DarkWatchMan RAT blog

Sophisticated DarkWatchMan RAT Spreads Through Phishing Sites

Malware Evades Detection by Lurking in Windows Registry

Phishing attacks pose an ongoing and widespread danger to both individuals and organizations. To trick users into divulging sensitive information like passwords and credit card details, Threat Actors (TAs) employ various tactics, including phishing websites. Attackers often use these fraudulent websites to distribute their malicious software, taking advantage of users’ trust in legitimate-looking sites.

Recently, Cyble Research and Intelligence Labs (CRIL) have identified a phishing website that imitated a renowned Russian website, CryptoPro CSP. TAs were using this website to distribute DarkWatchman malware.

DarkWatchman was first detected in 2021, with the primary targets being Russian users. DarkWatchman is a Remote Access Trojan (RAT) type that enables attackers to gain remote control over compromised systems and extract sensitive data. Its malicious capabilities include capturing keystrokes, clipboard data, and system information. Notably, DarkWatchman avoids writing the captured data to disk and instead stores it in the registry, thereby minimizing the risk of detection.

On the phishing website hxxps[:]//cryptopro-download[.]one, users are presented with the option to download a malicious file called “CSPSetup.rar.” To access the contents of this file, a password is provided for extraction.

The figure displayed below depicts the phishing website.

Figure 1 – Phishing Site

Upon extraction, the malicious archive includes two files, CSPSetup.exe, and readme.txt. If executed, CSPSetup.exe installs the DarkWatchman malware. The readme.txt file, which is written in Russian and included in the archive, implies that the malware specifically targets users in Russia.

The figure below shows the files inside the “CSPSetup.rar” archive.

Figure 2 – Extracted Files from the RAR archive

Technical Analysis

The file “CSPSetup.exe” (SHA 256: d439a3ce7353ef96cf3556abba1e5da77eac21fdba09d6a4aad42d1fc88c1e3c) is an SFX archive file.

More information about this file can be seen in the figure below.

Figure 3 – Static File details

Upon execution of CSPSetup.exe, the executable drops the DarkWatchman RAT in %temp% location named “144039266“, which is a JavaScript file. Subsequently, it runs the JavaScript file with the following two commands in sequence via the command prompt.

  • C:\Windows\System32\cmd.exe” /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath “C:”) & (start /MIN wscript.exe /E:jscript 144039266 131 “C:\Users\User Profile\Desktop\CSP\CSPSetup.exe”

The initial command initiates PowerShell to include the “C:\” drive as a path to exclusion for Windows Defender.

The second command uses Windows Script Host (wscript.exe) to execute the JavaScript file named “144039266”, which uses two parameters, numeric value and path of the “CSPSetup.exe.”

In addition, the CSPSetup.exe program drops a file called “291529489” in the same folder, which serves as an encrypted keylogger.

Entry Point

Once the JavaScript is launched successfully, the execution flow starts from this function, which is responsible for initializing global variables, installing a keylogger, and configuring the RAT.

The entry point function is depicted in the figure below.

Figure 4 – entry_point() function with 3 conditions to execute

The entry_point() function triggers three other functions such as init_globals(),start_instance(), and install().

  • init_globals() – Initializes Global Variables
  • install() – Responsible for deploying the RAT, keylogger, and wrapper file in the victim’s machine.
  • start_instance() – This is the main function of DarkWatchman RAT, which is responsible for executing various malicious activities, including keylogging and sending the user’s data to the C&C server.

To proceed with the RAT installation, the entry_point() function evaluates three conditions:

  • First, the JavaScript verifies that the command-line argument has a non-zero length and terminates if it is found to be empty. Otherwise, it will continue execution.
  • Next, it checks whether the first parameter is a numeric value (in this case, it is “131”).
  • Finally, the script checks if the registry value “HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM\< uid + 0 >” exists. If the key does not exist, it calls the install() function to launch the RAT, or the start_instance() function is executed.

The malware saves all its configuration and the keylogger file content in the above-mentioned registry key.

Init Global

This code block initializes a set of global variables that will be utilized throughout the entire execution of the RAT. These variables involve creating objects for performing operations on the Windows Shell, File System, Registry, WMI, and more, which can be shown in the figure below.

