DarkComet
DarkComet is a Win32 remote access trojan (RAT)/backdoor for Windows NT-based systems, also tracked under the names DarkKomet, Darkkomet, Fynlos, Fynloski, and Krademok. It is built to remotely control or administer an infected computer; the connection parameters are stored encrypted inside the executable. Documented capabilities include: collecting host information such as the username; controlling processes; interpreting remote commands; listing windows; remote desktop access; managing services; modifying the Windows registry; deleting programs; modifying files through a built-in file manager; downloading, sending and executing files; executing remotely supplied JavaScript and VBScript; capturing webcam images and audio/video from the webcam or microphone; stealing clipboard contents; acting as a SOCKS proxy; redirecting IP addresses and ports; shutting down or restarting the OS; and logging keystrokes locally to %APPDATA%\dclogs in files named YY-MM-DD.dc, with the option to upload those logs to a remote FTP server. DarkComet can also disable Security Center and antivirus-related functions.

Recent reporting ties DarkComet-family payloads to malicious Steam Workshop wallpapers that abuse Wallpaper Engine's application-wallpaper feature, active since late 2025. One sample dropped a DarkKomet backdoor as Synaptics.exe alongside a tampered AggregatorHost.dll that located Steam, hijacked active Steam sessions, and exfiltrated stolen data to attacker-controlled infrastructure including hxxp://120.48.156[.]17/ey.php. The campaign primarily hit gamers, especially in China and Russia, and also delivered Lumma, Vidar, cryptominers, loaders, and ransomware. DarkComet is further associated with spearphishing by the ModifiedElephant threat actor against human rights activists, defenders, academics, journalists, and lawyers in India, where malicious documents delivered DarkComet and NetWire.

Additional reporting links DarkComet to Transparent Tribe-related lures targeting Indian diplomatic and military personnel. High-confidence indicators directly tied to the DarkComet-related Wallpaper Engine activity are the dropped filename Synaptics.exe, the path C:\ProgramData\Synaptics, the auxiliary file ._cache_GAME1.exe, the malicious library AggregatorHost.dll, the URL hxxp://120.48.156[.]17/ey.php, and the detection name HEUR:Backdoor.Win32.DarkKomet.
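As an added example (not code from this page or from any vendor cited on it), the following Python script turns the indicators above, including the %APPDATA%\dclogs keylogger artefact, into a small hunt over constructed Sysmon-style event records. The event field names, the sample events and the Wallpaper Engine parent path are assumptions, not a real log schema; the keylog filename pattern is deliberately broadened beyond the page's YY-MM-DD.dc to also accept a four-digit year and a numeric suffix.

```python
from __future__ import annotations

import re

# Indicators taken from the Wallpaper Engine / DarkKomet reporting on this page.
SYNAPTICS_IMAGE = r"c:\programdata\synaptics\synaptics.exe"
AUX_FILE = "._cache_game1.exe"
MALICIOUS_LIB = "aggregatorhost.dll"
C2_IP = "120.48.156.17"

# DarkComet keylogger artefact: %APPDATA%\dclogs\<date>.dc. The page gives YY-MM-DD.dc;
# the pattern is broadened (assumption) to a 2- or 4-digit year and an optional -N suffix.
DCLOG_RE = re.compile(r"\\dclogs\\\d{2,4}-\d{2}-\d{2}(?:-\d+)?\.dc$", re.IGNORECASE)


def classify(event: dict) -> list[str]:
    """Return the indicator names an event matches; an empty list means no match.

    Events are assumed to carry Sysmon-like fields: event, image, target,
    image_loaded, dest_ip. These field names are an assumption, not Sysmon's schema."""
    hits: list[str] = []
    kind = event.get("event")
    image = str(event.get("image", "")).lower()

    if kind == "process_create":
        if image == SYNAPTICS_IMAGE or image.endswith("\\" + AUX_FILE):
            hits.append("synaptics_dropper_image")
    elif kind == "image_load":
        loaded = str(event.get("image_loaded", "")).lower()
        # Any load of a DLL by this name is worth a look; confirm the loading
        # process, the DLL's path and its hash before acting on the hit.
        if loaded.endswith("\\" + MALICIOUS_LIB):
            hits.append("aggregatorhost_dll_load")
    elif kind == "file_create":
        if DCLOG_RE.search(str(event.get("target", ""))):
            hits.append("darkcomet_keylog_file")
    elif kind == "network_connect":
        if event.get("dest_ip") == C2_IP:
            hits.append("known_c2_ip")
    return hits


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run classify() over a batch; return (index, hits) for every event that matched."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]


# Constructed sample telemetry (not real logs): the infection chain as the page describes it,
# followed by two benign events that must not match.
SAMPLE_EVENTS: list[dict] = [
    {"event": "process_create",
     "image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "parent": r"C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\wallpaper64.exe"},
    {"event": "image_load",
     "image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "image_loaded": r"C:\ProgramData\Synaptics\AggregatorHost.dll"},
    {"event": "file_create",
     "image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "target": r"C:\Users\alice\AppData\Roaming\dclogs\26-01-14.dc"},
    {"event": "network_connect",
     "image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "dest_ip": "120.48.156.17", "dest_port": 80},
    {"event": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": "file_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\report.dc"},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)} <- {SAMPLE_EVENTS[idx]['image']}")
```

Feed it your own process-creation, image-load, file-creation and network-connection records mapped onto the assumed field names; a hit on the dclogs pattern or on the Synaptics image is strong on its own, whereas the AggregatorHost.dll and C2-IP rules only name the artefacts the page lists and still need the path, hash and destination confirmed against current reporting before response.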
Vulnerabilities exploited
5 CVEs have been correlated with this family across public research and vendor advisories. None of them is a vulnerability in DarkComet itself: all five are older Microsoft Office document-parsing bugs exploited by the lure documents that deliver the RAT.

CVE | Evidence
CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, CVE-2015-1641 | "Observed lure documents repeatedly made use of CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, CVE-2015-1641 exploits to drop and execute their malware of choice." | "The threat actor uses spearphishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers... The primary malware families deployed were NetWire and DarkComet remote access trojans (RATs)."
CVE-2010-3333, CVE-2012-0158 | "...spear-phishing emails with malicious RTF files exploiting CVE-2010-3333 or CVE-2012-0158..." | "...off-the-shelf remote administration tools (RATs) and downloaders, such as DarkComet and Bozok."
Groups observed using it
8 distinct threat actors have been attributed by public researchers; the evidence excerpts below cover a subset of them.
The threat actor uses spearphishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers... The primary malware families deployed were NetWire and DarkComet remote access trojans (RATs).
The top 10 of the RATs used in Nigerian BEC scams is formed by NetWire, DarkComet, NanoCore, LuminosityLink, Remcos, ImminentMonitor, NJRat, Quasar, Adwind, and Hworm.
google.wwwhost.biz also hosted two DarkComet samples, which communicated with r.ddns.me, which shared IP address 198.105.125.158 with a.ddns.me, which shared IP address 23.229.3.37 with MOLERATS domain test.cable-modem.org.
DarkComet (Backdoor.Breut): Another commodity RAT used to open a backdoor on an infected computer and steal information.
Malware associated with BlueNorOff include: "DarkComet, Mimikatz, Nestegg, Macktruck, WannaCry, Whiteout, Quickcafe, Rawhide, Smoothride, TightVNC, Sorrybrute, Keylime, Snapshot, Mapmaker, net.exe, sysmon, Bootwreck, Cleantoad, Closeshave, Dyepack, Hermes, Twopence, Electricfish, Powerratankba, and Powerspritz"
Techniques & procedures
30 distinct techniques documented for this family, organized by tactic. The tactic labels below are the page's own; "Stealth" and "Defense Impairment" are not ATT&CK tactic names and correspond to ATT&CK's Defense Evasion tactic.
Resource Development
1 technique
Execution
6 techniques
Researchers discovered dozens of malicious wallpapers on Steam Workshop that abused Wallpaper Engine's Application Wallpaper feature to execute malware on users' PCs.
The program performs the following functions: Running JavaScript / VBScript scripts sent remotely.
The app supports four wallpaper types, and one of them, the "application wallpaper," is a standalone executable Windows program that runs as the desktop background. That also makes it a pathway for third-party code to execute on a user's machine, which is exactly what attackers exploited.
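The passage above describes the mechanism but not how to find such items on a host. Added example, not code from this page or from Wallpaper Engine's developers: a Python audit that lists every installed Workshop item declared as an application wallpaper together with the executable it would run. It assumes Workshop items are installed under steamapps/workshop/content/431960/<item id>/project.json (431960 is Wallpaper Engine's Steam app ID) and that application wallpapers set "type": "application" with the program named in "file"; both the layout and the key names are assumptions, and the sample tree is constructed.

```python
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Steam app ID of Wallpaper Engine. Workshop subscriptions are assumed to be installed
# under <steam>/steamapps/workshop/content/431960/<item id>/ (default Steam layout).
WALLPAPER_ENGINE_APPID = "431960"


def audit_workshop(content_dir: Path) -> list[dict]:
    """List Workshop items whose project.json declares an application wallpaper.

    Assumption: an application wallpaper sets "type": "application" and names the
    program it launches in "file". Every such item is third-party code that runs
    as the desktop background, so each one is reported with its executable."""
    findings: list[dict] = []
    for project in sorted(content_dir.glob("*/project.json")):
        try:
            meta = json.loads(project.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed metadata: skip it, do not abort the audit
        if str(meta.get("type", "")).lower() != "application":
            continue
        exe = str(meta.get("file", ""))
        exe_path = project.parent / exe if exe else None
        findings.append({
            "item_id": project.parent.name,
            "title": meta.get("title", ""),
            "executable": exe,
            "executable_present": bool(exe_path and exe_path.is_file()),
        })
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed sample Workshop tree: one scene wallpaper and one application wallpaper."""
    content = root / "steamapps" / "workshop" / "content" / WALLPAPER_ENGINE_APPID
    benign = content / "1000000001"
    benign.mkdir(parents=True)
    (benign / "project.json").write_text(json.dumps(
        {"title": "Calm Ocean", "type": "scene", "file": "scene.pkg"}))
    app = content / "1000000002"
    app.mkdir(parents=True)
    (app / "project.json").write_text(json.dumps(
        {"title": "Live Game Wallpaper", "type": "application", "file": "wallpaper_app.exe"}))
    (app / "wallpaper_app.exe").write_bytes(b"MZ")  # placeholder bytes, not a real program
    return content


def demo() -> list[dict]:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_workshop(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['item_id']}: {f['title']!r} runs {f['executable']} "
              f"(present: {f['executable_present']})")
```

On a live Windows host, point audit_workshop at the real content directory (with a default Steam install that would be C:\Program Files (x86)\Steam\steamapps\workshop\content\431960, an assumed path) and review every executable it reports; hash each one and check whether it writes anything under C:\ProgramData\Synaptics, the drop location the page records for this campaign.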
Persistence
3 techniques
Privilege Escalation
2 techniques
Stealth
2 techniques
Defense Impairment
1 technique
Credential Access
4 techniques
The program performs the following functions: Saving keystrokes to a file ... Sending keystroke logs to a remote FTP server.
That library locates the running Steam app, hunts for account credentials, hijacks the live session, and ships the data to a command-and-control server.
Discovery
4 techniques
The program performs the following functions: Obtaining a list of windows.
The program performs the following functions: ... Controlling processes.
Collection
5 techniques
The program performs the following functions: Saving keystrokes to a file ... Sending keystroke logs to a remote FTP server.
The program performs the following functions: Capturing clipboard contents.
The program performs the following functions: Capturing video and audio from a webcam or microphone.
Command and Control
5 techniques
That library locates the running Steam app, hunts for account credentials, hijacks the live session, and ships the data to a command-and-control server.
The program performs the following functions: Acting as a SOCKS proxy server.
Indicators of Compromise (IOC) List Domain/URL: http://202.144.192.29/download2/Themes2.zip ... http://brightly.to/download2/Themes2.zip ... https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 ... https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Exfiltration
1 technique
IOCs tracked for this family
61 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering three groups: IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting. Only the indicators quoted elsewhere on this page are reproduced here; the full values are available in Mallory.
Recent activity
67 sources tracked across advisories, community write-ups, and news. The most recent entries all concern the Steam Workshop Wallpaper Engine campaign:
Backdoor/RAT payload dropped via malicious Steam Wallpaper Engine packages to hijack Steam sessions and support account theft and further propagation.
Remote access trojan/backdoor delivered via malicious Steam Workshop Wallpaper Engine application wallpapers; used to establish backdoor access on infected systems.
Backdoor/RAT family deployed via malicious Wallpaper Engine projects; in the described sample it was installed under the name Synaptics.exe as part of the infection chain.
Backdoor malware used in the malicious Steam Workshop wallpaper campaign to execute on victims' PCs and enable unauthorized access.