The emergence of cryptocurrency has inadvertently opened doors for cybercriminals, who are now capitalizing on the enthusiasm of unsuspecting users. A recent malware campaign has revealed that attackers are cleverly masking the infamous DarkComet remote access trojan as applications related to Bitcoin, specifically targeting cryptocurrency aficionados who may download tools from unverified sources.
This campaign underscores a troubling trend: the resurgence of longstanding threats, now enhanced by modern social engineering tactics. DarkComet RAT, a well-known remote access trojan, grants attackers comprehensive control over compromised systems. Although its original creator discontinued it years ago, the malware continues to thrive in underground forums, proving to be remarkably effective.
DarkComet offers a range of capabilities that pose significant risks, especially for cryptocurrency users. Features such as keystroke logging, file theft, webcam surveillance, and remote desktop control can lead to devastating financial losses when credentials are stolen. In this particular campaign, the malicious file was distributed as a compressed RAR archive, cleverly disguised as “94k BTC wallet.exe.”
Wrapping the executable in an archive lets it slip past mail and download filters that block bare .exe attachments, which lowers detection rates at the delivery stage. To frustrate static analysis, the executable itself was packed with UPX (Ultimate Packer for Executables). UPX is a stock open-source packer rather than a custom protector: a sample packed with an unmodified UPX can usually be restored with `upx -d`, and the packed file is easy to recognise because its section table carries the names UPX0 and UPX1 instead of the usual .text and .data.
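The packing check described above, as an added example (not code from the article or from Point Wild): a minimal PE section-table parser that flags the UPX section names on a packed file and shows the ordinary .text/.data/.idata layout on an unpacked one. The two PE images are constructed in the block itself so it runs offline; they carry only the headers a section-name check reads and are not real samples.

```python
import struct

# Section names an unmodified UPX build writes. A packer that renames its
# sections defeats this check, so treat a hit as a hint, not a verdict.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data: bytes) -> list[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names in file order. Raises ValueError on a malformed image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_offset:pe_offset + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = pe_offset + 4                                          # IMAGE_FILE_HEADER (20 bytes)
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)    # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)       # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                  # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        entry = table + i * 40                                    # each header is 40 bytes
        raw = data[entry:entry + 8]                               # 8-byte, NUL-padded Name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section name matches the stock UPX naming."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def build_minimal_pe(section_names: list[str]) -> bytes:
    """Constructed test image: a DOS header with e_lfanew, the PE signature,
    a PE32 COFF + optional header (zeroed) and a section table with the given
    names. Nothing else is populated; it is not loadable, only parseable."""
    pe_offset = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", pe_offset)).ljust(pe_offset, b"\x00")
    opt_size = 0xE0                                               # PE32 optional header size
    coff = struct.pack("<HHIIIHH",
                       0x014C,                                    # Machine: i386
                       len(section_names),                        # NumberOfSections
                       0, 0, 0,                                   # timestamp, symtab ptr, nsyms
                       opt_size,
                       0x0102)                                    # EXECUTABLE_IMAGE | 32BIT_MACHINE
    optional = b"\x0b\x01" + b"\x00" * (opt_size - 2)             # Magic 0x10b (PE32), rest zeroed
    table = b"".join(n.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + optional + table


# Constructed stand-ins for the packed download and the unpacked DarkComet binary.
PACKED_SAMPLE = build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
UNPACKED_SAMPLE = build_minimal_pe([".text", ".data", ".idata"])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, pe_section_names(image), "UPX" if looks_upx_packed(image) else "no UPX names")
```

On a real file, `pe_section_names(open(path, "rb").read())` is all that is needed; the builder exists only so the example has something to parse without shipping a binary.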
Security analysts at Point Wild identified the malware while investigating suspicious Bitcoin-related applications. Their research revealed that once the fake Bitcoin tool is extracted and executed, it activates DarkComet’s full range of capabilities. Rather than offering any legitimate cryptocurrency functionality, the malware establishes persistence on the infected system and attempts to connect with its command-and-control server.
Technical Breakdown and Infection Mechanism
The malware establishes persistence by copying itself to %AppData%\Roaming\MSDCSC\explorer.exe and adding a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that points to that copy. The file name borrows the name of the legitimate Windows shell, but the real explorer.exe lives in the Windows directory, not in a user profile, so the location alone is a strong signal. Because the Run key sits under HKCU, writing it needs no administrative privileges, and the copy is launched every time that user logs on.
Further analysis revealed critical operational details embedded within the sample’s configuration. The malware employs a mutex named DC_MUTEX-ARULYYD to prevent multiple instances from running concurrently. Network analysis indicated attempts to connect to the command-and-control server at kvejo991.ddns.net over TCP port 1604. Although the server was offline during testing, the repeated connection attempts confirmed active beaconing behavior typical of DarkComet operations.
The unpacked executable displayed multiple standard PE sections, including .text, .data, and .idata. To perform keylogging and screen capture while remaining undetected, the malware injects its payload into legitimate Windows processes, such as notepad.exe. Captured keystrokes are stored in log files with names like “2025-10-29-4.dc” before being exfiltrated through the command-and-control channel.
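The indicators in the technical breakdown (the MSDCSC copy and its Run key, the beacon to kvejo991.ddns.net on TCP 1604, the DC_MUTEX- mutex, the remote thread into notepad.exe and the dated .dc keylog file) turned into a small triage routine, added here as an example; it is not code from the article or from Point Wild. The events are constructed Sysmon-style records, and their field names, the victim user name, the Run value name "Updater" and the keylog directory are assumptions made for the example, not facts from the analysis.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the published analysis of this sample.
C2_HOST = "kvejo991.ddns.net"
C2_PORT = 1604
MUTEX_PREFIX = "DC_MUTEX-"
PERSIST_DIR = "msdcsc"
RUN_KEY_FRAGMENT = r"\software\microsoft\windows\currentversion\run"
KEYLOG_NAME = re.compile(r"^\d{4}-\d{2}-\d{2}-\d\.dc$")   # e.g. 2025-10-29-4.dc
# Binaries whose name the dropped copy borrows; the genuine ones live under C:\Windows.
MASQUERADED_NAMES = {"explorer.exe"}


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (tag, detail) pairs for every event matching a DarkComet indicator.
    Event dicts are a constructed Sysmon-like shape; the keys are assumptions."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "FileCreate":
            p = PureWindowsPath(ev["path"])
            in_persist_dir = PERSIST_DIR in (part.lower() for part in p.parts)
            if in_persist_dir and p.suffix.lower() == ".exe":
                hits.append(("persistence_copy", str(p)))
            if p.name.lower() in MASQUERADED_NAMES and not str(p).lower().startswith("c:\\windows"):
                hits.append(("masquerade", str(p)))
            if KEYLOG_NAME.match(p.name):
                hits.append(("keylog_artifact", str(p)))
        elif kind == "RegistryValueSet":
            if RUN_KEY_FRAGMENT in ev["key"].lower() and PERSIST_DIR in ev["data"].lower():
                hits.append(("run_key_persistence", f'{ev["key"]} -> {ev["data"]}'))
        elif kind == "NetworkConnect":
            host = ev.get("host", "").lower()
            # Exact C2 host, DarkComet's default port, or any dynamic-DNS host: all worth a look.
            if host == C2_HOST or ev["port"] == C2_PORT or host.endswith(".ddns.net"):
                hits.append(("c2_beacon", f'{host}:{ev["port"]}'))
        elif kind == "CreateRemoteThread":
            src, dst = ev["source"], ev["target"]
            if PERSIST_DIR in src.lower() or dst.lower().endswith("notepad.exe"):
                hits.append(("process_injection", f"{src} -> {dst}"))
        elif kind == "MutexCreate":
            if ev["name"].startswith(MUTEX_PREFIX):
                hits.append(("darkcomet_mutex", ev["name"]))
    return hits


def verdict(events: list[dict]) -> str:
    """Crude scoring: two or more distinct indicator classes is a confident call."""
    classes = {tag for tag, _ in triage(events)}
    return "darkcomet_likely" if len(classes) >= 2 else ("suspicious" if classes else "clean")


DROPPED = r"C:\Users\victim\AppData\Roaming\MSDCSC\explorer.exe"
# Constructed event log for the infection chain described in the article, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "image": r"C:\Users\victim\Downloads\94k BTC wallet.exe", "path": DROPPED},
    {"type": "RegistryValueSet",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "data": DROPPED},
    {"type": "NetworkConnect", "image": DROPPED, "host": "kvejo991.ddns.net", "port": 1604},
    {"type": "CreateRemoteThread", "source": DROPPED, "target": r"C:\Windows\System32\notepad.exe"},
    {"type": "FileCreate", "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\victim\AppData\Roaming\MSDCSC\2025-10-29-4.dc"},   # keylog location assumed
    {"type": "MutexCreate", "name": "DC_MUTEX-ARULYYD"},
    {"type": "FileCreate", "image": r"C:\Windows\explorer.exe", "path": r"C:\Users\victim\Documents\notes.txt"},
    {"type": "NetworkConnect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "host": "example.com", "port": 443},
]

if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_EVENTS):
        print(f"{tag:22} {detail}")
    print("verdict:", verdict(SAMPLE_EVENTS))
```

The port and dynamic-DNS checks are deliberately broad; on real telemetry they are the ones to tune, since 1604 and ddns.net both have legitimate uses, whereas a mutex starting with DC_MUTEX- or an explorer.exe under a user profile rarely does.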
For those concerned about their cybersecurity, it is crucial to avoid downloading cryptocurrency tools from untrusted sources and to maintain updated security software to effectively detect such threats.