A new wave of DCRat backdoor attacks has emerged in 2025, leveraging the Malware-as-a-Service (MaaS) model.
Cybercriminals behind this campaign not only distribute the malware but also provide technical support and infrastructure for hosting command-and-control (C2) servers.
This resurgence highlights the growing sophistication of cybercrime targeting unsuspecting users.
The attackers are exploiting YouTube as a distribution platform for the DCRat Trojan.
They create fake accounts or hijack existing ones to upload videos promoting cheats, cracks, gaming bots, and similar software.
These videos include download links in their descriptions, directing victims to password-protected archives hosted on legitimate file-sharing platforms.
However, instead of the promised gaming tools, these archives contain the DCRat Trojan bundled with junk files to distract users.
This deceptive tactic preys on gamers and tech enthusiasts seeking free or pirated software.
DCRat: A Multifunctional Backdoor
DCRat, also known as Dark Crystal RAT, has been active since 2018 and is part of a family of remote access Trojans (RATs).
The malware not only provides backdoor access but can also load additional plugins to enhance its capabilities.
Analysts have identified 34 different plugins associated with DCRat, enabling dangerous functionalities such as keystroke logging, webcam access, file theft, and password exfiltration.
The attackers have also built an extensive infrastructure to support their operations.
They register second-level domains—primarily in the “.ru” zone—and use them to create third-level domains for hosting C2 servers.
Since the beginning of 2025, at least 57 new second-level domains have been registered by the group, with some hosting over 40 third-level domains.
Telemetry data reveals that 80% of DCRat infections have occurred on devices in Russia, with smaller numbers reported in Belarus, Kazakhstan, and China.
Interestingly, the attackers use culturally specific terms like “nyashka” and “nyashtyan” in their domain names—slang words popular among anime and manga fans that mean “cute.”
This strategy could be an attempt to appeal to certain demographics or obscure their malicious intent.
Recommendations
Kaspersky security products have successfully detected these DCRat samples under the name Backdoor.MSIL.DCRat.
However, this campaign serves as a reminder that cybercriminals are increasingly using password-protected archives to distribute various types of malware, including stealers, miners, and loaders.
To stay safe, users are strongly advised to download game-related software only from trusted sources and remain cautious of suspicious links on platforms like YouTube.
 model.){kind=link}