Cybercriminals are leveraging the growing popularity of cryptocurrencies to deploy older, yet still potent, malware. Recent findings highlight the resurgence of the DarkComet Remote Access Trojan (RAT), now being disguised as legitimate Bitcoin-related applications. This tactic targets cryptocurrency enthusiasts who are lured into downloading tools from unverified sources, demonstrating how established threats can be weaponized with modern social engineering to exploit financial interests.
The DarkComet RAT, despite being officially discontinued by its creator years ago, continues to circulate in underground forums and remains a significant threat. Its effectiveness stems from powerful capabilities that allow attackers to gain extensive control over infected systems. These capabilities include keystroke logging, file theft, webcam surveillance, and remote desktop control, making it a particularly dangerous tool for targeting cryptocurrency users where stolen credentials can have direct financial consequences.
DarkComet RAT Exploits Cryptocurrency Hype
Security analysts at Point Wild have identified a malware campaign actively distributing a rebranded version of the DarkComet RAT. The malicious campaign focuses on cryptocurrency users, capitalizing on their interest in Bitcoin and related tools. Attackers are bundling the notorious malware within seemingly legitimate applications, preying on a user base that may be less cautious when seeking out new cryptocurrency management solutions.
The infection vector observed in this campaign involved distributing the malware as a compressed RAR archive. This archive contained an executable file cunningly disguised as “94k BTC wallet.exe.” This delivery method is designed to bypass standard email filters and reduce the likelihood of early detection by security software. Furthermore, the executable was packed with UPX (Ultimate Packer for Executables), a common technique used to obfuscate the malware’s true nature and make it more challenging for security analysis.
Technical Breakdown and Infection Mechanism
Upon execution, the fake Bitcoin tool immediately activates the full capabilities of the DarkComet RAT instead of providing any legitimate cryptocurrency functionality. The malware is designed to establish persistence on the infected system, ensuring its continued operation even after reboots. It achieves this persistence by copying itself to %AppData%\Roaming\MSDCSC\explorer.exe and creating an autorun entry under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. This configuration ensures that the malware launches automatically every time the system starts.
Analysis of the malware sample also revealed key operational details embedded within its configuration. A mutex named “DC_MUTEX-ARULYYD” is utilized to prevent multiple instances of the malware from running simultaneously on a single system. Network analysis indicated attempted connections to a command-and-control (C2) server located at kvejo991.ddns.net, communicating over TCP port 1604. Although the C2 server was unresponsive during testing, these repeated connection attempts signify active beaconing behavior consistent with DarkComet operations.
The unpacked executable exhibits standard Portable Executable (PE) sections, including .text, .data, and .idata. To evade detection and carry out its malicious functions stealthily, the malware injects its payload into legitimate Windows processes, such as notepad.exe. This allows it to perform sensitive operations like keylogging and screen capture without raising immediate suspicion. Captured keystrokes are subsequently stored in log files, often named with date-specific formats like “2025-10-29-4.dc,” before being exfiltrated to the C2 server.
File hashes for detection purposes include SHA256: 11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377 for the compressed archive and SHA256: 5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554 for the packed executable. Users are strongly advised to exercise extreme caution and refrain from downloading any cryptocurrency-related tools from untrusted or unofficial sources. Maintaining up-to-date security software is also critical for effectively detecting and preventing such threats.
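The indicators above (file hashes, the MSDCSC\explorer.exe autorun entry, the DC_MUTEX-ARULYYD mutex, beaconing to kvejo991.ddns.net on TCP 1604, and the date-stamped .dc keylog files) lend themselves to a simple offline triage check. The following script is an added example, not code from the article or from Point Wild: it matches a collected host snapshot against those indicators and grades each hit. The HostSnapshot layout, the Run value name, the file paths and every connection record are constructed sample data; the indicator values themselves are the ones quoted above.

```python
"""Offline IoC matcher for the DarkComet campaign described above.

Added example (not from the article or Point Wild). The indicator values are
the ones quoted in the article; the snapshot format and all sample data below
are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Indicators quoted in the article
ARCHIVE_SHA256 = "11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377"
PACKED_SHA256 = "5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554"
C2_HOST = "kvejo991.ddns.net"
C2_PORT = 1604
MUTEX_NAME = "DC_MUTEX-ARULYYD"
PERSIST_FRAGMENT = r"\msdcsc\explorer.exe"   # dropped copy under %AppData%
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Keylog files are named like 2025-10-29-4.dc: date, dash, counter, .dc
KEYLOG_RE = re.compile(r"^\d{4}-\d{2}-\d{2}-\d+\.dc$", re.IGNORECASE)


@dataclass
class HostSnapshot:
    """Artifacts gathered from one host (assumed, constructed collector format)."""
    file_hashes: dict = field(default_factory=dict)   # path -> sha256 hex
    run_values: dict = field(default_factory=dict)    # Run value name -> command line
    mutexes: list = field(default_factory=list)       # mutex names present
    connections: list = field(default_factory=list)   # (remote_host, remote_port, state)
    file_names: list = field(default_factory=list)    # file names seen in the drop directory


def check_snapshot(snap: HostSnapshot) -> list:
    """Return (severity, description) tuples for every indicator that matches.

    Hash, persistence, mutex and C2-host hits are 'high'; the keylog naming
    pattern alone is 'medium'; port 1604 to some other host is only 'low',
    because the port by itself is a weak signal.
    """
    findings = []
    for path, digest in snap.file_hashes.items():
        d = digest.lower()
        if d == ARCHIVE_SHA256:
            findings.append(("high", f"archive hash match: {path}"))
        elif d == PACKED_SHA256:
            findings.append(("high", f"packed executable hash match: {path}"))
    for name, cmd in snap.run_values.items():
        if PERSIST_FRAGMENT in cmd.lower():
            findings.append(("high", f"Run key persistence: {RUN_KEY}\\{name} -> {cmd}"))
    if MUTEX_NAME in snap.mutexes:
        findings.append(("high", f"mutex present: {MUTEX_NAME}"))
    c2_attempts = 0
    for host, port, state in snap.connections:
        if host.lower() == C2_HOST:
            c2_attempts += 1          # repeated SYN_SENT entries are the beaconing signature
        elif port == C2_PORT:
            findings.append(("low", f"TCP {C2_PORT} to {host} ({state}); DarkComet default port, verify"))
    if c2_attempts:
        findings.append(("high", f"{c2_attempts} connection attempt(s) to {C2_HOST}"))
    for fname in snap.file_names:
        if KEYLOG_RE.match(fname):
            findings.append(("medium", f"keylog file name pattern: {fname}"))
    return findings


def sample_snapshot() -> HostSnapshot:
    """Constructed sample resembling an infected host; not real collector output."""
    return HostSnapshot(
        file_hashes={
            r"C:\Users\alice\Downloads\94k BTC wallet.exe": PACKED_SHA256,
            r"C:\Windows\System32\notepad.exe": "0" * 64,  # placeholder benign hash
        },
        run_values={
            "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
            "WinUpdater": r"C:\Users\alice\AppData\Roaming\MSDCSC\explorer.exe",  # value name constructed
        },
        mutexes=["DC_MUTEX-ARULYYD", r"Local\MSCTF.Asm.MutexDefault1"],
        connections=[
            ("kvejo991.ddns.net", 1604, "SYN_SENT"),
            ("kvejo991.ddns.net", 1604, "SYN_SENT"),
            ("update.example.com", 443, "ESTABLISHED"),
        ],
        file_names=["2025-10-29-4.dc", "2025-10-30-1.dc", "config.ini"],
    )


if __name__ == "__main__":
    for severity, text in check_snapshot(sample_snapshot()):
        print(f"[{severity:6}] {text}")
```

On a real host the snapshot would be filled from the Run key, the mutex list, netstat output and a directory listing; the matcher is deliberately separate from collection so the same logic can be run over exported artifacts during incident response. The C2 host is a dynamic DNS name, so the hostname match is the durable signal; the resolved IP may change between sightings.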
The ongoing exploitation of cryptocurrency interest by threat actors indicates a persistent trend. As the cryptocurrency market evolves and attracts more users, malicious actors will likely continue to adapt older malware, like DarkComet RAT, with sophisticated social engineering tactics to target financial assets. The effectiveness of such campaigns hinges on user vigilance and the adoption of robust cybersecurity practices.