EXECUTIVE SUMMARY:
A recent campaign involves the deceptive distribution of the DarkComet Remote Access Trojan (RAT), concealed within a fake Bitcoin wallet application. The attack leverages social engineering by enticing users with a RAR archive named 94k BTC wallet exe, which claims to offer access to a massive cryptocurrency wallet. Once executed, the malware installs DarkComet RAT, a remote administration tool capable of granting attackers full control over an infected device. This campaign illustrates how cybercriminals exploit cryptocurrency-related lures to target individuals driven by financial curiosity or greed. By disguising the payload as a legitimate wallet tool, attackers effectively trick victims into self-installing the malware. The use of simple yet manipulative tactics demonstrates that traditional social engineering remains a powerful weapon in modern cybercrime, particularly when combined with popular digital currency themes to increase credibility and user engagement.
When the malicious Bitcoin wallet executable runs, it silently drops and launches the DarkComet RAT payload. The malware establishes persistence by creating registry entries and employs process obfuscation techniques to evade detection. Once operational, it enables remote access to the compromised system, allowing attackers to browse files, record keystrokes, capture screenshots, and activate webcams or microphones. The malware also exfiltrates sensitive user information, including saved credentials and browser history. Communication with the Command and Control (C2) infrastructure occurs over encrypted HTTP POST requests, concealing data transfer from monitoring tools. Additionally, the RAT may attempt to disable antivirus defenses and escalate privileges for uninterrupted control. Through mutex creation, encrypted communication, and stealth-based persistence mechanisms, the malware ensures it remains undetected while maintaining long-term access for continued espionage and data theft.
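The report notes that the RAT's C2 traffic runs over HTTP POST requests, which hides the payload contents from inspection but not the traffic pattern: an implant polling its controller tends to POST to the same host and path at a nearly fixed interval, while human-driven POSTs are irregular. The script below is an added detection example written for this page; it is not part of the report and not DarkComet code. It assumes a simplified proxy-log line format (date, time, client IP, method, host, path, status, bytes), and the hostnames, IP and timestamps in the sample are constructed (the `.invalid` domain is a reserved placeholder). It groups POSTs by (client, host, path) and flags groups whose inter-request gaps have a low coefficient of variation.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed simplified proxy-log format for this example:
# "<date> <time> <client-ip> <method> <host> <path> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample: one client POSTing to the same path every 60 seconds
# (beacon-like), plus irregular intranet POSTs and unrelated GETs.
SAMPLE_LOG = """\
2024-05-01 10:00:00 10.0.0.5 POST updates.example-c2.invalid /gate.php 200 412
2024-05-01 10:00:05 10.0.0.5 POST intranet.corp.example /login 302 118
2024-05-01 10:00:31 10.0.0.5 GET www.example.com /index.html 200 5120
2024-05-01 10:01:00 10.0.0.5 POST updates.example-c2.invalid /gate.php 200 410
2024-05-01 10:02:00 10.0.0.5 POST updates.example-c2.invalid /gate.php 200 415
2024-05-01 10:03:00 10.0.0.5 POST updates.example-c2.invalid /gate.php 200 409
2024-05-01 10:03:40 10.0.0.5 POST intranet.corp.example /login 200 118
2024-05-01 10:04:00 10.0.0.5 POST updates.example-c2.invalid /gate.php 200 413
2024-05-01 10:04:02 10.0.0.5 POST intranet.corp.example /login 200 118
2024-05-01 10:05:00 10.0.0.5 POST updates.example-c2.invalid /gate.php 200 411
2024-05-01 10:11:30 10.0.0.5 POST intranet.corp.example /login 200 118
2024-05-01 10:12:00 10.0.0.5 POST intranet.corp.example /login 200 118
"""


def parse_log(lines):
    """Yield parsed records; lines not matching the assumed format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(
            f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S"
        )
        yield rec


def find_beacons(lines, min_events=5, max_jitter=0.15):
    """Flag (src, host, path) groups whose POST inter-arrival times are nearly
    constant, i.e. coefficient of variation (stdev / mean) <= max_jitter."""
    series = defaultdict(list)
    for rec in parse_log(lines):
        if rec["method"] == "POST":
            series[(rec["src"], rec["host"], rec["path"])].append(rec["ts"])

    findings = []
    for (src, host, path), stamps in series.items():
        if len(stamps) < min_events:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; no interval to measure
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            findings.append({
                "src": src, "host": host, "path": path,
                "count": len(stamps), "mean_interval": avg, "jitter": cv,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"beacon-like: {f['src']} -> {f['host']}{f['path']} "
              f"every ~{f['mean_interval']:.0f}s "
              f"(n={f['count']}, cv={f['jitter']:.2f})")
```

On the constructed sample only the 60-second series to `updates.example-c2.invalid` is flagged; the intranet logins have five POSTs but their gaps vary too much. Real implants often add random sleep jitter, so `max_jitter` should be tuned against a baseline of known-good traffic, and the output is a triage lead rather than a verdict: pair it with the host's process tree and the Run-key entries the report describes before acting.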
This campaign highlights the persistent threat from re-emerging malware families like DarkComet, which continue to evolve through new delivery vectors. By exploiting the popularity of cryptocurrency, attackers successfully distribute old yet potent RATs to unsuspecting users. Despite its age, DarkComet remains a formidable tool due to its wide range of spying and remote-control capabilities. The incident underscores the need for heightened vigilance and proper cybersecurity hygiene: users must avoid downloading software from unverified or unofficial sources. On a broader scale, implementing multi-layered defense mechanisms such as endpoint protection, behavioral monitoring, and network anomaly detection can significantly reduce infection risks. Organizations should also emphasize user education, as awareness of phishing and malware delivery tactics remains one of the most effective defenses. Ultimately, this case demonstrates how a simple lure, coupled with a powerful RAT, can facilitate deep system compromise with minimal attacker effort.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059 | Command and Scripting Interpreter | - |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | - |
| Defense Evasion | T1027 | Obfuscated Files or Information | - |
| Defense Evasion | T1055 | Process Injection | - |
| Collection | T1113 | Screen Capture | - |
| Discovery | T1083 | File and Directory Discovery | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Execution | E1204 | User Execution |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Defense Evasion | F0005 | Hidden Files and Directories |
| Defense Evasion | E1027 | Obfuscated Files or Information |
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Collection | E1113 | Screen Capture |
| Command and Control | B0030 | C2 Communication |
| Execution | B0011 | Remote Commands |
REFERENCES:
The following reports contain further technical details: