DarkMe RAT
DarkMe RAT is a custom Visual Basic 6 remote access trojan and the signature malware associated with the WaterHydra/DarkCasino APT lineage. In the referenced investigation, seven DarkMe samples shared command-and-control infrastructure with a QuasarRAT deployment, including 91.124.98.29:2626, and additional infrastructure mapping associated 38.57.44.173:4242 with a DarkMe RAT C2 that was offline at the time of reporting. The malware was linked with moderate-to-high confidence to WaterHydra/DarkCasino through shared DarkMe tooling, forex-focused targeting, and reuse of the VB6 developer workspace path C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb, a path previously observed in Evilnum and WaterHydra samples from 2022 and 2024. Nine DarkMe samples from 2023 to 2026 shared the identical VB6 import hash 3e847ec4ad926dd89c2f4cb28d036c11, which was assessed to indicate the same builder.
DarkMe RAT uses reversed UTF-16LE command strings and a SOCKET_WINDOW class for asynchronous C2 communication. Reported command capabilities include shell execution via SHLEXE, file operations, directory mapping, ZIP archive creation, and system reconnaissance. The broader operator infrastructure included Windows servers managed through AnyDesk on TCP port 7070, which were assessed to provide GUI access to hosts running DarkMe RAT, Flask bot relays, and other C2 tooling.
The activity described in the report was associated with an actor using the handle evilgrou-tech and attributed to the WaterHydra/DarkCasino lineage. Targeting noted in the report included forex traders in Italy and cryptocurrency users associated with "Pumpfun." Two DarkMe samples were reported as carrying self-signed certificates impersonating Microsoft under the subjects "Microsoft Corporation" and "Microsoft Windows Publisher."
Vulnerabilities exploited
2 CVEs have been correlated with this family across public research and vendor advisories.
DarkMe RAT is the signature malware of the WaterHydra/DarkCasino APT group. Seven DarkMe samples were found sharing the same C2 IP as the QuasarRAT deployment. DarkMe is a custom VB6 RAT with reversed UTF-16LE command strings, a SOCKET_WINDOW class for asynchronous C2 communication, and a command set including shell execution (SHLEXE), file operations, directory mapping, ZIP archive creation, and system reconnaissance.
Groups observed using it
3 distinct threat actors have been attributed by public researchers.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (4 techniques)
- T1059.001 PowerShell: Multi-stage PS1 loaders with AMSI bypass
- T1059.005 Visual Basic: DarkMe VB6 RAT, forex.sct COM scriptlet
Persistence (3 techniques)
- DarkMe EXE variants write to HKLM\...\RunOnce\*RD_ via WScript.Shell.RegWrite ...
- T1112 Modify Registry: COM object persistence, Run keys
Privilege Escalation (2 techniques)
Stealth (6 techniques)
- T1027 Obfuscated Files: AES encryption, reversed strings, steganography
- T1036 Masquerading: AnyDesk disguised as legitimate remote support
- T1036.001 Invalid Code Signature: Fake "Microsoft Corporation" and "Microsoft Windows Publisher" certs
- Process Masquerading, drops as: RuntimeBroker.exe, ctfmon.exe, dwm.exe, TextInputHost.exe, chrome_update.exe, edge_update.exe, windows_update.exe
Defense Impairment (2 techniques)
Credential Access (1 technique)
Collection (3 techniques)
Command and Control (5 techniques)
- T1071.001 Web Protocols: GitHub raw content for payload staging
- T1105 Ingress Tool Transfer: GitHub-staged AES-encrypted payloads
- T1219 Remote Access Software: AnyDesk for persistent operator access to C2 infrastructure
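As an added detection example (not code from the report or from Mallory), the following Python checks constructed Sysmon-style events for two host artifacts listed above: RunOnce values prefixed *RD_ and the masquerading process names. The legitimate-directory mapping, the event field names and the sample events are this example's assumptions.

```python
import ntpath

# Drop names the report lists, mapped to the directory a genuine binary of that name
# lives in (directory mapping is this example's assumption; None means no legitimate
# Windows binary carries the name, so any sighting is flagged).
MASQUERADE_NAMES = {
    "runtimebroker.exe": r"c:\windows\system32", "ctfmon.exe": r"c:\windows\system32",
    "dwm.exe": r"c:\windows\system32", "textinputhost.exe": r"c:\windows\systemapps",
    "chrome_update.exe": None, "edge_update.exe": None, "windows_update.exe": None,
}

def check_registry(event):
    """Sysmon EventID 13 (registry value set): flag *RD_ values written under RunOnce."""
    key, _, value_name = event.get("TargetObject", "").rpartition("\\")
    if key.lower().endswith("\\runonce") and value_name.startswith("*RD_"):
        return f"RunOnce persistence value {value_name} written by {event.get('Image')}"
    return None

def check_process(event):
    """Sysmon EventID 1 (process create): flag listed names run from unexpected paths."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    if name not in MASQUERADE_NAMES:
        return None
    expected, directory = MASQUERADE_NAMES[name], ntpath.dirname(image).lower()
    if expected is None or not directory.startswith(expected):
        return f"masquerading process {name} started from {directory}"
    return None

def scan(events):
    """Return one alert string per matching event, in input order."""
    alerts = []
    for ev in events:
        hit = check_registry(ev) if ev["EventID"] == 13 else check_process(ev)
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample telemetry (not taken from the report): first and last are benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\RuntimeBroker.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\chrome_update.exe"},
    {"EventID": 13, "Image": r"C:\Users\Public\dwm.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_svc"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Installer"},
]
if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The `*` prefix on a RunOnce value name makes Windows run the entry even in Safe Mode, so the value-name check is the narrow, low-noise part of this rule; the path check on system binary names is the part to tune against your own software inventory.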
IOCs tracked for this family
19 indicators have been attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, DNS infrastructure and file hashes (MD5, SHA-1, SHA-256).
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Remote access trojan with C2 infrastructure observed on port 4242; the report describes AnyDesk being used by the operator to manage Windows servers hosting DarkMe RAT C2 components.
A custom VB6 remote access trojan associated with WaterHydra/DarkCasino. It provides shell execution, file operations, directory mapping, ZIP archive creation, reconnaissance, screenshot capability, and keylogging.