Rewterz

DarkComet RAT – Active IOCs

Severity

High

Analysis Summary

DarkComet is a widely used Remote Access Trojan (RAT) that first appeared in 2008, written by French programmer Jean-Pierre Lesueur (alias DarkCoderSc). Although marketed as a legitimate remote administration tool, it was quickly adopted by threat actors because of the breadth of control it gives over a compromised host. Lesueur discontinued development in 2012, after reports that the tool was being used against Syrian activists, but builds of DarkComet remain freely available and are still deployed in the wild.

DarkComet has been used by a range of cybercriminals and APT groups, notably APT33 and other suspected Iranian threat actors, against the government, military, energy, telecommunications and human-rights sectors. The most frequently targeted countries include the United States, the United Kingdom, Syria, Egypt and other Middle Eastern and North African nations. Antivirus vendors also detect it under the names Fynloski and Backdoor:Win32/Fynloski.

Delivery typically relies on spear-phishing emails carrying malicious attachments, social engineering and drive-by downloads, the same initial-access techniques seen in targeted intrusions. Once the implant is running it connects back to the operator's controller and gives the attacker full control of the system, including keylogging, webcam access, credential theft and file exfiltration.

In recent activity, DarkComet was observed in campaigns against dissidents and civil-society groups in Syria, delivered through fake humanitarian-aid emails or trojanized software downloads, consistent with its long-standing use for geopolitical surveillance and repression.

Impact

  • Unauthorized access
  • Remote command execution
  • Sensitive information theft

Indicators of Compromise

MD5

  • 6a5f7d5099a1cbdbd749c15576555a33
  • eb24dd29ab0ec87ac879ad55c8d52b35
  • 6a67e8650816ca5485d88db9db8ed6b7
  • d07be99ad4cd309294695bdd084735c1

SHA-256

  • 5b323a4797ebd6ab5bccfb9697ae96ade527dc773abdec80628fb25ff644ff7f
  • b6842038ce1e67e57d85b6ba3cad9186aaf4b85bc7934a1a0eb74a5b3736f2b4
  • 6bfe660109350fecca53759c927004e96347e090df60b6572ac4bf7b201b82e6
  • 3f44d142fbdc7e297b0d520cda8499d4abd2e40a2bffa745411597d9b2030d4d

SHA-1

  • 98a51f4c4d850de6b14a11027caaa1926d63b621
  • 188812faf7134da0d754f23d594ff88392646a99
  • 839f46a90991c9041fad48383f014301104d43bc
  • 931c3708c8ffc2ac6f39dcd0130edfd29da1b12d

Remediation

  • Block the indicators listed above at your respective controls (endpoint protection, mail and web gateways, file-integrity tooling).
  • Search your environment for the indicators of compromise (IOCs) listed above using your existing security controls, and treat any match as a confirmed infection requiring host isolation and investigation.
  • Hash-based indicators only catch the specific builds listed here; repacked or recompiled samples will not match, so complement hash sweeps with behavioural detection such as unexpected persistence entries and outbound connections from user processes to unfamiliar hosts.
  • Enable antivirus and anti-malware software and keep signature definitions current; a single control is not sufficient, so layer endpoint, network and email protections.
  • Patch and upgrade platforms and software promptly, and make patch management a standing security policy rather than an ad-hoc activity.
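The IOC sweep that the indicator list and the second remediation bullet call for, as an added example written for this advisory and not Rewterz tooling: it walks a directory tree, hashes every regular file once with MD5, SHA-1 and SHA-256, and reports any file whose digest appears in the list above. The hash set is copied from the IOC section; the scan root is whatever path is passed on the command line, and the sample file contents mentioned in the usage note are constructed.

```python
"""Offline hash sweep against the DarkComet indicators listed in this advisory.

Added example for the advisory; not Rewterz or DarkComet code. Hashes each
regular file once (one read, three digests) and returns any IOC matches.
"""
import hashlib
import os
import sys
from pathlib import Path

# MD5, SHA-1 and SHA-256 values copied from the advisory's IOC section.
DARKCOMET_HASHES = frozenset(h.lower() for h in [
    "6a5f7d5099a1cbdbd749c15576555a33",
    "eb24dd29ab0ec87ac879ad55c8d52b35",
    "6a67e8650816ca5485d88db9db8ed6b7",
    "d07be99ad4cd309294695bdd084735c1",
    "5b323a4797ebd6ab5bccfb9697ae96ade527dc773abdec80628fb25ff644ff7f",
    "b6842038ce1e67e57d85b6ba3cad9186aaf4b85bc7934a1a0eb74a5b3736f2b4",
    "6bfe660109350fecca53759c927004e96347e090df60b6572ac4bf7b201b82e6",
    "3f44d142fbdc7e297b0d520cda8499d4abd2e40a2bffa745411597d9b2030d4d",
    "98a51f4c4d850de6b14a11027caaa1926d63b621",
    "188812faf7134da0d754f23d594ff88392646a99",
    "839f46a90991c9041fad48383f014301104d43bc",
    "931c3708c8ffc2ac6f39dcd0130edfd29da1b12d",
])

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests of one file.

    The file is streamed in chunks so large binaries do not have to fit in
    memory, and all three digests are updated from the same read.
    """
    digests = [hashlib.new(name) for name in ALGORITHMS]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests:
                d.update(chunk)
    return tuple(d.hexdigest() for d in digests)


def sweep(root, iocs=DARKCOMET_HASHES):
    """Walk `root` and return [(path, algorithm, digest)] for every IOC hit.

    Symlinks are not followed (so a planted link cannot pull the scan out of
    the tree), and files that cannot be read are skipped rather than aborting
    the whole sweep. Mixing hash lengths in one set is safe: a digest of one
    algorithm can only ever equal an IOC of the same length.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digests = hash_file(path)
            except OSError:
                continue  # permission denied, vanished file, etc.
            for algo, digest in zip(ALGORITHMS, digests):
                if digest in iocs:
                    hits.append((str(path), algo, digest))
    return hits


if __name__ == "__main__":
    # Usage: python darkcomet_sweep.py /path/to/scan
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    matches = sweep(scan_root)
    for file_path, algo, digest in matches:
        print(f"MATCH {algo} {digest} {file_path}")
    sys.exit(1 if matches else 0)
```

Run it against user profile and temp directories first, since that is where a phished attachment or trojanized download lands; a non-zero exit code on any hit makes it easy to wire into a scheduled job. Because `sweep` accepts an arbitrary hash set, the same routine can be reused for the indicators in later advisories without touching the scanning logic.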