DarkGate v6 Unpacked: Five Layers of Encryption, Bulletproof Hosting, and the Campaign Behind Key 4479023
TL;DR: A DarkGate v6 sample delivered inside an IExpress self-extracting archive was fully unpacked through a five-layer decryption chain -- from IExpress cabinet to obfuscated batch script to AutoIt3 loader (2,462 encrypted strings) to RC4+LZNT1 payload decryption to process hollowing injection into explorer.exe. The core DLL, compiled May 2023, operates under campaign key 4479023 and was co-delivered alongside LummaStealer for dual credential theft. Infrastructure analysis reveals Cloudflare-fronted C2 domains backed by bulletproof hosting providers in Germany and the Seychelles, with 388 certificates issued across two domains in a single month. All identified C2 infrastructure is currently dead, but the techniques and tooling remain actively reused across the DarkGate MaaS ecosystem.
Key Findings
DarkGate continues to be one of the most technically sophisticated Malware-as-a-Service (MaaS) offerings circulating in the cybercrime underground. This particular sample, first observed on October 21, 2025, demonstrates the depth of engineering that DarkGate affiliates deploy to evade detection at every stage of execution.
Five-Layer Attack Chain
The sample executes through a deeply nested series of stages, each designed to defeat a different class of defensive technology:
- IExpress Self-Extractor: The outer binary (setup.exe) is a standard Windows IExpress cabinet that extracts its contents silently.
- Batch Script Deobfuscation: 60 Set variable commands resolve into a fully functional batch script that reconstructs executables from fragmented PE data.
- AutoIt3 Loader: A legitimate AutoIt3 interpreter (compiled June 2025) runs a heavily obfuscated .au3 script containing 2,462 encrypted string calls using a custom KOREAN() cipher.
- RC4 + LZNT1 Payload Decryption: The campaign key 4479023 serves as the RC4 decryption key, followed by Windows-native LZNT1 decompression.
- Process Hollowing: The decrypted DarkGate core DLL is injected into explorer.exe via standard hollowing (CreateProcess SUSPENDED, context manipulation, NtWriteVirtualMemory). If BitDefender is detected, the target switches to TapiUnattend.exe.
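Recovering the stage-4 payload by hand needs both primitives from the RC4 + LZNT1 step chained in the right order. The Python below is an added example for this report's readers, not the loader's code or the report's own tooling; it hard-codes the campaign key named above and uses a constructed LZNT1 blob as a self-check.

```python
import struct
RC4_KEY = b"4479023"  # campaign ID doubles as the RC4 key, per the analysis above

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def lznt1_decompress(data: bytes) -> bytes:
    """LZNT1 decompressor, the format RtlDecompressFragment inflates natively."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        header, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
        if header == 0: break            # end-of-stream marker
        size = (header & 0xFFF) + 1      # chunk payload length, header excluded
        chunk, pos = data[pos:pos + size], pos + size
        if not header & 0x8000:          # bit 15 clear: chunk stored raw
            out += chunk
            continue
        start, i = len(out), 0           # back-references stay inside the chunk
        while i < len(chunk):
            flags, i = chunk[i], i + 1
            for bit in range(8):
                if i >= len(chunk): break
                if not (flags >> bit) & 1:
                    out.append(chunk[i]); i += 1   # literal byte
                    continue
                token, i = struct.unpack_from("<H", chunk, i)[0], i + 2
                # displacement/length bit split widens with output position (MS-XCA)
                p, l_mask, d_shift = len(out) - start - 1, 0xFFF, 12
                while p >= 0x10: p, l_mask, d_shift = p >> 1, l_mask >> 1, d_shift - 1
                length, offset = (token & l_mask) + 3, (token >> d_shift) + 1
                for _ in range(length):          # byte-wise copy handles overlap
                    out.append(out[-offset])
    return bytes(out)

def decrypt_payload(blob: bytes, key: bytes = RC4_KEY) -> bytes:
    return lznt1_decompress(rc4(key, blob))   # stage 4: RC4, then LZNT1 inflate

# Constructed sample: one compressed LZNT1 chunk that inflates to b"ABCABCABCABC"
SAMPLE_LZNT1 = bytes.fromhex("05b0084142430620")
```

On a real capture, feed `decrypt_payload` the encrypted buffer the loader hands to RtlDecompressFragment and check the result for an MZ header.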
Dual Payload Delivery
The sample carries tags for both DarkGate and LummaStealer, indicating a multi-stage credential theft strategy. This dual-payload approach hedges the operator's bets: if one stealer is detected or blocked, the other may succeed.
Aggressive Anti-Analysis
The AutoIt3 loader implements a comprehensive anti-analysis suite before executing the payload:
- Hostname blacklist: tz, NfZtFbPfH, ELICZ (known sandbox hostnames)
- Username check: test22 (common sandbox user)
- AV process detection: Avast (avastui.exe), Kaspersky (avp.exe), BitDefender (bdagent.exe), and Sophos
- VM detection: VirtualBox (VboxTray.exe), VMware (vmtoolsd.exe)
- Sandbox detection: Sandboxie (SandboxieRpcSs.exe)
- NTDLL unhooking: The loader maps a clean copy of ntdll.dll from disk and overwrites the in-memory hooked copy, neutralizing EDR hooks
- Adaptive injection target: Switches from explorer.exe to TapiUnattend.exe if BitDefender is present, avoiding BitDefender's monitored process
The NTDLL unhooking technique is particularly notable. By reading the pristine ntdll.dll from disk via CreateFileA, mapping it with MapViewOfFile, and copying the .text section over the loaded copy with memcpy, the malware removes any inline hooks placed by security products. This allows subsequent API calls -- including the process hollowing injection -- to execute without interception.
Minimal Footprint Mode
All 52 configuration flags in the DarkGate config are set to "10" (disabled/default). This means the sample runs in minimal footprint mode, likely performing only core C2 communication and credential theft without enabling noisier features like keylogging, clipboard monitoring, or remote desktop.
Attack Chain
The full execution flow from initial delivery to in-memory DarkGate execution follows this path:
[1] IExpress Self-Extractor (setup.exe)
|
v
[2] Cabinet Extraction
|-- Palestine.xlm (obfuscated batch script)
|-- 6 encrypted data files (.xlm extensions)
|-- Marie.xlm (nested cabinet with PE fragments)
|
v
[3] Batch Script Deobfuscation
|-- 60 Set variables resolve via cmd expansion
|-- AV detection via tasklist | findstr
|-- PE fragments reconstructed using extrac32 + findstr /V
|-- AutoIt script assembled: Wild + Cg + Wto + Contracts + Card + Camera -> t.au3
|
v
[4] AutoIt3 Loader Execution
|-- 2,462 KOREAN() encrypted string calls
|-- Anti-analysis checks (hostname, username, VM, AV, sandbox)
|-- NTDLL unhooking (clean copy from disk)
|-- RC4 decryption with key "4479023"
|-- LZNT1 decompression via RtlDecompressFragment
|
v
[5] Process Hollowing Injection
|-- Target: explorer.exe (or TapiUnattend.exe if BitDefender)
|-- CreateProcessW (SUSPENDED) -> GetThreadContext
|-- VirtualAllocExNuma -> NtWriteVirtualMemory
|-- NtSetContextThread -> NtResumeThread
|
v
[6] DarkGate Core DLL (in-memory only)
|-- Runtime string decryption
|-- Custom base64 encoded configuration
|-- HTTP-based C2 communication
Why This Chain Matters
Each layer serves a specific evasion purpose:
- IExpress is a legitimate Windows tool, so the outer binary has a clean import table and generic PE signature.
- Batch obfuscation defeats static analysis of the script layer.
- AutoIt3 is a legitimate interpreter, and the script's encryption prevents signature-based detection.
- RC4 + LZNT1 ensures the payload never exists in decrypted form on disk.
- Process hollowing means the final DarkGate DLL runs entirely in memory within a trusted process.
The use of extrac32.exe (a legitimate Windows cabinet extraction tool) and findstr /V (inverted string matching) to reconstruct PE fragments from scattered data files is a creative abuse of system binaries that can evade application whitelisting policies focused only on cmd.exe and powershell.exe.
Infrastructure Analysis
C2 Domains
Two domains were identified as DarkGate C2 endpoints for this campaign:
| Domain | Status | CT Certificates | First Cert |
|---|---|---|---|
| investmentsystems[.]top | DEAD (NXDOMAIN) | 209 certificates | October 2024 |
| oneinvestmentstudio[.]top | DEAD (NXDOMAIN) | 179 certificates | October 2024 |
Both domains were reported to ThreatFox as DarkGate C2 on January 24, 2026, and were already dead (NXDOMAIN) at the time of this investigation.
Certificate Analysis
The 388 certificates across both domains, all issued by DigiCert in October 2024, reveal a Cloudflare-fronted infrastructure pattern. The subdomain naming follows randomized prefixes:
pay.pay.pay.
kwid9.investmentsystems[.]top
uw9i.investmentsystems[.]top
v6j6e.oneinvestmentstudio[.]top
l7nqb.oneinvestmentstudio[.]top
vhakn.investmentsystems[.]top
fcvkr.oneinvestmentstudio[.]top
This pattern is characteristic of DarkGate campaigns that use Cloudflare as a reverse proxy. Each randomized subdomain receives its own certificate through Cloudflare's Universal SSL feature. The volume (388 certs in one month) suggests either automated subdomain rotation or preparation for a large-scale campaign with domain fronting capabilities.
Backend Hosting
Behind the Cloudflare front, four IP addresses were identified as backend C2 servers:
| IP | Provider | ASN | Country | Ports | Status |
|---|---|---|---|---|---|
| 155[.]138[.]149[.]77 | Vultr Holdings LLC | AS20473 | Canada | N/A | DEAD |
| 185[.]196[.]10[.]22 | Global-Data System IT Corp | SC-GLOBAL-DATA | Seychelles | 22, 3389, 5357, 5985 | LIVE |
| 154[.]216[.]16[.]83 | Wave Broadband (Mauritius) | -- | Mauritius | N/A | DEAD |
| 2[.]58[.]56[.]243 | 1337 Services GmbH | DE-1337SERVICES | Germany/Netherlands | 21, 25, 53, 80, 443, 8443, 8880 | LIVE |
Bulletproof Hosting Providers
Two of the backend providers are well-known bulletproof hosting (BPH) operations:
1337 Services GmbH (Hamburg, Germany): Operates 2[.]58[.]56[.]0/24 allocated to the Netherlands. The server at 2[.]58[.]56[.]243 runs nginx (web), Postfix (SMTP), FTP, and DNS services -- a full C2 backend stack. 1337 Services has been associated with multiple cybercrime hosting operations and is slow or unresponsive to abuse complaints.
Global-Data System IT Corp (Seychelles): Operates 185[.]196[.]8[.]0/22. The server at 185[.]196[.]10[.]22 exposes OpenSSH for Windows and RDP with self-signed certificates, suggesting a Windows-based management server. Seychelles registration provides jurisdictional protection against takedown efforts.
Hosting Hierarchy
Cloudflare CDN (Front)
|
+-- investmentsystems[.]top (209 certs, DEAD)
+-- oneinvestmentstudio[.]top (179 certs, DEAD)
|
v
Bulletproof Hosting (Backend)
|
+-- 1337 Services GmbH (DE/NL) -- nginx, Postfix, DNS
+-- Global-Data System IT Corp (SC) -- RDP, SSH
|
VPS Hosting (Secondary)
|
+-- Vultr (CA) -- DEAD
+-- Wave Broadband (MU) -- DEAD
Detection
YARA Summary
Detection rules target three distinct layers of this attack chain:
- IExpress/DarkGate Dropper: Matches the specific IExpress packing with DarkGate-associated internal file names (Palestine.xlm, Marie.xlm), the PE fragment reconstruction technique, and the AutoIt script assembly pattern.
- AutoIt3 KOREAN() Encryption: Detects the position-based cipher function used across 2,462 string decryption calls. The rule matches the KOREAN function name combined with AutoIt3 script markers and the characteristic key derivation pattern using 4294967291 (0xFFFFFFFB, for 32-bit unsigned overflow).
- DarkGate Core DLL: Matches the in-memory DLL by targeting the custom base64 config magic cabcaC, the campaign ID 4479023, RC4 key patterns, and process hollowing API call sequences (CreateProcessW + NtWriteVirtualMemory + NtSetContextThread).
Suricata Summary
Network detection rules cover:
- HTTP C2 Beaconing: Alerts on HTTP requests to investmentsystems[.]top and oneinvestmentstudio[.]top on any port, matching DarkGate's known HTTP-based C2 protocol patterns.
- Cloudflare-Fronted DarkGate: Detects TLS connections with SNI values matching the randomized subdomain pattern (4-5 character alphanumeric prefixes) on the identified C2 domains.
- Process Hollowing Network Callback: Alerts on the first network connection originating from explorer.exe to external IP ranges associated with the identified C2 infrastructure, indicating successful injection.
IOCs (Defanged)
Network Indicators
C2 Domains:
investmentsystems[.]top
oneinvestmentstudio[.]top
C2 IPs:
155[.]138[.]149[.]77 (Vultr, CA -- DEAD)
185[.]196[.]10[.]22 (Global-Data System, SC -- LIVE)
154[.]216[.]16[.]83 (Wave Broadband, MU -- DEAD)
2[.]58[.]56[.]243 (1337 Services, DE -- LIVE)
File Indicators
Dropper (setup.exe):
SHA256: dbdab701feecc382b037b61b4268f1f796c28f3c30d77e18506cb1646bf9cb0b
SHA1: f3a403871eee2abf3d4150c3b0dbd878c8c80c31
MD5: 358e54bf814e5c420568c0af8cd13df9
Core DLL (in-memory):
SHA256: 5c1004c7c5b0f54b879c349a908bea056f44e7739bb8caf89feabee162605f09
MD5: 9a6860a975d00df6f0ad5a5d306297ad
AutoIt3 Interpreter (legitimate, abused):
SHA256: 881619a47b62b52305d92640cc4d4845a279c23a5a749413785fc8fcb0fdf7fb
Behavioral Indicators
Mutex candidate: LZedmNtUrLonBH
Identifier: AfjCJruXYGTAUCaJ
PDB path: wextract.pdb
Config magic: cabcaC
Campaign ID / RC4 key: 4479023
Primary injection target: explorer.exe
Alt injection target: \TapiUnattend.exe
Sandbox hostname checks: tz, NfZtFbPfH, ELICZ
Sandbox username check: test22
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Application |
|---|---|---|---|
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Obfuscated batch script (Palestine.xlm) with 60 Set variable substitutions |
| Execution | Command and Scripting Interpreter: AutoHotKey and AutoIt | T1059.010 | AutoIt3 loader with KOREAN() position-based string encryption |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | RC4 decryption + LZNT1 decompression of payload |
| Defense Evasion | Process Injection: Process Hollowing | T1055.012 | Hollow into explorer.exe or TapiUnattend.exe via suspended process creation |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | NTDLL unhooking by mapping clean copy from disk |
| Defense Evasion | Virtualization/Sandbox Evasion: System Checks | T1497.001 | Hostname, username, VM, AV, and sandbox detection |
| Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 | Custom base64 config with runtime-generated alphabet, KOREAN() string encryption |
| Defense Evasion | System Binary Proxy Execution | T1218 | IExpress/WExtract for initial execution, extrac32 for PE reconstruction |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTP-based C2 communication |
Campaign Timeline
| Date | Event |
|---|---|
| 2023-05-13 | DarkGate core DLL compiled |
| 2024-10-24 | First CT certificates issued for C2 domains (DigiCert via Cloudflare) |
| 2024-12-14 | Related DarkGate samples observed using 154[.]216[.]16[.]83 and 2[.]58[.]56[.]243 |
| 2025-01-25 | DarkGate samples using 155[.]138[.]149[.]77, signed as "KDL CENTRAL LIMITED" |
| 2025-06-29 | AutoIt3 interpreter compiled |
| 2025-10-21 | This sample first observed on MalwareBazaar (web download delivery) |
| 2026-01-24 | ThreatFox reports both C2 domains as DarkGate infrastructure |
| 2026-03-10 | Investigation date; both C2 domains dead/NXDOMAIN |
Threat Actor Assessment
Developer: RastaFarEye, the known operator and developer of the DarkGate MaaS platform. DarkGate has been offered as a subscription service on underground forums since at least 2018, with v6 representing the latest major version.
Operator: Unknown affiliate using campaign ID 4479023. The DarkGate MaaS model means the developer provides the builder and infrastructure tools, while affiliates handle distribution. The dual-payload delivery with LummaStealer and the minimal-footprint configuration suggest an operator focused on credential theft rather than ransomware deployment.
Motivation: Financial. The DarkGate + LummaStealer combination is designed for bulk credential harvesting, particularly targeting browser-stored passwords, cookies, and cryptocurrency wallet data.
Analyst Notes
Config Extraction Challenge
Fourteen distinct approaches were attempted to statically extract the C2 configuration from the DarkGate core DLL. All failed. The custom base64 alphabet used for the configuration is generated at runtime by executable code, not stored as static data. The standard DarkGate alphabet spacer used by public extractors (Telekom Security, rivitna, RussianPanda, Kroll, Trellix) is absent from this binary. The config blob at .data+0x80B0 has zero cross-references from .text section instructions, meaning it is accessed through an indirect mechanism.
This represents an evolution in DarkGate's anti-extraction capabilities. Previous versions stored the alphabet in a recognizable format that allowed static extraction. This v6 build requires dynamic analysis (debugger breakpoints or emulation) to capture the alphabet after runtime generation.
Sandbox Evasion Effectiveness
All public sandbox reports (ANY.RUN, CAPE, Triage) show zero network IOCs extracted from this sample. The anti-analysis checks successfully prevented C2 communication in every automated analysis environment tested. The C2 addresses used in this report were obtained through OSINT correlation with ThreatFox reporting and related sample analysis, not from the binary itself.
Defensive Recommendations
Organizations should prioritize:
- AutoIt3 execution monitoring: Flag any AutoIt3.exe execution from non-standard paths in EDR telemetry.
- extrac32.exe abuse detection: Alert on extrac32.exe spawned by batch scripts, as this is a rare legitimate use case.
- NTDLL integrity monitoring: Implement checks for ntdll.dll .text section modifications, which indicate hook removal attempts.
- CT log monitoring: Track certificate issuance for .top domains with randomized 4-5 character subdomains, a signature of DarkGate Cloudflare-fronted infrastructure.
- BPH ASN blocking: Consider blocking or alerting on traffic to 1337 Services GmbH and Global-Data System IT Corp IP ranges at the network perimeter.
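The CT log monitoring recommendation above, and the certificate pattern described under Certificate Analysis, can be turned into a concrete triage check. The Python below is an added example, not part of this report or its pipeline: it takes (dns_name, not_before) pairs from any CT feed, keeps only 4-5 character labels directly under a .top apex, and flags apexes whose certificate count inside a sliding window crosses a threshold. The window and threshold values and the sample feed are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the fronting hosts seen in the CT data above: a 4-5 character
# alphanumeric label directly under a .top registered domain.
RANDOM_LABEL = re.compile(r"^[a-z0-9]{4,5}\.([a-z0-9-]+\.top)$")

def apex_if_suspicious(dns_name: str):
    """Return the .top apex if the name carries a randomized label, else None."""
    m = RANDOM_LABEL.match(dns_name.strip().lower())
    return m.group(1) if m else None

def flag_apexes(entries, window=timedelta(days=31), threshold=20):
    """entries: (dns_name, not_before ISO date) pairs from a CT log feed.
    Returns {apex: peak count} for apexes that collected at least `threshold`
    randomized-label certificates inside any sliding `window`."""
    dates_by_apex = defaultdict(list)
    for dns_name, not_before in entries:
        apex = apex_if_suspicious(dns_name)
        if apex:
            dates_by_apex[apex].append(datetime.fromisoformat(not_before))
    flagged = {}
    for apex, dates in dates_by_apex.items():
        dates.sort()
        lo, peak = 0, 0
        for hi, d in enumerate(dates):
            while d - dates[lo] > window:      # slide the window's left edge
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[apex] = peak
    return flagged

# Constructed sample feed (not real CT data): 24 randomized labels issued over
# October 2024 for one apex, plus ordinary names that must not count.
SAMPLE_FEED = [(f"ab{n:03d}.example-fronted.top", f"2024-10-{n + 1:02d}")
               for n in range(24)]
SAMPLE_FEED += [
    ("www.example-fronted.top", "2024-10-05"),   # conventional label
    ("pay.example-fronted.top", "2024-10-06"),   # 3 chars, below pattern
    ("k9xq.legit-shop.top", "2024-10-07"),       # one-off, under threshold
    ("a1b2c.corp.example", "2024-10-08"),        # not a .top domain
]
```

Tune `threshold` against your own CT volume; the 388 certificates in one month reported above would clear any sane setting.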
Published by Breakglass Intelligence -- GHOST automated analysis pipeline. Investigation ID: darkgate-march10 | TLP:WHITE | 2026-03-10