{
  "name": "DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool",
  "slug": "darkcomet-rat-malware-hidden-inside-fake-bitcoin-tool",
  "description": "A malware analysis reveals the re-emergence of DarkComet RAT disguised as a Bitcoin-related application. The malware, packed with UPX to evade detection, is distributed as a RAR archive containing an executable file. Once unpacked, it installs itself as 'explorer.exe' in the user's AppData folder and creates a registry Run key for persistence. The RAT's configuration shows its command-and-control (C2) server as 'kvejo991.ddns.net' on port 1604. It employs keylogging, storing captured keystrokes in a 'dclogs' folder. The malware's process behavior includes spawning multiple cmd.exe and conhost.exe processes and injecting its payload into notepad.exe for stealth. Despite its age, DarkComet remains a potent threat, especially when combined with cryptocurrency lures.",
  "published": "2025-11-14T11:09:29+00:00",
  "created_at": "2025-11-14T11:09:29+00:00",
  "modified_at": "2025-11-14T11:46:00+00:00",
  "created_at_opencti": "2025-11-14T11:09:29+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-11-14",
    "bitcoin",
    "c2 communication",
    "cryptocurrency",
    "darkcomet",
    "darkcomet rat",
    "keylogging",
    "persistence",
    "rat",
    "upx packing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://kvejo991.ddns.net:1604"
      },
      {
        "id": "",
        "name": "kvejo991.ddns.net"
      },
      {
        "id": "",
        "name": "5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554"
      },
      {
        "id": "",
        "name": "58c284e7bbeacb5e1f91596660d33d0407d138ae0be545f59027f8787da75eda"
      },
      {
        "id": "",
        "name": "11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:4f9a987d16ef9b6c",
        "name": "DarkComet RAT",
        "slug": "darkcomet-rat"
      }
    ],
    "attack_patterns": [
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ]
  },
  "external_refs": [
    "https://www.pointwild.com/threat-intelligence/darkcomet-rat-malware-hidden-inside-fake-bitcoin-tool",
    "https://otx.alienvault.com/pulse/69171bf900fb2aed178f3e3b"
  ]
}