DarkGate attacks linked to Vietnam-based cyber criminals

Press Release  |  October 20, 2023

WithSecure researchers tie recent DarkGate attacks in the UK, US, and India back to threat actors known for stealing information to hijack Meta Business accounts.

Helsinki, Finland – October 20, 2023: WithSecure™ (formerly known as F-Secure Business) researchers have tracked attacks using DarkGate malware to an active cluster of cyber criminals operating out of Vietnam.

DarkGate is a Remote Access Trojan (RAT) that has been used in attacks since at least 2018 and is currently available to cyber criminals as Malware-as-a-Service (MaaS). It has a diverse user base and a variety of capabilities. It has been observed in information stealing, cryptojacking, and ransomware campaigns.

WithSecure™ researchers began their investigation into DarkGate after detecting multiple infection attempts against organizations in the UK, US, and India.

Based on non-technical indicators, such as lure files, themes, targeting, and delivery methods, researchers were able to tie these attempted attacks back to the same threat actors using the Ducktail infostealer that WithSecure™ researchers have been tracking for approximately the last year and half.


“The DarkGate attacks we observed have very strong identifiers—identifiers which allowed us to establish links between these attacks and others we’ve seen using different infostealers and malware, including Ducktail. Based on what we’ve observed, it is very likely that a single actor is behind several of the campaigns we’ve been tracking that target Meta Business accounts,” said WithSecure™ Senior Threat Intelligence Analyst Stephen Robinson.   

Other types of malware researchers tied to the same threat actors include Ducktail, Lobshot, and Redline Stealer.

Lures and malicious files used by the group’s different campaigns have the following identifiable metadata:

  • LNK Drive ID
  • Canva PDF design service account details
  • MSI file metadata

According to Robinson, the growth of cyber crime services that can be purchased by different threat actors has created a situation where specific tools used in attacks can no longer tell defenders who their adversaries are.

“DarkGate has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam. The flipside of this is that actors can use multiple tools for the same campaign, which could obscure the true extent of their activity from purely malware-based analysis,” he said.

The full research is available at https://labs.withsecure.com/publications/darkgate-malware-campaign.

WithSecure™ media relations
Adam Pilkey

About WithSecure™

WithSecure™, formerly F-Secure Business, is cyber security’s reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world’s most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations.

Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we’ve built our portfolio to grow with our partners through flexible commercial models.

WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.