
DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)

DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.(Citation: Ensilo Darkgate 2018) DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.(Citation: Trellix Darkgate 2023)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) | Attack Pattern | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) | Attack Pattern | 1 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 1 |
| System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) | Attack Pattern | 1 |
| Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) | Attack Pattern | 1 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| AutoHotKey & AutoIT - T1059.010 (3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) | Attack Pattern | 1 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) | Attack Pattern | 1 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | 1 |
| System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 1 |
| Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) | Attack Pattern | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) | Attack Pattern | 1 |
| Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) | Attack Pattern | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | 1 |
| Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) | Attack Pattern | 1 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Hide Infrastructure - T1665 (eb897572-8979-4242-a089-56f294f4c91d) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1 |
| DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) | Attack Pattern | DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52) | Malware | 1 |
| Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) | Attack Pattern | 2 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) | Attack Pattern | 2 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 2 |
| Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) | Attack Pattern | Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) | Attack Pattern | 2 |
| DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 2 |
| Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) | Attack Pattern | Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) | Attack Pattern | 2 |
| Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) | Attack Pattern | Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) | Attack Pattern | 2 |
| Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) | Attack Pattern | System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) | Attack Pattern | 2 |
| Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) | Attack Pattern | Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) | Attack Pattern | 2 |
| AutoHotKey & AutoIT - T1059.010 (3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) | Attack Pattern | 2 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 2 |
| Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) | Attack Pattern | Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) | Attack Pattern | 2 |
| DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2 |
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | 2 |
| Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 2 |
| Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a) | Attack Pattern | Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | 2 |
| Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2 |
| Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 2 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | 2 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |