DarkGate Malware: Transitioning to AutoHotkey in Recent Attacks

In a recent and significant move, the DarkGate malware has left AutoIt scripts behind, instead adopting the use of AutoHotkey for the final stages of its attacks. This change, identified in DarkGate version 6 released in March 2024 by the developer known as RastaFarEye, shows cybercriminals’ constant efforts to stay one step ahead of security solutions.


Innovation in Malware Delivery

DarkGate, active since at least 2018, is a sophisticated remote access trojan (RAT) that offers command and control (C2) capabilities and rootkit functions. It is designed with modules for credential theft, keylogging, screenshot capture, and remote desktop control. Recently, McAfee Labs researchers documented DarkGate’s use of AutoHotkey in April 2024, a strategy that uses vulnerabilities such as CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender SmartScreen protections via attachments in phishing emails.

Infection Techniques

DarkGate campaigns use a variety of methods to infect systems. One recent approach involves using Excel files with embedded macros that run Visual Basic scripts, which then invoke PowerShell commands to launch an AutoHotkey script. This script downloads and decodes the DarkGate payload from a text file, thereby bypassing traditional cybersecurity defenses.

Improvements in Version 6

DarkGate version 6 not only includes new functionality, but has also removed some features from previous versions to reduce the possibility of detection. Among the new capabilities are audio recording, mouse control, and keyboard management. However, features such as privilege escalation, cryptomining, and HVNC (Hidden Virtual Network Computing) have been removed. Ernesto Fernandez Provecho, a security researcher at Trellix, suggests that these modifications may be a response to the specific demands of customers who purchase DarkGate.


Broader Context

In addition to the updates to DarkGate, there has been an increase in the abuse of legitimate services such as Docusign, with cybercriminals selling customizable phishing templates on underground forums. These templates, designed to mimic legitimate document signing requests, seek to trick recipients into clicking on malicious links or revealing sensitive information.



DarkGate’s constant evolution underscores the dynamic nature of today’s cyber threats. For organizations, it is crucial to stay on top of these advanced tactics and continually update their defense strategies. Collaboration between security researchers and the implementation of proactive measures are essential to mitigate the risks associated with sophisticated malware such as DarkGate.

Related Posts
Clear Filters

La Agencia de Seguridad de Infraestructura y Ciberseguridad de Estados Unidos (CISA) ha añadido una vulnerabilidad de alta severidad en…

ASUS ha lanzado una actualización de firmware crucial para solucionar una vulnerabilidad que afecta a siete modelos de routers, permitiendo…

Devel Group
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.