S1111: DarkGate
DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[1] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[2]
Analyst context for executives and security teams
DarkGate matters because MITRE describes it as a Windows malware family used for initial access and data gathering, with associations to credential theft, cryptomining, cryptotheft, and pre-ransomware activity. For leaders, the practical issue is not a single signature; it is whether Windows endpoint, identity, scripting, DNS, and command-and-control monitoring can connect early execution and discovery behaviors to later data theft or ransomware-preparation risk.
Executive priority
Prioritize DarkGate as a resilience and readiness test for Windows environments: can the organization detect suspicious scripting, masqueraded files, credential collection, C2 over DNS, tool transfer, data collection, and exfiltration over C2 before business disruption occurs? Because MITRE lists DarkGate as Malware-as-a-Service and under active development, leadership should expect variation and ask for evidence-based coverage across behavior patterns, not just static indicators.
Technical view
ATT&CK provides no official detection text for S1111, so SOC and IR teams should validate coverage through the related techniques. Focus on Windows execution through PowerShell, cmd, Visual Basic, AutoHotKey/AutoIT, and WMI; defense evasion through obfuscated or encoded files, masquerading, double extensions, renamed utilities, process hollowing, and file deletion; discovery of processes, files, directories, system information, and application windows; credential collection via keylogging; C2 using obfuscation and DNS; ingress tool transfer; and exfiltration over the C2 channel. Treat these as behavior clusters that should be correlated across endpoint, identity, and network telemetry.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell, Windows command shell, WMI, Visual Basic, AutoHotKey, and AutoIT execution logs where available
- File creation, rename, deletion, extension, and encoded/obfuscated artifact metadata
- Process injection or process hollowing-related endpoint alerts or memory telemetry
- DNS query and response logs, including unusual volume, domains, timing, or encoded-looking labels
Detection direction
- Validate correlation rules that join scripting or WMI execution with subsequent discovery, file manipulation, network beaconing, or tool transfer.
- Tune for masquerading patterns such as double extensions and renamed utilities, while accounting for legitimate administration and software packaging activity.
- Review DNS monitoring for C2-like behavior, but avoid relying only on domain reputation because ATT&CK notes data obfuscation and DNS-based communications.
- Hunt for suspicious process hollowing or unusual parent-child process relationships on Windows endpoints.
- Monitor group membership changes as persistence or privilege-escalation evidence, especially when preceded by suspicious execution.
Mitigation priorities
- Start with Windows endpoint visibility: ensure process, script, file, and network telemetry is collected and retained for investigation.
- Reduce risky script execution paths through administrative controls, least privilege, and review of PowerShell, WMI, cmd, VB, AutoHotKey, and AutoIT usage.
- Strengthen email and file-handling controls where masqueraded or double-extension files could reach users, while recognizing the supplied object does not specify a delivery method.
- Harden identity and local administration: monitor and restrict local/domain group changes and privileged account use.
- Improve DNS and egress governance so C2 and exfiltration over allowed channels are observable and controllable.
Analyst notes and limits
DarkGate is a Windows malware object in ATT&CK S1111. MITRE describes it as first emerging in 2018, evolving into an initial access and data gathering tool, and being associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions. The strongest defensive value comes from mapping the related techniques into testable detection and response use cases rather than treating DarkGate as a single static malware signature.
MITRE provides no official detection text, no aliases, no object-level tactics, and only Windows as the platform for this object. The relationship list supplies behavior context but does not prove local exposure, active intrusion, or detection coverage. Local telemetry, incident evidence, and approved threat intelligence are required to determine relevance in a specific environment.
