S0334: DarkComet
Analyst context for executives and security teams
DarkComet matters because ATT&CK describes it as a Windows remote administration tool and backdoor, with relationships to behaviors that support persistence, command execution, discovery, collection, command-and-control, and defense impairment. For leaders, the practical issue is not the tool name alone: it is whether Windows endpoint, identity, RDP, network, and registry telemetry can prove or disprove remote access, data collection, and persistence activity during an incident.
Executive priority
Prioritize DarkComet as a readiness test for Windows remote-access malware coverage. ATT&CK links it to multiple groups and to techniques such as RDP use, Windows command shell execution, registry modification, Run Keys/Startup Folder persistence, web-protocol C2, keylogging, clipboard collection, audio/video capture, tool transfer, and firewall/security-tool impairment. Executives should ask whether SOC and IR teams can quickly answer: which Windows hosts have suspicious remote access, what accounts were used, what persistence was created, what data or peripherals may have been accessed, and whether security controls or Windows Firewall were modified.
Technical view
The official object has no ATT&CK detection text, so detection engineering should be built from the related techniques and validated locally. Focus on Windows evidence for unusual RDP logons, command shell execution, new or modified registry keys including Run Keys, startup-folder changes, host firewall changes, process and system discovery, file transfer into the environment, web-protocol outbound communications, packed or disguised executables, clipboard access, keylogging indicators, and microphone/camera access. Relationship context also shows ATT&CK reporting of use by APT38, SilverTerrier, and Transparent Tribe; use that as threat-intelligence context, not as proof of attribution in any local case.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and discovery commands
- Windows Security and RDP logon/session events for remote interactive access
- Registry auditing for autoruns, Run Keys, startup-related persistence, and other modifications
- File creation and executable metadata for newly introduced, packed, or suspiciously named binaries
- Network proxy, DNS, firewall, and EDR network telemetry for outbound web-protocol communications
Detection direction
- Treat the absence of official ATT&CK detection guidance as a coverage gap to close with behavior-based analytics mapped to the related techniques.
- Correlate suspicious RDP activity with subsequent command shell execution, registry changes, file transfer, discovery commands, and outbound web traffic from the same Windows host.
- Tune for false positives from legitimate administration tools, helpdesk activity, software deployment, remote support, and normal RDP use by requiring context such as unusual account, source, time, destination, newly created persistence, or security-control changes.
- Validate detections for Run Key/Startup Folder persistence and Windows Firewall modification because those behaviors materially affect incident containment and recovery.
- Review blind spots around endpoint telemetry depth: packed executables, renamed binaries in trusted-looking locations, clipboard/peripheral access, and security-tool impairment may be missed by log-only monitoring.
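The correlation rule these points describe, run over the telemetry sources listed under Likely telemetry, as an added example that is not part of the ATT&CK object or the Glexia page. The event records are constructed to resemble normalised Windows Security 4624 and Sysmon 1/3/11/13 fields (hostnames, users, SIDs and addresses are invented), and the behaviour families, the 30-minute window and the "remote access plus a high-impact change plus three families" threshold are assumptions to be tuned against local baselines:

```python
"""Host-level correlation for DarkComet-style remote-access activity (added example).

Scores each Windows host on how many distinct behaviour families from the S0334
technique list appear inside a time window, and flags only when remote access or a
command shell co-occurs with a persistence or firewall change. Events are constructed
to look like normalised Security 4624 / Sysmon 1, 3, 11, 13 records; thresholds are
assumptions, not ATT&CK guidance."""
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_CMDS = ("tasklist", "systeminfo", "whoami", "hostname", "net user")
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
ACCESS = {"rdp_logon", "cmd_shell"}                       # T1021.001 / T1059.003
HIGH_IMPACT = {"autorun_persistence", "firewall_change"}  # T1547.001 / host firewall change


def classify(ev: dict) -> set:
    """Map one normalised event to behaviour families; one event may hit several."""
    fam = set()
    src, eid = ev.get("source"), ev.get("event_id")
    image = ev.get("image", "").lower()
    cmd = ev.get("command_line", "").lower()
    target = ev.get("target_object", "").lower()
    fname = ev.get("target_filename", "").lower()
    if src == "security" and eid == 4624 and ev.get("logon_type") == 10:
        fam.add("rdp_logon")                              # RemoteInteractive logon
    if src == "sysmon" and eid == 1:
        if image.endswith("\\cmd.exe"):
            fam.add("cmd_shell")
        if any(d in cmd for d in DISCOVERY_CMDS):
            fam.add("discovery")                          # T1057 / T1082 / T1033
        if "advfirewall" in cmd and ("state off" in cmd or "add rule" in cmd):
            fam.add("firewall_change")
    if src == "sysmon" and eid == 13:                     # registry value set
        if any(k in target for k in AUTORUN_KEYS):
            fam.add("autorun_persistence")
        if "\\firewallpolicy\\" in target and "enablefirewall" in target:
            fam.add("firewall_change")
    if src == "sysmon" and eid == 11:                     # file created
        if "\\start menu\\programs\\startup\\" in fname:
            fam.add("autorun_persistence")
        if fname.endswith(".exe") and any(p in fname for p in USER_WRITABLE):
            fam.add("tool_transfer")                      # T1105
    if src == "sysmon" and eid == 3 and ev.get("dest_port") in (80, 443):
        if any(p in image for p in USER_WRITABLE):
            fam.add("web_c2")                             # T1071.001 from a user-writable path
    return fam


def correlate(events, window_minutes: int = 30) -> dict:
    """Return {host: sorted families} for hosts whose events within the window show
    remote access or a shell, at least one high-impact change, and >= 3 families.
    RDP plus ordinary admin commands alone is deliberately not enough."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), classify(ev)))
    flagged = {}
    for host, items in by_host.items():
        items.sort(key=lambda t: t[0])
        for i, (start, _) in enumerate(items):
            fams = set()
            for ts, f in items[i:]:
                if ts - start > window:
                    break
                fams |= f
            if fams & ACCESS and fams & HIGH_IMPACT and len(fams) >= 3:
                flagged[host] = sorted(fams)
                break
    return flagged


# Constructed events: one compromised-looking host, one helpdesk session, one installer.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:11:03", "host": "WS-117", "source": "security", "event_id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.9"},
    {"ts": "2024-05-01T02:12:40", "host": "WS-117", "source": "sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c tasklist /v & systeminfo"},
    {"ts": "2024-05-01T02:13:05", "host": "WS-117", "source": "sysmon", "event_id": 11,
     "target_filename": "C:\\Users\\svc_backup\\AppData\\Roaming\\winupdate.exe"},
    {"ts": "2024-05-01T02:13:09", "host": "WS-117", "source": "sysmon", "event_id": 13,
     "target_object": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\winupdate"},
    {"ts": "2024-05-01T02:13:30", "host": "WS-117", "source": "sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\netsh.exe", "command_line": "netsh advfirewall set allprofiles state off"},
    {"ts": "2024-05-01T02:14:02", "host": "WS-117", "source": "sysmon", "event_id": 3,
     "image": "C:\\Users\\svc_backup\\AppData\\Roaming\\winupdate.exe", "dest_ip": "198.51.100.7", "dest_port": 80},
    {"ts": "2024-05-01T09:05:00", "host": "HELPDESK-02", "source": "security", "event_id": 4624,
     "logon_type": 10, "user": "jane.helpdesk", "src_ip": "10.0.5.21"},
    {"ts": "2024-05-01T09:06:10", "host": "HELPDESK-02", "source": "sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c ipconfig /all"},
    {"ts": "2024-05-01T11:00:00", "host": "BUILD-01", "source": "sysmon", "event_id": 11,
     "target_filename": "C:\\ProgramData\\Vendor\\agent.exe"},
    {"ts": "2024-05-01T11:00:04", "host": "BUILD-01", "source": "sysmon", "event_id": 13,
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent"},
]
```

Running `correlate(SAMPLE_EVENTS)` flags only WS-117, with all seven families. The helpdesk host shows RDP plus an ordinary admin command, and the build host shows an installer writing a Run key without any remote access; neither is flagged, which is the tuning the page asks for. In production the string matches would be replaced by your SIEM's field names, and the RDP logon would be enriched with source address and account context before it counts.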
Mitigation priorities
- Start with Windows remote access governance: restrict and monitor RDP exposure, require strong account controls, and review who can initiate remote interactive sessions.
- Harden persistence and configuration-change surfaces by controlling write access to autorun registry locations, startup folders, and Windows Firewall settings.
- Maintain endpoint protection and logging resilience so attempts to disable, modify, or degrade security tools generate actionable alerts.
- Use application control or equivalent execution controls where feasible to reduce execution of unauthorized remote administration tools, backdoors, and packed binaries.
- Ensure IR playbooks cover credential risk, persistence removal, host isolation, log preservation, and review of possible collection from keyboard, clipboard, audio, and video sources.
Analyst notes and limits
ATT&CK identifies DarkComet as software S0334, a Windows remote administration tool and backdoor. The object has no aliases listed in the main fields, but external references include names such as DarkKomet, FYNLOS, Fynloski, and Krademok. Related techniques provide the most useful defensive framing: RDP, software packing, user/process/system discovery, command shell execution, web-protocol C2, tool transfer, registry modification, clipboard/audio/video collection, Run Key persistence, security-tool impairment, and Windows host firewall modification.
The supplied ATT&CK object does not provide official detection guidance and does not list tactics directly on the malware object. Several related technique descriptions are truncated or have broader platform lists, so this take limits platform-specific conclusions to the supplied DarkComet platform: Windows. Local telemetry, baselines, business-approved remote administration patterns, and incident evidence are required before determining exposure, impact, or attribution.
DarkComet
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1686.003 | Windows Host Firewall Sub-technique | DarkComet can disable Security Center functions like the Windows Firewall.[1][2] |
| Enterprise | T1059 | Command and Scripting Interpreter | DarkComet can execute various types of scripts on the victim's machine.[2] |
| Enterprise | T1115 | Clipboard Data | DarkComet can steal data from the clipboard.[2] |
| Enterprise | T1125 | Video Capture | DarkComet can access the victim's webcam to take pictures.[1][2] |
| Enterprise | T1082 | System Information Discovery | DarkComet can collect the computer name, RAM used, and operating system version from the victim's machine.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | DarkComet can load any files onto the infected machine to execute.[1][2] |
| Enterprise | T1057 | Process Discovery | DarkComet can list active processes running on the victim's machine.[2] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | DarkComet can launch a remote shell to execute commands on the victim's machine.[2] |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | DarkComet can open an active screen of the victim's machine and take control of the mouse and keyboard.[2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | DarkComet adds several Registry entries to enable automatic execution at every system startup.[1][2] |
| Enterprise | T1685 | Disable or Modify Tools | DarkComet can disable Security Center functions like anti-virus.[1][2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | DarkComet can use HTTP for C2 communications.[2] |
| Enterprise | T1123 | Audio Capture | DarkComet can listen in to victims' conversations through the system's microphone.[1][2] |
| Enterprise | T1027.002 | Software Packing Sub-technique | DarkComet has the option to compress its payload using UPX or MPRESS.[2] |
| Enterprise | T1112 | Modify Registry | DarkComet adds a Registry value for its installation routine to the Registry Key |
| Enterprise | T1056.001 | Keylogging Sub-technique | DarkComet has a keylogging capability.[1] |
| Enterprise | T1033 | System Owner/User Discovery | DarkComet gathers the username from the victim's machine.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.[1] |
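A file-triage helper for the T1027.002 and T1036.005 rows above, added here as an example rather than taken from the ATT&CK object or either cited report. It parses the PE section table itself (DOS header, e_lfanew, COFF header, section table), so it runs offline without a PE library, and reports UPX/MPRESS-style section names, sections that have virtual size but no raw data (a common unpacking-stub layout), and system-looking file names such as winupdate.exe or WinDefender.Exe sitting outside C:\Windows. The packer section names, the name-prefix heuristic and the constructed PE bytes are assumptions, not indicators from the page:

```python
"""Triage for packed or masquerading executables (added example, not ATT&CK text).

Section names for UPX/MPRESS, the 'looks like a Windows component' prefixes and the
PE images built below are assumptions constructed for illustration."""
import struct

PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
                   ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS"}
MASQUERADE_NAMES = {"windefender.exe", "winupdate.exe"}   # names reported for DarkComet
SYSTEM_PREFIXES = ("win", "ms", "svc")                    # assumed naming heuristic


def parse_sections(data: bytes):
    """Return [(name, virtual_size, raw_size)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    out = []
    for i in range(n_sections):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize))
    return out


def triage(path: str, data: bytes) -> dict:
    """Combine packing and masquerade indicators for one file on disk."""
    sections = parse_sections(data)
    names = [s[0] for s in sections]
    indicators = []
    packers = sorted({PACKER_SECTIONS[n] for n in names if n in PACKER_SECTIONS})
    if packers:
        indicators.append(f"packer section names: {', '.join(packers)}")
    if any(vs > 0 and rs == 0 for _, vs, rs in sections):
        indicators.append("section with virtual size but no raw data")
    base = path.rsplit("\\", 1)[-1].lower()
    outside_windows = not path.lower().startswith("c:\\windows\\")
    masquerade = outside_windows and (base in MASQUERADE_NAMES or base.startswith(SYSTEM_PREFIXES))
    if masquerade:
        indicators.append(f"system-looking name {base} outside C:\\Windows")
    return {"sections": names, "packer": packers, "masquerade": masquerade, "indicators": indicators}


def build_pe(sections) -> bytes:
    """Construct a minimal PE32 image with the given (name, virtual_size, raw_size) sections."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)                 # PE32 magic, rest zero
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, 0x1000 * (i + 1), rs,
                    0, 0, 0, 0, 0, 0x60000020)
        for i, (n, vs, rs) in enumerate(sections))
    return dos + coff + opt + table


# Constructed samples: a UPX-style layout dropped as winupdate.exe, and a plain build.
UPX_LIKE = build_pe([("UPX0", 0x20000, 0), ("UPX1", 0x8000, 0x7800), (".rsrc", 0x1000, 0x400)])
PLAIN = build_pe([(".text", 0x5000, 0x5000), (".data", 0x1000, 0x400), (".rsrc", 0x800, 0x800)])

if __name__ == "__main__":
    for p, d in (("C:\\Users\\bob\\AppData\\Roaming\\winupdate.exe", UPX_LIKE),
                 ("C:\\Program Files\\Vendor\\app.exe", PLAIN)):
        print(p, triage(p, d)["indicators"])
```

Section names are a weak signal on their own (packers can rename them, and UPX is used by plenty of legitimate software), so the output is meant to rank files for analyst review alongside the process and registry telemetry, not to block on.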
Groups, software, and campaigns
G0134: Transparent Tribe
Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[1][2][3]
G0083: SilverTerrier
SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.[1][2]
G0082: APT38
APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (object hashes and MITRE modification timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | bda8046af7fa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] TrendMicro DarkComet Sept 2014. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
- [2] Malwarebytes DarkComet March 2018. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- [3] DarkComet (alias; citation: TrendMicro DarkComet Sept 2014)
- [4] DarkKomet (alias; citation: TrendMicro DarkComet Sept 2014)
- [5] FYNLOS (alias; citation: TrendMicro DarkComet Sept 2014)
- [6] Fynloski (alias; citation: TrendMicro DarkComet Sept 2014)
- [7] Krademok (alias; citation: TrendMicro DarkComet Sept 2014)
- [8] mitre-attack S0334
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.