A new campaign has surfaced in which cybercriminals are exploiting Bitcoin’s popularity to spread a repackaged version of the infamous DarkComet remote access trojan (RAT).
The malicious program disguises itself as a legitimate cryptocurrency wallet, luring victims with promises of mining or trading features. Once executed, the application silently installs a powerful espionage tool capable of complete system compromise.
DarkComet, despite being discontinued by its original developer years ago, continues to reappear in underground malware kits, proving that old threat families never truly die when source code is publicly leaked or shared.
Unpacking the Malicious Bitcoin Executable
Researchers discovered the sample masquerading as “94k BTC wallet.exe,” delivered inside a compressed RAR archive designed to evade filters and lower suspicion.
Static analysis revealed that the executable was packed with the Ultimate Packer for Executables (UPX), a technique commonly used to hide malicious payloads and evade signature-based scanners.
Examination in CFF Explorer revealed typical UPX sections, such as UPX0 and UPX1, confirming the malware’s compression.
After successful unpacking with the UPX decompression tool, the binary expanded from 325 KB to 742 KB, restoring the original Portable Executable sections, such as .text, .data, and .rdata.
The unpacked file, built using Borland Delphi 2006, was identified as a DarkComet RAT variant. File integrity checks yielded a SHA256 hash of 58c284e7bbeacb5e1f91596660d33d0407d138ae0be545f59027f8787da75eda.
Once installed, the malware copied itself as “explorer.exe” inside the user’s AppData\Roaming\MSDCSC directory and created a persistence entry in the Windows registry under the Run key, ensuring automatic execution during system startup.
DarkComet Behavior and Command Control Operations
Behavioral analysis revealed that this variant employs a mutex labeled DC_MUTEX-ARULYYD to prevent multiple instances from running simultaneously.
Network monitoring showed repeated attempts to connect to its command-and-control (C2) server at kvejo991.ddns.net on TCP port 1604, consistent with known DarkComet communication protocols.
The malware initiated several cmd.exe and conhost.exe processes before spawning notepad.exe as a decoy, injecting its payload into the legitimate process to mask malicious activity.
In parallel, it activated a keylogger that recorded keystrokes and stored them in the dclogs folder, later exfiltrating sensitive data, such as credentials and wallet details, to the remote server.
This campaign highlights how outdated but functional malware is recycled through new lures and social engineering schemes.
By combining classic Windows persistence methods with cryptocurrency-themed deception, the attackers effectively targeted digital currency enthusiasts.
Security analysts recommend avoiding unverified downloads of Bitcoin wallets or trading software, and scanning compressed files before execution to prevent infection from resurgent threats like the DarkComet RAT.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