DarkGate
DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[1] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[2]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | DarkGate will gather various system information such as domain, display adapter description, operating system type and version, processor type, and RAM amount.CitationEnsilo Darkgate 2018CitationRapid7 BlackBasta 2024 |
| Enterprise | T1569.002 | Service Execution Sub-technique | DarkGate tries to elevate privileges to |
| Enterprise | T1071.004 | DNS Sub-technique | DarkGate can cloak command and control traffic in DNS records from legitimate services to avoid reputation-based detection techniques. CitationEnsilo Darkgate 2018 |
| Enterprise | T1119 | Automated Collection | DarkGate searches for stored credentials associated with cryptocurrency wallets and notifies the command and control server when identified.CitationEnsilo Darkgate 2018 |
| Enterprise | T1574 | Hijack Execution Flow | DarkGate edits the Registry key |
| Enterprise | T1480 | Execution Guardrails | DarkGate uses per-victim links for hosting malicious archives, such as ZIP files, in services such as SharePoint to prevent other entities from retrieving them.CitationTrellix Darkgate 2023 |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | DarkGate uses two distinct User Account Control (UAC) bypass techniques to escalate privileges.CitationEnsilo Darkgate 2018 |
| Enterprise | T1622 | Debugger Evasion | DarkGate checks the |
| Enterprise | T1685 | Disable or Modify Tools | DarkGate will terminate processes associated with several security software products if identified during execution.CitationEnsilo Darkgate 2018 |
| Enterprise | T1486 | Data Encrypted for Impact | DarkGate can deploy follow-on ransomware payloads.CitationEnsilo Darkgate 2018 |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | |
| Enterprise | T1614 | System Location Discovery | |
| Enterprise | T1680 | Local Storage Discovery | DarkGate uses the Delphi methods |
| Enterprise | T1010 | Application Window Discovery | DarkGate will search for cryptocurrency wallets by examining application window names for specific strings.CitationEnsilo Darkgate 2018 DarkGate extracts information collected via NirSoft tools from the hosting process's memory by first identifying the window through the |
| Enterprise | T1070.004 | File Deletion Sub-technique | DarkGate has deleted its staging directories.CitationRapid7 BlackBasta 2024 |
| Enterprise | T1036.007 | Double File Extension Sub-technique | DarkGate masquerades malicious LNK files as PDF objects using the double extension |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | DarkGate installation includes AutoIt script execution creating a shortcut to itself as an LNK object, such as bill.lnk, in the victim startup folder.CitationEnsilo Darkgate 2018CitationRapid7 BlackBasta 2024 DarkGate installation finishes with the creation of a registry Run key.CitationEnsilo Darkgate 2018 |
| Enterprise | T1041 | Exfiltration Over C2 Channel | DarkGate uses existing command and control channels to retrieve captured cryptocurrency wallet credentials.CitationEnsilo Darkgate 2018 |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | |
| Enterprise | T1552 | Unsecured Credentials | DarkGate uses NirSoft tools to steal user credentials from the infected machine.CitationEnsilo Darkgate 2018 NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe. |
| Enterprise | T1005 | Data from Local System | DarkGate has stolen `sitemanager.xml` and `recentservers.xml` from `%APPDATA%\FileZilla\` if present.CitationRapid7 BlackBasta 2024 |
| Enterprise | T1047 | Windows Management Instrumentation | DarkGate has used WMI to execute files over the network and to obtain information about the domain.CitationRapid7 BlackBasta 2024 |
| Enterprise | T1027 | Obfuscated Files or Information | DarkGate uses a hard-coded string as a seed, along with the victim machine hardware identifier and input text, to generate a unique string used as an internal mutex value to evade static detection based on mutexes.CitationTrellix Darkgate 2023 |
| Enterprise | T1490 | Inhibit System Recovery | DarkGate can delete system restore points through the command |
| Enterprise | T1036.003 | Rename Legitimate Utilities Sub-technique | DarkGate executes a Windows Batch script during installation that creases a randomly-named directory in the |
| Enterprise | T1059.001 | PowerShell Sub-technique | DarkGate has used PowerShell to create a remote shell.CitationRapid7 BlackBasta 2024 |
| Enterprise | T1496.001 | Compute Hijacking Sub-technique | DarkGate can deploy follow-on cryptocurrency mining payloads.CitationEnsilo Darkgate 2018 |
| Enterprise | T1136.001 | Local Account Sub-technique | DarkGate creates a local user account, |
| Enterprise | T1056.001 | Keylogging Sub-technique | DarkGate will spawn a thread on execution to capture all keyboard events and write them to a predefined log file.CitationEnsilo Darkgate 2018CitationRapid7 BlackBasta 2024 |
| Enterprise | T1059.010 | AutoHotKey & AutoIT Sub-technique | DarkGate uses AutoIt scripts dropped to a hidden directory during initial installation phases, such as `test.au3`.CitationEnsilo Darkgate 2018 |
| Enterprise | T1665 | Hide Infrastructure | DarkGate command and control includes hard-coded domains in the malware masquerading as legitimate services such as Akamai CDN or Amazon Web Services.CitationTrellix Darkgate 2023 |
| Enterprise | T1105 | Ingress Tool Transfer | DarkGate retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server.CitationEnsilo Darkgate 2018 DarkGate uses Windows Batch scripts executing the |
| Enterprise | T1057 | Process Discovery | DarkGate performs various checks for running processes, including security software by looking for hard-coded process name values.CitationEnsilo Darkgate 2018CitationRapid7 BlackBasta 2024 |
| Enterprise | T1583.001 | Domains Sub-technique | DarkGate command and control includes hard-coded domains in the malware chosen to masquerade as legitimate services such as Akamai CDN or Amazon Web Services.CitationTrellix Darkgate 2023 |
