WithSecure's researchers have recently linked DarkGate attacks in the UK, the US and India to threat actors known for stealing information in order to hijack Meta business accounts.
Helsinki, Finland – October 20, 2023: WithSecure™ (formerly known as F-Secure Business) researchers have tracked attacks using DarkGate malware to an active cluster of cyber criminals operating out of Vietnam.
DarkGate is a Remote Access Trojan (RAT) that has been used in attacks since at least 2018 and is currently available to cyber criminals as Malware-as-a-Service (MaaS). It has a diverse user base and a variety of capabilities. It has been observed in information stealing, cryptojacking, and ransomware campaigns.
WithSecure™ researchers began their investigation into DarkGate after detecting multiple infection attempts against organizations in the UK, US, and India.
Based on non-technical indicators, such as lure files, themes, targeting, and delivery methods, researchers were able to tie these attempted attacks back to the same threat actors using the Ducktail infostealer that WithSecure™ researchers have been tracking for approximately the last year and a half.

“The DarkGate attacks we observed have very strong identifiers—identifiers which allowed us to establish links between these attacks and others we’ve seen using different infostealers and malware, including Ducktail. Based on what we’ve observed, it is very likely that a single actor is behind several of the campaigns we’ve been tracking that target Meta Business accounts,” said WithSecure™ Senior Threat Intelligence Analyst Stephen Robinson.
Other malware that researchers tied to the same threat actors includes Ducktail, Lobshot, and Redline Stealer.
Lures and malicious files used by the group’s different campaigns have the following identifiable metadata:
- LNK Drive ID
- Canva PDF design service account details
- MSI file metadata
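As an added illustration of why the LNK Drive ID in the list above works as a clustering indicator (example code written for this article, not WithSecure's tooling), the Python below parses the VolumeID structure inside a .lnk file's LinkInfo to pull out the drive serial number and volume label, then groups lures by serial. The .lnk samples, serials, labels and file names are constructed for the demo.

```python
import struct
from collections import defaultdict

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46} as stored on disk
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02            # ShellLinkHeader.LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01                            # LinkInfo.LinkInfoFlags bit

def lnk_volume_info(data):
    """Return {drive_type, serial, label} from a .lnk VolumeID structure, or None if absent."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                               # LinkInfo follows the 76-byte header (and any IDList)
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip LinkTargetIDList: 2-byte IDListSize + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    _size, _hdr, info_flags, vol_off = struct.unpack_from("<IIII", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                          # network-relative target: no local VolumeID
    vol = pos + vol_off                      # LinkInfo offsets are relative to its own start
    _vsize, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vol)
    enc = "latin-1"
    if label_off == 0x14:                    # Unicode label: its real offset sits in the next field
        label_off, enc = struct.unpack_from("<I", data, vol + 16)[0], "utf-16-le"
    label = data[vol + label_off:].decode(enc, "ignore").split("\x00")[0]
    return {"drive_type": drive_type, "serial": "%08X" % serial, "label": label}

def cluster_by_drive_serial(samples):
    """Group lure file names by the drive serial number embedded in their .lnk."""
    groups = defaultdict(list)
    for name, blob in samples.items():
        info = lnk_volume_info(blob)
        if info:
            groups[info["serial"]].append(name)
    return dict(groups)

def build_sample_lnk(serial, label, target):
    """Constructed minimal .lnk (header + LinkInfo only) used as demo input; not a real sample."""
    volume_id = struct.pack("<IIII", 17 + len(label), 3, serial, 16) + label + b"\x00"  # DriveType 3 = fixed
    base_path = target + b"\x00"
    hdr = 0x1C                               # LinkInfoHeaderSize without the optional Unicode offsets
    link_info = struct.pack("<IIIIIII", hdr + len(volume_id) + len(base_path) + 1, hdr,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, hdr, hdr + len(volume_id), 0,
                            hdr + len(volume_id) + len(base_path)) + volume_id + base_path + b"\x00"
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_LINK_INFO) + b"\x00" * 52
    return header + link_info
SAMPLES = {n: build_sample_lnk(s, l, b"C:\\Windows\\notepad.exe") for n, s, l in [  # constructed demo lures
    ("Salary_Proposal.pdf.lnk", 0x1A2B3C4D, b"OS"), ("Canva_Brief.pdf.lnk", 0x1A2B3C4D, b"OS"),
    ("Invoice_0423.pdf.lnk", 0x7E7E0001, b"DATA")]}  # two lures share a serial: same build machine
```

In a real triage run the .lnk bytes would be read from quarantined lure files rather than built in code.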
According to Robinson, the growth of cyber crime services that can be purchased by different threat actors has created a situation where specific tools used in attacks can no longer tell defenders who their adversaries are.
“DarkGate has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam. The flipside of this is that actors can use multiple tools for the same campaign, which could obscure the true extent of their activity from purely malware-based analysis,” he said.
The full research is available at https://labs.withsecure.com/publications/darkgate-malware-campaign.
WithSecure™ media relations
Adam Pilkey
+358406378859
About WithSecure™
WithSecure™, formerly F-Secure Business, is a trusted partner and expert in cyber security. IT service providers, MSSPs and businesses, together with the largest financial institutions, manufacturers, and thousands of the world's most advanced communications and technology providers, turn to us for outcome-based cyber security.
Our AI-based protection secures endpoints as well as cloud-based services and solutions. Our solutions for threat detection and real-time response to attacks are built on proactive threat hunting. Our consultants work closely with large enterprises and challengers in the technology sector to build resilient cyber security solutions. With more than 30 years of experience in developing technology that supports business operations, we have created a solution portfolio designed to grow flexibly together with partners through commercial models.
WithSecure™ was founded in 1988 and is listed on NASDAQ OMX Helsinki Ltd.