
DarkGate spreads to 30+ countries via novel HTML phishing


Illustration: Suttipun | Shutterstock

A novel DarkGate cyberattack is spreading globally through an HTML phishing page exploiting the AutoHotkey utility. The malware is designed to exfiltrate sensitive information like credentials, financial data, or intellectual property, leading to severe consequences for affected individuals or organisations.

The countries affected include the US, Canada, Brazil, the UK, Spain, Turkey, India, China, Australia, Colombia, Peru, Argentina, Chile, Mexico, Morocco, Ghana, Ethiopia, South Africa, Norway, Finland, Germany, Poland, Netherlands, Switzerland, Italy, Romania, Denmark, United Arab Emirates, Myanmar, Cambodia, Japan, Brunei, Indonesia, Philippines, and Tasmania.

The initial phase begins with a phishing campaign using an HTML page masquerading as a legitimate document, often a Word file. Users are enticed to open this HTML page through social engineering tactics or deceptive email.

Malicious HTML page. | Source: McAfee

Upon opening the HTML page, users are prompted to view the content in a mode like ‘Cloud View,’ creating a false sense of security and encouraging further interaction with the malicious content. Once users opt for ‘Cloud View,’ DarkGate initiates a redirection process that leads to the opening of Windows Explorer or a similar file browsing interface. This redirection is critical as it paves the way for subsequent malicious actions.

Upon scrutiny, experts identified complex encoding and decoding mechanisms embedded within the HTML code, indicating DarkGate’s sophisticated evasion techniques. The analysis uncovered a string encoded in reverse Base64 format and a JavaScript function designed to reverse strings, suggesting an attempt to decode or manipulate encoded data for malicious purposes.

DarkGate infection chain. | Source: McAfee

“In our investigation, we sought to trace the origin of the described phishing scheme back to its parent HTML file. Upon inspection, the image’s highlighted content may be a string encoded in reverse Base64 format. This suspicion arises from the presence of a JavaScript function (shown in the figure below) designed to reverse strings, which suggests an attempt to decode or manipulate encoded data,” noted researchers from McAfee.
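As an added example (not McAfee's or the article's code), here is a small Python triage helper for the obfuscation described in the paragraph above and in the McAfee quote: it flags the JavaScript string-reverse idiom and decodes quoted Base64-looking literals that only decode cleanly after being reversed. The HTML sample is constructed for this example, and the decoded text is a harmless placeholder rather than anything from the real campaign.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# The JavaScript idiom the analysis points to: s.split("").reverse().join("")
REVERSE_IDIOM = re.compile(
    r"split\(\s*[\"']{2}\s*\)\s*\.reverse\(\)\s*\.join\(\s*[\"']{2}\s*\)"
)
# Quoted literals that look like Base64 (16+ alphabet chars).
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/=]{16,})[\"']")

# Constructed sample page (assumption, not the real phishing HTML):
# the literal is stored reversed and un-reversed by r() before atob().
_PLACEHOLDER = b"CONSTRUCTED-SAMPLE: next-stage placeholder"
SAMPLE_HTML = (
    "<html><body><script>\n"
    'function r(s){return s.split("").reverse().join("");}\n'
    'var x = "' + base64.b64encode(_PLACEHOLDER).decode()[::-1] + '";\n'
    "var y = atob(r(x));\n"
    "</script></body></html>\n"
)


def _decode_if_text(candidate: str) -> Optional[bytes]:
    """Strict Base64 decode; accept only output that is mostly printable ASCII."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return raw if printable / len(raw) > 0.9 else None


def find_reversed_base64(html: str) -> Dict[str, object]:
    """Report the reverse idiom and any literals that decode once reversed."""
    findings: List[Dict[str, str]] = []
    for m in B64_LITERAL.finditer(html):
        literal = m.group(1)
        decoded = _decode_if_text(literal[::-1])  # reverse first, then decode
        if decoded is not None:
            findings.append({"literal": literal,
                             "decoded": decoded.decode("ascii", "replace")})
    return {"has_reverse_idiom": bool(REVERSE_IDIOM.search(html)),
            "reversed_base64": findings}


if __name__ == "__main__":
    print(find_reversed_base64(SAMPLE_HTML))
```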

Within the manipulated Windows Explorer interface, users encounter files or folders that mimic legitimate platforms such as ‘onedrive.live.com,’ adding a layer of deception to the malicious activity.

Malicious content often includes an Internet Shortcut (.url) file designed to exploit vulnerabilities or bypass security measures, enabling the execution of malicious scripts or actions on the users’ system.

Upon interaction with the malicious .url file, DarkGate executes a VBScript file, which acts as the trigger for its payload delivery mechanism and facilitates more advanced malicious actions.

DarkGate leverages PowerShell, a powerful scripting language, to download and execute additional scripts or commands from remote locations. This enables the malware to establish command and control (C2) communications, download further payloads, and execute various malicious activities.

Affected countries. | Source: McAfee

In certain cases, DarkGate utilises the AutoHotkey utility, which automates tasks in Windows, to carry out specific actions such as keystroke simulation, mouse movements, or system settings manipulation to advance its malicious objectives.

The malware exploits vulnerabilities such as CVE-2023-36025 and CVE-2024-21412 to evade security mechanisms such as Microsoft Defender SmartScreen, ensuring its activities go undetected and allowing it to execute malicious actions without triggering alarms.

To persist on compromised systems, DarkGate may drop files or create shortcuts in startup folders, establishing communication with command and control (C2) servers for data exfiltration, command reception, and ongoing malicious activities.

DarkGate, identified as a Remote Access Trojan (RAT) built using Borland Delphi, has been operating since at least 2018. It is promoted as a Malware-as-a-Service (MaaS) offering on a Russian-language cybercrime forum. It boasts a range of malicious capabilities, such as process injection, file download and execution, data theft, shell command execution, and keylogging.

Researchers have urged users to verify sender information, exercise caution with links, use email filters, and stay updated by following the latest cybersecurity news to mitigate the threat.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
