The Lat61 Threat Intelligence Team has uncovered a new campaign using Bitcoin-themed lures to distribute DarkComet RAT, a remote access trojan long known for its surveillance and data theft capabilities. The analysis reveals that cybercriminals are repackaging legacy malware in modern cryptocurrency disguises, preying on users’ interest in digital assets.
Although DarkComet was discontinued by its original developer years ago, it continues to circulate in underground forums and cybercrime toolkits. In this latest variant, attackers rebranded the trojan as a Bitcoin wallet utility, distributing it through compressed archive files designed to bypass antivirus filters and user suspicion.
Lat61’s investigation began with a RAR archive posing as a legitimate cryptocurrency application. Inside the archive was a single executable file, deceptively named “94k BTC wallet.exe.”
“The naming convention and iconography suggested that the attacker was targeting cryptocurrency enthusiasts, leveraging Bitcoin as the lure,” the report noted.
Once extracted and executed, the file silently deployed DarkComet RAT, granting full remote control to the attacker. The researchers observed that the malware’s portable executable (PE) structure revealed signs of compression and obfuscation — specifically, the use of the UPX packer, a common technique to conceal malicious code.
“DarkComet RAT samples are often packed with UPX to make detection and analysis more difficult,” Lat61 explained. “Packing hides the real API imports and code structure, which makes it harder for analysts and antivirus engines to understand the malware’s behavior through static inspection.”
After unpacking, the team’s engine successfully identified the file as Backdoor.DarkComet, compiled in Borland Delphi (2006) and containing clear traces of the RAT’s configuration and persistence routines.
Once executed, the malware ensures long-term control by copying itself to the user’s AppData\Roaming directory under the misleading name explorer.exe and registering itself for auto-start.
“The binary copies itself as explorer.exe under %AppData%\Roaming\MSDCSC\ and creates a Run key for autostart, ensuring execution on every system reboot,” the report described.
Further analysis revealed that the DarkComet configuration embedded in memory contained the following indicators of compromise (IOCs):
- Mutex: DC_MUTEX-ARULYYD
- C2 Server: kvejo991.ddns.net (Port 1604)
- Install Path: MSDCSC\explorer.exe
- Persistence Flags: Installation enabled, offline keylogging active
These findings confirm that the RAT retains its classic surveillance toolkit — capable of keylogging, remote desktop control, and credential theft — while using updated infrastructure for modern deployment.
During behavioral analysis, researchers observed the malware’s keylogging functionality, which records every keystroke typed by the victim, storing the logs locally before transmitting them to the attacker’s C2 server.
“It records the victim’s keystrokes to capture sensitive information such as login credentials, chat messages, or banking details,” the Lat61 report states. The captured keystrokes are then stored locally inside a folder named ‘dclogs’ before exfiltration.
In addition to logging user activity, DarkComet deploys process injection techniques to mask its presence. It spawns legitimate Windows processes like notepad.exe to host its malicious payload — a known tactic used to evade detection and blend into normal system activity.
Network monitoring confirmed that the unpacked executable repeatedly attempted to connect to its command-and-control (C2) domain — kvejo991.ddns.net on TCP port 1604 — which is consistent with known DarkComet activity.
“The connection logs showed multiple retransmissions, suggesting that the remote server was either offline or blocking incoming connections,” the analysts explained. “Despite the failed connection, these repeated attempts clearly indicate active C2 beaconing behavior.”
This communication channel enables attackers to issue commands, retrieve stolen data, and execute remote actions on compromised systems.
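The persistence artifacts and the IOCs listed above (the MSDCSC\explorer.exe drop path, the Run key, the DC_MUTEX- name and the kvejo991.ddns.net:1604 beacon) are all host- and network-observable, so they translate directly into detection logic. The following is an added example for this article, not code from the Lat61 report: it scans a constructed set of Sysmon-style events (JSON lines, hypothetical field names) and a constructed memory-strings list for those indicators and counts repeated C2 connection attempts, which is the "beaconing" pattern the analysts describe. The Run key value name `wallet_updater` and the user paths are constructed placeholders.

```python
import json
import re

# Indicators quoted in the Lat61 report on this page.
C2_HOST = "kvejo991.ddns.net"
C2_PORT = 1604
# Dropped copy under the roaming AppData directory; %AppData% expands to ...\AppData\Roaming.
INSTALL_PATH_RE = re.compile(r"\\Roaming\\MSDCSC\\explorer\.exe$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# DarkComet mutexes on the page follow the DC_MUTEX-<token> shape.
MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]+$")

# Constructed sample events (Sysmon-like, hypothetical field names), not from the report.
# The Run value name "wallet_updater" and the user "alice" are placeholders.
SAMPLE_EVENTS = r'''
{"event": "FileCreate", "image": "C:\\Users\\alice\\Downloads\\94k BTC wallet.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\MSDCSC\\explorer.exe"}
{"event": "RegistryValueSet", "image": "C:\\Users\\alice\\Downloads\\94k BTC wallet.exe", "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wallet_updater", "details": "C:\\Users\\alice\\AppData\\Roaming\\MSDCSC\\explorer.exe"}
{"event": "NetworkConnect", "image": "C:\\Users\\alice\\AppData\\Roaming\\MSDCSC\\explorer.exe", "dest_host": "kvejo991.ddns.net", "dest_port": 1604, "protocol": "tcp"}
{"event": "NetworkConnect", "image": "C:\\Users\\alice\\AppData\\Roaming\\MSDCSC\\explorer.exe", "dest_host": "kvejo991.ddns.net", "dest_port": 1604, "protocol": "tcp"}
{"event": "NetworkConnect", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_host": "example.org", "dest_port": 443, "protocol": "tcp"}
{"event": "FileCreate", "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\alice\\Documents\\notes.txt"}
'''

# Constructed strings as they might be pulled from a process memory dump.
SAMPLE_MEMORY_STRINGS = ["kernel32.dll", "DC_MUTEX-ARULYYD", "MSDCSC", "dclogs"]


def classify(event):
    """Return the list of rule names an event matches (empty if benign)."""
    hits = []
    kind = event.get("event")
    if kind == "FileCreate" and INSTALL_PATH_RE.search(event.get("target", "")):
        hits.append("darkcomet_install_path")
    if (kind == "RegistryValueSet"
            and RUN_KEY_RE.search(event.get("target", ""))
            and INSTALL_PATH_RE.search(event.get("details", ""))):
        hits.append("darkcomet_run_key_persistence")
    if (kind == "NetworkConnect"
            and event.get("dest_host", "").lower() == C2_HOST
            and event.get("dest_port") == C2_PORT):
        hits.append("darkcomet_c2_beacon")
    return hits


def scan_events(jsonl_text):
    """Parse JSON-lines events and return one finding per matched rule."""
    findings = []
    for line in jsonl_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for rule in classify(event):
            findings.append({"rule": rule, "image": event.get("image")})
    return findings


def summarize(findings):
    """Count findings per rule; repeated c2_beacon hits indicate beaconing."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


def find_darkcomet_mutexes(strings):
    """Pick DC_MUTEX-style names out of a list of extracted strings."""
    return [s for s in strings if MUTEX_RE.match(s)]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
    print(summarize(scan_events(SAMPLE_EVENTS)))
    print(find_darkcomet_mutexes(SAMPLE_MEMORY_STRINGS))
```

In a real deployment the domain and port rules would be fed from an IOC list rather than hard-coded, and the beacon counter would be keyed by source image and time window so that a single failed connection is not reported as beaconing; the mutex check applies to memory or strings output, since standard Sysmon event types do not record mutex creation.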
“Old malware never truly dies,” the Lat61 team wrote. “Once publicly leaked, families like DarkComet are repurposed indefinitely.”
The researchers further warned that the Bitcoin investment boom provides an effective disguise for malicious payloads, noting that cryptocurrency remains a prime attack vector for both casual users and experienced investors.
“By hiding inside a file packaged as a cryptocurrency utility, the attacker leveraged the ongoing hype around Bitcoin to trick users into executing a well-established remote access trojan,” the report concludes.