| Enterprise | T1555 | Credentials from Password Stores | DarkGate use Nirsoft Network Password Recovery or NetPass tools to steal stored RDP credentials in some malware versions.CitationTrellix Darkgate 2023 |
| Enterprise | T1083 | File and Directory Discovery | Some versions of DarkGate search for the hard-coded folder |
| Enterprise | T1106 | Native API | DarkGate uses the native Windows API |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DarkGate installation includes binary code stored in a file located in a hidden directory, such as |
| Enterprise | T1204.002 | Malicious File Sub-technique | |
| Enterprise | T1124 | System Time Discovery | DarkGate creates a log file for capturing keylogging, clipboard, and related data using the victim host's current date for the filename.CitationEnsilo Darkgate 2018 DarkGate queries victim system epoch time during execution.CitationEnsilo Darkgate 2018 DarkGate captures system time information as part of automated profiling on initial installation.CitationTrellix Darkgate 2023 |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | DarkGate looks for various security products by process name using hard-coded values in the malware.CitationRapid7 BlackBasta 2024 DarkGate will not execute its keylogging thread if a process name associated with Trend Micro anti-virus is identified, or if runtime checks identify the presence of Kaspersky anti-virus. DarkGate will initiate a new thread if certain security products are identified on the victim, and recreate any malicious files associated with it if it determines they were removed by security software in a new system location.CitationEnsilo Darkgate 2018 |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | DarkGate can be distributed through emails with malicious attachments from a spoofed email address.CitationEnsilo Darkgate 2018 |
| Enterprise | T1657 | Financial Theft | DarkGate can deploy payloads capable of capturing credentials related to cryptocurrency wallets.CitationEnsilo Darkgate 2018 |
| Enterprise | T1115 | Clipboard Data | DarkGate starts a thread on execution that captures clipboard data and logs it to a predefined log file.CitationEnsilo Darkgate 2018CitationRapid7 BlackBasta 2024 |
| Enterprise | T1574.001 | DLL Sub-technique | DarkGate includes one infection vector that leverages a malicious "KeyScramblerE.DLL" library that will load during the execution of the legitimate KeyScrambler application.CitationTrellix Darkgate 2023 |
| Enterprise | T1134.004 | Parent PID Spoofing Sub-technique | DarkGate relies on parent PID spoofing as part of its "rootkit-like" functionality to evade detection via Task Manager or Process Explorer.CitationTrellix Darkgate 2023 |
| Enterprise | T1574.007 | Path Interception by PATH Environment Variable Sub-technique | DarkGate overrides the |
| Enterprise | T1539 | Steal Web Session Cookie | DarkGate attempts to steal Opera cookies, if present, after terminating the related process.CitationRapid7 BlackBasta 2024 |
| Enterprise | T1098.007 | Additional Local or Domain Groups Sub-technique | DarkGate elevates accounts created through the malware to the local administration group during execution.CitationEnsilo Darkgate 2018 |
| Enterprise | T1059.005 | Visual Basic Sub-technique | DarkGate initial infection mechanisms include masquerading as pirated media that launches malicious VBScript on the victim.CitationEnsilo Darkgate 2018 |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | DarkGate initial installation involves dropping several files to a hidden directory named after the victim machine name.CitationEnsilo Darkgate 2018 Additionally, DarkGate uses attrib to hide a directory in the following command: ` C:\Windows\system32\attrib.exe” +h C:/rjtu/`.Citationgbhackers Darkgate Malware 2024 |
| Enterprise | T1529 | System Shutdown/Reboot | DarkGate has used the `shutdown`command to shut down and/or restart the victim system.CitationRapid7 BlackBasta 2024 |
| Enterprise | T1001 | Data Obfuscation | DarkGate will retrieved encrypted commands from its command and control server for follow-on actions such as cryptocurrency mining.CitationEnsilo Darkgate 2018 |
| Enterprise | T1497.001 | System Checks Sub-technique | DarkGate queries system resources on an infected machine to identify if it is executing in a sandbox or virtualized environment.CitationEnsilo Darkgate 2018 |
| Enterprise | T1561.001 | Disk Content Wipe Sub-technique | DarkGate has deleted all files in the Mozilla directory using the following command: `/c del /q /f /s C:\Users\User\AppData\Roaming\Mozilla\firefox*`.CitationRapid7 BlackBasta 2024 |
| Enterprise | T1036 | Masquerading | DarkGate can masquerade as pirated media content for initial delivery to victims.CitationEnsilo Darkgate 2018 |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | DarkGate leverages process hollowing techniques to evade detection, such as decrypting the content of an encrypted PE file and injecting it into the process vbc.exe.CitationEnsilo Darkgate 2018CitationRapid7 BlackBasta 2024 |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique |
Groups, software, and campaigns
C0037: Water Curupira Pikabot Distribution
Pikabot was distributed in Water Curupira Pikabot Distribution throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of QakBot, with several technical overlaps and similarities with QakBot, indicating a possible connection. The identified activity led to the deployment of tools such as Cobalt Strike, while coinciding with campaigns delivering DarkGate and IcedID en route to ransomware deployment.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | a29cd382d9c4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Ensilo Darkgate 2018
Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
Open source URL -
[2]
Trellix Darkgate 2023
Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
Open source URL -
[3]
mitre-attack S1111Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.