DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool

Published 14/11/2025 12:09 · Modified 14/11/2025 12:46

Essential information

Tags: 2025-11-14, bitcoin, c2 communication, cryptocurrency, darkcomet, darkcomet rat, keylogging, persistence, rat, upx packing
Related entities: 5 observables, 6 techniques (MITRE), 1 malware

Description

A malware analysis reveals the reemergence of DarkComet RAT disguised as a bitcoin-related application. The malware, packed with UPX to evade detection, is distributed as a RAR archive containing an executable file. Once unpacked, it installs itself as 'explorer.exe' in the user's AppData folder and creates a registry run key for persistence. The RAT's configuration shows its command and control server as 'kvejo991.ddns.net' on port 1604. It employs keylogging, storing captured keystrokes in a 'dclogs' folder. The malware's process behavior includes spawning multiple cmd.exe and conhost.exe processes, and injecting its payload into notepad.exe for stealth. Despite its age, DarkComet remains a potent threat, especially when combined with cryptocurrency lures.
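The behaviours listed in the description translate directly into endpoint detections. The following Python is an added example for this entry, not code from the analysis it summarises: it runs five checks (explorer.exe outside C:\Windows, a Run key pointing into AppData, contact with kvejo991.ddns.net or port 1604, writes into a 'dclogs' directory, and cmd.exe/conhost.exe children of notepad.exe) over constructed events whose field names are loosely modelled on Sysmon. The sample events, the user and file names in them, and the assumption that a genuine explorer.exe always resides under C:\Windows are this example's own; the notepad.exe-to-cmd.exe parent/child rule is also an assumption, since the description reports the injection and the cmd.exe spawning separately.

```python
"""Hunt the DarkComet behaviours described above in constructed endpoint telemetry.

Added example; not taken from the analysis this entry summarises. Events are
dicts loosely modelled on Sysmon field names (Image, ParentImage, TargetObject,
Details, DestinationHostname, DestinationPort, TargetFilename); every event in
SAMPLE_EVENTS is constructed for illustration.
"""
from pathlib import PureWindowsPath

# Indicators taken from the analysis text above.
C2_HOST = "kvejo991.ddns.net"
C2_PORT = 1604
KEYLOG_DIR = "dclogs"
# Assumption of this example: a genuine explorer.exe lives under C:\Windows.
LEGIT_EXPLORER_PREFIX = "c:\\windows\\"


def _norm(path: str) -> str:
    """Lower-case a Windows path and unify separators for comparison."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return PureWindowsPath(_norm(path)).name


def check_masquerade(ev):
    """explorer.exe executing from a user-writable location such as AppData."""
    img = _norm(ev.get("Image", ""))
    if _basename(img) == "explorer.exe" and not img.startswith(LEGIT_EXPLORER_PREFIX):
        return f"explorer.exe masquerade outside C:\\Windows: {ev['Image']}"
    return None


def check_run_key(ev):
    """Run-key persistence whose value points at a binary under AppData."""
    key = _norm(ev.get("TargetObject", ""))
    value = _norm(ev.get("Details", ""))
    if "\\currentversion\\run\\" in key and "\\appdata\\" in value:
        return f"Run key persistence -> {ev['Details']}"
    return None


def check_c2(ev):
    """Connection to the configured C2 hostname or its port."""
    host = ev.get("DestinationHostname", "").lower()
    if host == C2_HOST or ev.get("DestinationPort") == C2_PORT:
        return f"C2 contact {ev.get('DestinationHostname')}:{ev.get('DestinationPort')}"
    return None


def check_keylog(ev):
    """Keystroke logs written into a 'dclogs' directory."""
    target = _norm(ev.get("TargetFilename", ""))
    if "\\" + KEYLOG_DIR + "\\" in target:
        return f"keylog file written: {ev['TargetFilename']}"
    return None


def check_notepad_child(ev):
    """cmd.exe or conhost.exe spawned by notepad.exe.

    The analysis reports injection into notepad.exe and many cmd.exe/conhost.exe
    children; pairing the two as one signal is an assumption of this example.
    """
    parent = _basename(ev.get("ParentImage", ""))
    child = _basename(ev.get("Image", ""))
    if parent == "notepad.exe" and child in ("cmd.exe", "conhost.exe"):
        return "cmd.exe/conhost.exe child of notepad.exe (possible injected host)"
    return None


CHECKS = (check_masquerade, check_run_key, check_c2, check_keylog, check_notepad_child)


def analyze(events):
    """Return (event_index, finding) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for check in CHECKS:
            msg = check(ev)
            if msg:
                hits.append((i, msg))
    return hits


SAMPLE_EVENTS = [  # constructed telemetry, not observed data from the sample
    {"Image": r"C:\Users\alice\AppData\Roaming\explorer.exe",
     "ParentImage": r"C:\Users\alice\Downloads\bitcoin_tool.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\explorer",
     "Details": r"C:\Users\alice\AppData\Roaming\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "kvejo991.ddns.net", "DestinationPort": 1604},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\dclogs\2025-11-14-5.dc"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\notepad.exe"},
    {"Image": r"C:\Windows\explorer.exe",  # benign shell start, must not fire
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    for idx, finding in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The second sample event fires twice (masquerade and Run key), which is the point: the persistence value and the process image are the same AppData path, so the two checks corroborate each other. The benign C:\Windows\explorer.exe event produces nothing.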

External references