DarkComet RAT Hides Behind Fake Bitcoin Tools

A newly discovered malware campaign is leveraging one of cybercriminals’ most effective lures, cryptocurrency, to distribute DarkComet RAT.

This notorious remote access trojan continues to plague users despite being discontinued by its creator years ago. Security researchers have identified a suspicious executable masquerading as a Bitcoin wallet application, which, when executed, silently deploys the full arsenal of DarkComet’s spying and control capabilities.

The cryptocurrency boom has created a fertile hunting ground for attackers. Bitcoin wallets, mining software, and trading tools represent prime targets for malicious repurposing because they appeal to a large, engaged audience of users who are often willing to download tools from unverified sources.

This particular campaign capitalizes on that weakness by packaging a DarkComet RAT variant inside a RAR archive as an executable named “94k BTC wallet.exe,” complete with deceptive cryptocurrency-related branding.

The attack starts with a RAR archive (MD5: dbedd5e7481b84fc5fa82d21aa20106f) containing the malicious executable. Wrapping the payload in an archive is a cheap way to slip past mail and web filters that only inspect bare executables, and it gets the victim to extract and launch the file themselves rather than having it run from a download.

UPX packing & obfuscation

The RAR contains an executable packed with UPX, an open-source executable packer: a packed binary’s real code and import table only appear once the UPX stub decompresses them in memory, so a static look at the file on disk shows little of what the program does. The packed file is 318 KB and expands to 725 KB when unpacked, so the packed form is about 43.86% of the unpacked size.

Packing like this helps attackers by:

  • hiding code and API calls from scanners and analysts,
  • lowering static signature detection, and
  • making the payload smaller and easier to distribute.

CFF Explorer shows UPX packing — UPX0 and UPX1 sections replace normal PE sections like .text and .data.

Unpacking with the stock UPX tool (upx -d) restores the original binary; this only works because the attacker used an unmodified UPX stub, a tampered stub would require manual unpacking. The unpacked file identifies as DarkComet RAT, a fully functional backdoor compiled with Borland Delphi 2006. It also illustrates why crypto users should only download wallets from a project’s official site and verify digital signatures before running any tool.
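As an added example that is not part of the original article or of any tool it mentions, the following Python script performs the check CFF Explorer shows visually: it walks the PE section table, flags UPX-style section names, an empty-on-disk UPX0 section (the decompression target) and high-entropy data. The PE image it parses is a minimal image constructed inside the script, not the campaign sample, and the entropy and size thresholds are assumptions.

```python
import math
import random
import struct

PE32_OPTIONAL_HEADER_SIZE = 224  # size of a PE32 optional header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk the section table of a PE image and return one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(number_of_sections):
        off = table + i * 40                      # each section header is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def assess_packing(sections, entropy_threshold: float = 7.0):
    """Heuristic packing verdict. Thresholds are assumptions, not values from the article."""
    names = {s["name"] for s in sections}
    findings = []
    if names & {"UPX0", "UPX1", "UPX2"}:
        findings.append("UPX section names present")
    if not names & {".text", ".data"}:
        findings.append("no .text/.data section: standard layout replaced")
    for s in sections:
        # UPX0 is empty on disk but reserves room for the decompressed program
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x10000:
            findings.append(f"{s['name']}: 0 bytes on disk, {s['virtual_size']:#x} bytes in memory")
        if s["entropy"] >= entropy_threshold:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed or encrypted)")
    return findings


def build_sample_pe(specs):
    """Constructed minimal PE32 image (not the campaign sample); only the fields
    parse_sections reads are filled in. specs = [(name, virtual_size, raw_bytes), ...]"""
    nsec = len(specs)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x102)
    optional = bytearray(PE32_OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", optional, 0, 0x10B)                   # PE32 magic
    raw_ptr = 64 + 4 + 20 + PE32_OPTIONAL_HEADER_SIZE + 40 * nsec
    headers, blob, va = b"", b"", 0x1000
    for name, vsize, raw in specs:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                               len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0xE0000040)
        raw_ptr += len(raw)
        blob += raw
        va += (max(vsize, 1) + 0xFFF) & ~0xFFF
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + headers + blob


# Constructed sample: a UPX-style layout with a seeded pseudo-random "compressed"
# section standing in for real UPX output, plus a low-entropy resource section.
_rng = random.Random(7)
SAMPLE_SECTIONS = [
    ("UPX0", 0x60000, b""),
    ("UPX1", 0x1000, bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".rsrc", 0x400, b"\0" * 512 + b"A" * 512),
]


def analyze(image: bytes):
    sections = parse_sections(image)
    return sections, assess_packing(sections)


if __name__ == "__main__":
    secs, verdict = analyze(build_sample_pe(SAMPLE_SECTIONS))
    for s in secs:
        print(f"{s['name']:<8} raw={s['raw_size']:>6} virt={s['virtual_size']:#8x} entropy={s['entropy']:.2f}")
    for line in verdict:
        print("  -", line)
```

On a real file, read it with open(path, "rb") and pass the bytes to analyze; the same three signals (UPX names, an empty UPX0, a near-8.0 entropy UPX1) are what CFF Explorer's section view shows for this sample. Renamed sections defeat the name check, which is why the entropy and empty-section checks are kept alongside it.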

Once executed, the malware copies itself to %AppData%\MSDCSC\explorer.exe (that is, C:\Users\<User>\AppData\Roaming\MSDCSC\explorer.exe), borrowing the name of the legitimate Windows shell, which lives in C:\Windows\explorer.exe, and adds a Run entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. This relaunches the RAT at every logon of that user and maintains persistence.

Further analysis shows its command-and-control (C2) server is hardcoded to kvejo991.ddns.net:1604, the default DarkComet communication port. The dynamic-DNS hostname lets the operator move the C2 between IP addresses without rebuilding the payload. It also creates a mutex named “DC_MUTEX-ARULYYD,” following DarkComet’s usual DC_MUTEX-<random> naming, to ensure only one copy runs at a time.

The RAT includes several spying features, such as:

  • Keylogging – records user keystrokes and saves them as date-named .dc files in a “dclogs” folder.
  • Process injection – injects into normal Windows programs such as cmd.exe, conhost.exe, and notepad.exe so its activity appears to come from a trusted process.
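The persistence, mutex, C2 and keylogging traits described above reduce to a handful of host-hunting rules. The script below is an added example, not part of the article or of any vendor tooling: it runs those rules over a few constructed, Sysmon-style events. The field names are my assumptions for a normalized telemetry feed, the dynamic-DNS suffix list is a starting point rather than a complete one, and the sample events reuse only the paths, mutex, hostname and port the article reports.

```python
import re

# Traits of this campaign, expressed as patterns over normalized telemetry.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)
USERLAND_DIRS = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.I)
SYSTEM_BINARY_NAME = re.compile(r"\\(explorer|svchost|csrss|lsass|winlogon)\.exe\b", re.I)
DC_MUTEX = re.compile(r"^DC_MUTEX-[A-Z0-9]+$")
DC_KEYLOG = re.compile(r"\\dclogs\\\d{4}-\d{2}-\d{2}-\d+\.dc$", re.I)
MSDCSC_DIR = re.compile(r"\\MSDCSC\\", re.I)
DYNDNS = re.compile(r"\.(ddns\.net|no-ip\.(org|com|biz)|duckdns\.org)$", re.I)  # assumed, incomplete
INJECT_TARGETS = {"cmd.exe", "conhost.exe", "notepad.exe"}
DARKCOMET_DEFAULT_PORT = 1604

RAT_PATH = r"C:\Users\admin\AppData\Roaming\MSDCSC\explorer.exe"

# Constructed sample events (not real telemetry); mixed with benign activity.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "explorer", "data": RAT_PATH},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "mutex_create", "name": "DC_MUTEX-ARULYYD", "image": RAT_PATH},
    {"type": "network_connect", "image": RAT_PATH, "dest_host": "kvejo991.ddns.net",
     "dest_port": 1604, "proto": "tcp"},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example.org", "dest_port": 443, "proto": "tcp"},
    {"type": "file_create", "image": RAT_PATH,
     "path": r"C:\Users\admin\AppData\Roaming\dclogs\2025-10-29-4.dc"},
    {"type": "process_access", "source_image": RAT_PATH,
     "target_image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe"},
]


def _paths(ev):
    return [ev[k] for k in ("data", "image", "source_image", "target_image", "path") if k in ev]


def hunt(events):
    """Return deduplicated findings as {"rule": ..., "evidence": ...} dicts."""
    findings = []

    def add(rule, evidence):
        item = {"rule": rule, "evidence": evidence}
        if item not in findings:
            findings.append(item)

    for ev in events:
        # Any reference to the install directory is suspicious on its own.
        for p in _paths(ev):
            if MSDCSC_DIR.search(p):
                add("MSDCSC_PATH", p)
        t = ev["type"]
        if t == "registry_set" and RUN_KEY.search(ev["key"]):
            # A Run value launching a system-binary name from a user-writable dir
            if SYSTEM_BINARY_NAME.search(ev["data"]) and USERLAND_DIRS.search(ev["data"]):
                add("RUN_KEY_SYSTEM_NAME_IN_USERLAND", f"{ev['value']} -> {ev['data']}")
        elif t == "mutex_create" and DC_MUTEX.match(ev["name"]):
            add("DARKCOMET_MUTEX", ev["name"])
        elif t == "network_connect":
            if ev["proto"] == "tcp" and ev["dest_port"] == DARKCOMET_DEFAULT_PORT:
                add("DARKCOMET_DEFAULT_PORT", f"{ev['dest_host']}:{ev['dest_port']}")
            if DYNDNS.search(ev["dest_host"]):
                add("DYNAMIC_DNS_DESTINATION", ev["dest_host"])
        elif t == "file_create" and DC_KEYLOG.search(ev["path"]):
            add("DARKCOMET_KEYLOG_FILE", ev["path"])
        elif t == "process_access":
            target = ev["target_image"].rsplit("\\", 1)[-1].lower()
            if target in INJECT_TARGETS and USERLAND_DIRS.search(ev["source_image"]):
                add("INJECTION_INTO_SYSTEM_PROCESS", f"{ev['source_image']} -> {ev['target_image']}")
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']:<34} {f['evidence']}")
```

The Run-key rule is the most durable one: whatever the next variant calls itself, a value under HKCU\...\Run that starts an explorer.exe from AppData is never legitimate, because the real shell lives in C:\Windows. The mutex, port and dclogs rules are specific to DarkComet and cheap to add, but a rebuilt payload can change all three.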

This campaign proves one thing: old malware never truly dies. Once a tool’s builder or source code is freely circulating, variants like DarkComet keep resurfacing in new wrappers, years after the original project was abandoned.

Organizations should enable application allowlisting, alert on Run-key entries that launch executables from a user’s AppData directory and on outbound connections to dynamic-DNS hostnames, and remind users not to download crypto tools from unverified sources.

Indicators of Compromise (IOCs)

Category                  Indicator / Details
Archive file (SHA-256)    11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377
Payload EXE (SHA-256)     5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554
Unpacked EXE (SHA-256)    58c284e7bbeacb5e1f91596660d33d0407d138ae0be545f59027f8787da75eda
Install path              C:\Users\<User>\AppData\Roaming\MSDCSC\explorer.exe
Registry key              HKCU\Software\Microsoft\Windows\CurrentVersion\Run\explorer → C:\Users\admin\AppData\Roaming\MSDCSC\explorer.exe
Mutex                     DC_MUTEX-ARULYYD
C2 domain                 kvejo991.ddns.net
C2 port                   1604 (TCP)
Keystroke capture log     2025-10-29-4.dc

About the Author:

FirstHackersNews- Identifies Security