluster's longitudinal history:

(1) PRIVATE-USE DEVELOPMENT ERA (2018 - June 2023). DarkGate was originally developed by 2018 and operated privately by its original developer through approximately mid-2023, with limited public-industry visibility during this private-use era. The long private-development period enabled iterative feature development and stability refinement before MaaS rollout, contributing to the rapid post-June-2023 distribution proliferation.

(2) MAAS COMMERCIALIZATION ERA (June 2023 - Present). On June 16, 2023, RastaFarEye publicly advertised DarkGate Malware-as-a-Service on Russian-language cybercrime forums. The advertisement characterized DarkGate's signature features, including hidden Virtual Network Computing (hVNC), browser info-stealer, keylogging, cryptocurrency miner, rootkit module, AutoIT-script-based payload execution, XOR-encrypted C2 configuration, and multi-format infection vector support. The MaaS commercialization transformed DarkGate operations and triggered rapid distribution proliferation across multiple cybercrime-forum-customer affiliates.

(3) POST-QAKBOT-TAKEDOWN DISTRIBUTION SURGE (September 2023 - Present). Following the August 25-29, 2023 FBI Operation Duck Hunt Qakbot takedown, DarkGate distribution surged to fill the loader-distribution void. TA577 (one of the most operationally significant post-Qakbot-takedown distribution-affiliate clusters) pivoted to DarkGate distribution alongside IcedID and PikaBot from September 22, 2023 onward, per Deutsche Telekom CERT CTI team disclosure. The September 2023 distribution surge established DarkGate as a primary post-Qakbot loader ecosystem.

(4) MICROSOFT TEAMS PHISHING INNOVATION (August 2023 - October 2023). DarkGate distribution operators (including the cluster Microsoft tracks as Storm-1811) innovated by using Microsoft Teams chat messages to deliver DarkGate via HR-themed social-engineering messages, bypassing email-security platform scanning mechanisms. Truesec, Bridewell, and MalwareBytes independently documented the Microsoft Teams phishing pattern. The Teams delivery channel was distinctive among 2023-era loader operations and prompted Microsoft to add Teams-message security features to constrain the tradecraft.

(5) MULTI-CHANNEL DISTRIBUTION + LEGITIMATE-SERVICE ABUSE ERA (2024 - Present). DarkGate operators have continued tradecraft evolution with: (a) Google DoubleClick Ad open-redirect abuse (January 2024 onward) for legitimate-service traffic-profile evasion; (b) DNS TXT record abuse for command-execution evasion (2024); (c) shifts to CAB and MSI archive formats (January 2024 onward); (d) DLL side-loading via VLC and iTunesHelper through compromised MSI installers (version 6.1.6); (e) continued affiliate-relationship diversification across post-Conti-ecosystem ransomware operations including BianLian and Black Basta.

Signature operational tradecraft includes:
  • AutoIT-script-based payload execution: DarkGate's signature tradecraft is delivery of an encrypted .AU3 AutoIT script that runs via the legitimate AutoIT.exe binary, itself downloaded with a LOLBAS (curl.exe). The .AU3 script contains the encrypted DarkGate payload, decrypts it during execution, and injects DarkGate into AutoIT.exe or another targeted process. This pattern evades signature-based detection focused on traditional PE-executable analysis.
  • Multi-channel phishing distribution: email (primary channel), Microsoft Teams (signature 2023+ innovation), DoubleClick Ad open-redirects (2024+), DNS TXT records (2024+), and SEO poisoning (2024+), distinguishing DarkGate from competing loader operations that typically rely on single-channel email-phishing distribution.
  • Built-in multi-capability payload: DarkGate is not purely a loader; it includes hVNC (Hidden Virtual Network Computing for remote operator interactive control), keylogger, info-stealer (browser credentials, cryptocurrency wallets, clipboard data, system information), cryptocurrency miner, and rootkit module. The built-in multi-capability positioning distinguishes DarkGate from pure loaders (Qakbot, Emotet, IcedID, Bumblebee) that typically focus on single-capability initial-access delivery.
  • Sophisticated anti-analysis tradecraft: anti-VM, anti-sandbox, and anti-debug detection routines, an internal payload crypter (v5+), parent PID spoofing, Portable Executable injection, signed-process abuse, and XOR-encrypted C2 configuration with version-dependent key rotation.
  • Information-gathering signature: collects username, CPU information, and anti-virus information from victim devices to support pre-engagement reconnaissance for downstream operator customers.
  • LOLBAS heavy use: curl.exe (download), wscript.exe and cscript.exe (VBS execution), ping.exe (internet-connectivity check), AutoIT.exe (script execution), regsvr32.exe and rundll32.exe (DLL execution), consistent with broader Russia-speaking-organized-cybercrime tooling patterns and a signature of DarkGate operations.
  • Distribution-affiliate cluster relationships: DarkGate is distributed by multiple affiliate clusters including TA577 (post-Qakbot pivot, primary high-volume distribution affiliate), Ducktail (per EclecticIQ tracking), Storm-1811 (Microsoft Teams operations), and broader cybercrime-forum-customer affiliates. The multi-affiliate distribution pattern extends DarkGate's reach beyond any single distribution-affiliate cluster's capability.
  • Downstream ransomware-affiliate operations: DarkGate infections serve as initial-access vectors for BianLian and Black Basta ransomware operations (signature 2023-2024 affiliate relationships) and adjacent post-Conti-ecosystem operations.

Industry analysis (EclecticIQ comparative analysis) observes operational similarities between DarkGate and IcedID distribution methods (shared use of PING.exe for internet-connectivity verification, CURL.exe for payload downloading, and decoy PDF documents) that may reflect either operational coordination between the clusters or shared tradecraft adoption from common cybercrime-forum knowledge bases. The shared tradecraft pattern suggests that the broader Russia-speaking-organized-cybercrime loader ecosystem has developed common operational tradecraft patterns that are adopted across multiple clusters.

The cluster is operationally significant as the modern era's canonical example of Malware-as-a-Service commercial model operations among loader-ecosystem clusters. The cluster fills the modern MaaS-loader-operations cell in this curated corpus, complementing the broader Tier-2.5 loader-as-a-service coverage (qakbot_operators.yaml, emotet_operators.yaml, icedid_operators.yaml, all of which operate in-house operator-team models) and the broader Tier-2.5 initial-access-broker coverage (bumblebee_exotic_lily.yaml, which operates the IAB specialization model) by providing analytical coverage of the MaaS commercial model specialization within the broader Russia-speaking-organized-cybercrime loader ecosystem.
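
As an added, defender-side example (not code from this profile or from any vendor cited here), the following Python correlates constructed Sysmon-style process-creation events to flag the chain the tradecraft bullets describe: curl.exe writing a file into a user-writable directory, followed within a short window on the same host by an AutoIT interpreter launching a .au3 script from such a directory or under a script-host parent. The event fields, paths, hostnames, the example.invalid URL and the 10-minute window are assumptions; a benign developer launch of AutoIt from its install directory is included to show the rule does not fire on it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style process-creation events, not real telemetry:
# (utc_time, host, parent_image, image, command_line)
EVENTS = [
    ("2024-01-10T09:00:01", "WS01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\curl.exe",
     r"curl.exe -o C:\Users\Public\AutoIt3.exe http://example.invalid/AutoIt3.exe"),
    ("2024-01-10T09:00:02", "WS01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\curl.exe",
     r"curl.exe -o C:\Users\Public\script.au3 http://example.invalid/script.au3"),
    ("2024-01-10T09:00:05", "WS01", r"C:\Windows\System32\wscript.exe", r"C:\Users\Public\AutoIt3.exe",
     r"C:\Users\Public\AutoIt3.exe C:\Users\Public\script.au3"),
    # Benign developer use of AutoIt from its install directory: must not alert.
    ("2024-01-10T10:15:00", "WS02", r"C:\Program Files\AutoIt3\SciTE\SciTE.exe",
     r"C:\Program Files\AutoIt3\AutoIt3.exe", r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\Dev\build.au3'),
]

# Assumed user-writable roots where a dropped interpreter or script is suspicious.
USER_WRITABLE = re.compile(r"^(?:C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
AUTOIT_IMAGES = {"autoit3.exe", "autoit.exe", "autoit3_x64.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_curl_download(image: str, cmdline: str) -> bool:
    """Stage 1: curl.exe writing its output file into a user-writable location."""
    if basename(image) != "curl.exe":
        return False
    m = re.search(r"(?:-o|--output)\s+\"?([^\s\"]+)", cmdline, re.I)
    return bool(m and USER_WRITABLE.match(m.group(1)))


def is_suspicious_autoit(parent: str, image: str, cmdline: str) -> bool:
    """Stage 2: AutoIt running a .au3 from a user-writable path, spawned by a script host, or itself dropped there."""
    if basename(image) not in AUTOIT_IMAGES:
        return False
    au3 = re.search(r"\"?([^\s\"]+\.au3)\"?", cmdline, re.I)
    return (bool(au3 and USER_WRITABLE.match(au3.group(1)))
            or basename(parent) in SCRIPT_HOSTS or bool(USER_WRITABLE.match(image)))


def detect_chain(events, window_minutes: int = 10):
    """Correlate stage 1 then stage 2 on the same host; returns (host, first_download_time, autoit_launch_time)."""
    downloads, hits = defaultdict(list), []
    for ts, host, parent, image, cmd in sorted(events):
        t = datetime.fromisoformat(ts)
        if is_curl_download(image, cmd):
            downloads[host].append(t)
        elif is_suspicious_autoit(parent, image, cmd):
            recent = [d for d in downloads[host] if 0 <= (t - d).total_seconds() <= window_minutes * 60]
            if recent:
                hits.append((host, recent[0].isoformat(), ts))
    return hits
```

Running `detect_chain(EVENTS)` returns one hit for WS01 and none for the WS02 developer launch; in a real deployment the same two stages map onto process-creation events from Sysmon or an EDR, with the path allow-list tuned to the environment.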

Aliases

16 aliases: darkgate, dark gate, dark_gate, darkgate_loader, darkgate loader, meh, rastafareye, rasta fareye, rasta_fareye, rastafareye persona, ducktail, storm-1811, darkgate_operators, darkgate operators, darkgate_maas, darkgate maas

Notable Campaigns

8 campaigns
2024-2025 · Continued Operations and Operational Continuity (2024-2025)
2024 · Google DoubleClick Ad Open-Redirect Abuse (January 2024)
2024 · German Banking Sector Targeting (2024)
2024 · DNS TXT Record Abuse for Command-Execution Evasion (2024)
2023 · Malware-as-a-Service Commercialization on Russian-Language Cybercrime Forums (June 2023)
2023 · Post-Qakbot-Takedown Distribution Surge (September 2023)
2023 · Microsoft Teams Phishing Innovation (August - October 2023)
2018-2023 · DarkGate Initial Development and Private-Use Era (2018-2023)

Attribution & Reporting

Attributed by
Microsoft Threat Intelligence Center, Trend Micro, EclecticIQ Threat Research, Cofense, Truesec, Trustwave SpiderLabs, Bridewell, MalwareBytes, Netskope Threat Labs, Red Canary, Cisco Talos, Symantec / Broadcom Threat Hunter Team, Proofpoint, Telekom Security (Deutsche Telekom CERT CTI), SecureWorks Counter Threat Unit, Palo Alto Networks Unit 42, Mandiant, CrowdStrike, Cybereason, SentinelOne, Check Point Research, ESET, Kaspersky GReAT, US FBI
Key reporting
EclecticIQ Threat Research: DarkGate, Opening Gates for Financially Motivated Threat Actors (February 12, 2024), canonical industry vendor research-report publication
Truesec: DarkGate Loader Delivered via Microsoft Teams (August 2023), canonical Teams-phishing-delivery first disclosure
Deutsche Telekom CERT CTI Team: DarkGate Loader Technical Analysis (August 2023), canonical technical-attribution publication
Bridewell SOC: An Encounter With DarkGate, Phishing via Microsoft Teams (September 22, 2023)
Trend Micro: DarkGate Campaign Abusing Skype and Microsoft Teams (October 2023)
MalwareBytes: DarkGate Loader Delivered via Microsoft Teams (September 2023)
Cofense: DarkGate and PikaBot Phishing Campaign Using Qakbot Tactics (November 2023), analysis by Dylan Duncan
Trustwave SpiderLabs: DarkGate Operational Tracking
Red Canary: DarkGate Threat Profile in 2023 Threat Detection Report
Microsoft Threat Intelligence: Storm-1811 + DarkGate Tracking (multi-channel phishing operations)
Cisco Talos: DarkGate Malware Analysis (multiple campaign analyses)
Palo Alto Networks Unit 42: DarkGate + PikaBot + TA577 Tracking (multiple campaign analyses)
Symantec / Broadcom: TA577 + DarkGate Continued Operational Tracking
Proofpoint: TA577 Post-Qakbot DarkGate Distribution Tracking (September 2023 - 2024)
Trend Micro: Water Curupira + PikaBot Operational Tracking (DarkGate adjacent)
Netskope Threat Labs: DarkGate MSI Loading Tactic with Cobalt Strike Default Shellcode Stub (October 2023)
SentinelOne: DarkGate Continued Tracking
Check Point Research: DarkGate Evolution and Cybercrime-Forum-Advertising Documentation
Recorded Future Insikt Group: DarkGate Operational Tracking
Malpedia Malware Profile: Win.DarkGate

Operational

State sponsor

Russia-speaking organized cyber-criminal cluster, financially motivated, operating under the Malware-as-a-Service (MaaS) commercial model. The cluster's signature malware family (DarkGate) was developed by an operator persona using the RastaFarEye handle, who in June 2023 began advertising DarkGate for paid rent to up to ten cybercrime-forum customers on the Russian-language Exploit[.]in and xss[.]is cybercrime forums. The Russian-language forum advertising and the persona's operational pattern are consistent with Russia-based or Russia-speaking-CIS-region operational basing.

Industry vendor tracking (Microsoft, Trend Micro, EclecticIQ, Cofense, Truesec, Trustwave SpiderLabs, Bridewell, MalwareBytes, Netskope Threat Labs, Red Canary, Cisco Talos, Symantec, Proofpoint, Telekom Security, SecureWorks, Unit 42, Mandiant) is consistent in tracking the cluster as financially motivated organized cybercrime. No formal government cybersecurity attribution to a specific state actor has been asserted. The cluster operates the MaaS commercial model with a developer-operator (RastaFarEye persona) providing DarkGate as a service to multiple distribution-affiliate customer threat actors who conduct the operational distribution campaigns, consistent with the broader Russia-speaking-organized-cybercrime malware-as-a-service ecosystem patterns observed with adjacent MaaS clusters.

The MaaS commercial model distinguishes DarkGate from in-house-developed-and-operated loader clusters (Qakbot, Emotet, IcedID, where a single operator cluster both develops and distributes the signature loader). Distribution affiliates of DarkGate include TA577 (one of the most operationally significant post-Qakbot-takedown distribution-affiliate clusters, curated as an alias in qakbot_operators.yaml), Ducktail, Storm-1811 (Microsoft Teams phishing operations), and broader cybercrime-forum-customer affiliates. DarkGate operations have additionally been associated with ransomware-affiliate downstream operations including BianLian, Black Basta, and adjacent post-Conti-ecosystem operators.

The cluster's operational positioning is materially distinct from the Tier-2.5 loader-as-a-service clusters (qakbot_operators.yaml, emotet_operators.yaml, icedid_operators.yaml) curated in this corpus: those operate single in-house operator-team models, whereas DarkGate operates a multi-customer paid-MaaS commercial model.

Motivations
malware_as_a_service_revenue, loader_distribution_as_paid_service, access_resale_to_downstream_threat_actors, data_theft_and_extortion, cryptocurrency_theft, credential_harvesting, information_stealing

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low percentages are the layers where you would be blind if this actor targeted you.
Behavioral / log (Sigma): 57/60 (95%)
Analytics (MITRE CAR): 29/60 (48%)
Runtime / container (Falco): 6/60 (10%)
File / malware (YARA): 0/60 (0%)
Network (Suricata/Snort): 13/60 (21%)
Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

1 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
Meterpreter, Microsoft Teams external user abuse, SharpHound
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin