As cryptocurrency continues to grow in popularity, cybercriminals are aggressively shifting their tactics to exploit enthusiasts searching for new tools, wallets, and mining apps. One of the latest threats involves attackers disguising the DarkComet remote access trojan (RAT) as Bitcoin-related software—tricking unwary users into installing a highly dangerous piece of malware.
Security researchers at Point Wild recently uncovered a malicious campaign where DarkComet was bundled inside fake cryptocurrency utilities. Despite being an older malware strain, DarkComet remains powerful, flexible, and effective—especially when paired with modern social engineering techniques.
A Classic RAT Resurfaces With a Cryptocurrency Twist
DarkComet RAT, though discontinued years ago, still thrives in underground cybercrime communities. It provides attackers with a full suite of surveillance and control capabilities, including:
- Keystroke logging (keylogging)
- File theft and exfiltration
- Webcam and microphone spying
- Remote desktop access
- System manipulation and command execution
For cryptocurrency users, these capabilities pose extreme danger—stolen keystrokes or screenshots can expose private wallet keys, exchange credentials, seed phrases, or two-factor authentication codes.
The Malware Is Delivered as a Fake Bitcoin Wallet
Researchers found that the rogue file was distributed as a RAR archive, falsely labeled as:
“94k BTC wallet.exe”
This tactic provides several advantages for attackers:
- Helps bypass email filters
- Decreases antivirus detection
- Appears legitimate to users searching for Bitcoin tools
- Adds an extra step (extraction), increasing trust
The executable inside was packed using UPX (Ultimate Packer for Executables), a known technique for evading detection by compressing and obfuscating the malware’s internal code structure.
Once executed, the file does not launch any type of cryptocurrency function. Instead, it immediately deploys the full DarkComet RAT payload.
Technical Breakdown: Persistence, Injection, and C2 Activity
1. Persistence Mechanism
Upon execution, the malware copies itself to:
%AppData%\Roaming\MSDCSC\explorer.exe
It then creates a Windows registry entry at:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This ensures DarkComet launches automatically at every system startup, maintaining long-term access.
2. UPX Packing and Hidden Structure
Inside the RAR archive, the executable displayed classic UPX packing. After unpacking, analysts found standard PE file sections such as:
- .text
- .data
- .idata
These are commonly seen in trojans built for stealth and modularity.
3. Embedded Configuration and Mutex
The sample’s embedded configuration contains critical operational data, including the mutex name:
DC_MUTEX-ARULYYD
This prevents multiple malware instances from running simultaneously on the same system.
4. Command-and-Control (C2) Communication
Network monitoring showed repeated attempts to connect to the attacker-controlled C2 server:
kvejo991.ddns.net
TCP port 1604
Although the server appeared offline during analysis, these persistent outbound requests clearly indicated DarkComet’s beaconing behavior.
5. Process Injection for Stealth
To avoid detection, the malware injects its malicious components into legitimate Windows processes such as:
notepad.exe
From there, it performs keylogging, screen capturing, and file manipulation.
Captured keystrokes are logged into files resembling:
“2025-10-29-4.dc”
These logs are later exfiltrated to the attacker’s server.
Known File Hashes for Detection
Compressed RAR Archive (SHA256): 11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377
Packed Executable (SHA256): 5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554
Security tools and threat intelligence platforms can use these hashes to identify the malicious files and block infection attempts.
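As an added detection example (written here, not taken from the Point Wild report or the original article), the Python below checks constructed Sysmon-style event records against the indicators described in sections 1 to 5 and the hash list: the Run-key persistence entry, the MSDCSC\explorer.exe drop path, .dc keylog files, the C2 host and port, and the two SHA256 hashes. The event field names, the sample user path and the registry value name "Update" are assumptions.

```python
import re

# Indicators exactly as reported above (hashes, drop path, C2 host/port, keylog name pattern).
KNOWN_SHA256 = {
    "11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377": "RAR archive",
    "5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554": "packed executable",
}
C2_HOST, C2_PORT = "kvejo991.ddns.net", 1604
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
DROP_PATH = r"\MSDCSC\explorer.exe"
KEYLOG_RE = re.compile(r"\\MSDCSC\\\d{4}-\d{2}-\d{2}-\d+\.dc$", re.IGNORECASE)


def classify(ev):
    """Return the DarkComet indicators matched by one event (a constructed Sysmon-like dict)."""
    hits, kind, path = [], ev.get("type"), ev.get("path", "")
    key, val = ev.get("key", "").lower(), ev.get("value", "").lower()
    if kind == "registry_set" and key.startswith(RUN_KEY.lower()) and DROP_PATH.lower() in val:
        hits.append("persistence: Run key launches MSDCSC\\explorer.exe")
    if kind == "file_create" and path.lower().endswith(DROP_PATH.lower()):
        hits.append("dropper: MSDCSC\\explorer.exe written to disk")
    if kind == "file_create" and KEYLOG_RE.search(path):
        hits.append("keylogger: .dc capture file created")
    if kind == "network_connect":
        if ev.get("dest_host", "").lower() == C2_HOST:
            hits.append("c2: beacon to known DarkComet host")
        elif ev.get("dest_port") == C2_PORT:  # port alone is weaker evidence than the hostname
            hits.append("c2: outbound TCP/1604 (DarkComet default port, lower confidence)")
    label = KNOWN_SHA256.get(ev.get("sha256", "").lower())
    if label:
        hits.append(f"hash: known DarkComet {label}")
    return hits


def scan(events):
    """Map event index -> matched indicators, keeping only events that hit something."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


# Constructed sample telemetry: benign events (0 and 4) mixed with the campaign's indicators.
U = r"C:\Users\u\AppData"
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": RUN_KEY + r"\OneDrive", "value": U + r"\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "file_create", "path": U + r"\Roaming\MSDCSC\explorer.exe", "sha256": list(KNOWN_SHA256)[1]},
    {"type": "registry_set", "key": RUN_KEY + r"\Update", "value": U + r"\Roaming\MSDCSC\explorer.exe"},
    {"type": "network_connect", "image": "notepad.exe", "dest_host": "kvejo991.ddns.net", "dest_port": 1604},
    {"type": "network_connect", "image": "chrome.exe", "dest_host": "example.com", "dest_port": 443},
    {"type": "file_create", "path": U + r"\Roaming\MSDCSC\2025-10-29-4.dc"},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, hits)
```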
How Users Can Protect Themselves
Cryptocurrency users are high-value targets for cybercriminals. To stay safe:
✔ Avoid downloading Bitcoin tools from unknown websites
Use official wallet apps, trusted exchanges, and reputable crypto software only.
✔ Keep security software updated
Modern antivirus platforms can detect DarkComet variants—if they’re up to date.
✔ Treat “too good to be true” crypto tools as suspicious
Anything offering massive Bitcoin returns or exclusive wallets is a red flag.
✔ Disable macros and block unknown executables
Basic system hygiene can prevent trojans from launching.
✔ Watch for unusual system behavior
Unexpected pop-ups, slow performance, or unknown processes can indicate an infection.
Final Thoughts
This malware campaign highlights a growing trend: old threats repackaged with new lures. Cybercriminals understand the value of cryptocurrency and are exploiting user curiosity, greed, and inexperience to deploy powerful remote-access trojans like DarkComet.
As crypto adoption expands, so does the need for cybersecurity awareness. Only download tools from trusted sources—and stay alert for suspicious files disguised as Bitcoin apps.