Figure 5 – JavaScript code for initializing global variables

The init_globals() function comprises two sub-functions, namely get_uid() and is_admin(), which are extensively used in other parts of JavaScript.


The purpose of the function called get_uid() is to obtain a unique identifier (UID) for the system currently in use. It does so by accessing a specific registry value: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid”.

It retrieves data from the registry value and returns the first eight characters in lowercase as the UID.

This UID with several alphanumeric combinations will be used as the registry value for the RAT operations. For example, the table below contains a few UIDs with their corresponding purpose.

uid+hClear browser history
uid+1Compiling keylogger
uid+zStop rat
uid+cC&C server


This function determines whether the user has administrative privileges on the system by creating a registry value “HKEY_CLASSES_ROOT\WinNT\test” and writing a value of 1 to it using the RegWrite method. It then checks if the value can be read using the RegRead method. If it is 1, it indicates that the user has written permissions and therefore confirms the administrative privileges.

If the value cannot be read or is not 1, the function returns false, indicating that the user does not have administrative privileges. The function ends by deleting the registry value using the RegDelete method.

The below figure shows the function code of is_admin().

Figure 6 – Function to check if the user has administrative privileges

After obtaining the necessary global variables and user permission information, the script proceeds to initiate the installation process of RAT on the victims’ system.


The function is responsible for deploying the DarkWatchman RAT and the keylogger on the system. The below figure shows the beginning code snippet of the Install() function.

Figure 7 – The beginning of the install() function

  • The first step of the function involves verifying whether the command line contains more than one parameter. If the condition is satisfied, the function then tries to remove the “CSPSetup.exe” file from the system.
  • Afterward, the script verifies if the user has administrative privileges. If so, it runs a PowerShell command to add an exclusion path for Windows Defender, specifically excluding the \appdata\local folder from being scanned.
    • powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath “‘ + f.Self.Path + ‘”‘, 0, false
  • Next, the JavaScript file generates a filename by combining the unique identifier “uid” with the string “0.js” and creates a copy of itself in the below location.
    • “C:\\Users\\User Profile\\AppData\\Local\\5d202e6e0.js”
  • If the copying of the file is successful, the script then proceeds to create a task scheduler entry in the system that will run the copied script every time the system starts up.

The figure below shows the Task Scheduler entry created by the DarkWatchman RAT.

Figure 8 – Establishing Persistence Using Task Scheduler

The remaining code within the install() function is shown in the figure below.

Figure 9 – Remaining Code of the install() function

  • The following section of the function checks for the existence of an encoded keylogger file called “291529489” in the %temp% directory. If the file exists, the function reads its contents and removes the file from the disk as shown in the figure below.
Figure 10 – Function Removes Keylogger file and saves the content into Registry

  • After deleting the file “291529489”, The JavaScript file proceeds to write the content of the encrypted file to the registry as Base64 encoded data. To accomplish this, the script extracts a 4-byte key from the first 8 characters of the input string and XORs the remaining characters of the string with the key to obtain the data.

Finally, the decrypted Base64 encoded data is saved to the registry with the registry value of “uid+1”, as shown in the below figure.

Figure 11 – RAT decrypts the keylogger code and stores it in the registry

  • Then, the RAT proceeds to execute the newly copied JS file by passing the below command-line argument through the Windows Management Instrumentation (WMI) service.
    • “C:\\Windows\\SysWOW64\\wscript.exe \”C:\\Users\\User Profile\\AppData\\Local\\5d202e6e0.js\” 131″
  • Next, the function registers the “dynwrapx.dll” library by copying it to the %temp% directory and running the “regsvr32.exe” command with the “/i” and “/s” flags to install the library silently.

The image below shows the code for launching the wrapper file.

Figure 12 – Launching wrapper file

  • Furthermore, the RAT executes a system command to delete all the restore points on the computer silently using the “vssadmin.exe”:
    • wscript_shell.Run(‘vssadmin.exe Delete Shadows /All /Quiet’, 2, false);
  • The final step is a popup message box with the text “Unexpected end of the file.” The popup will be displayed for 30 seconds with the title “Error”.

Start Instance

The start_instance() function is an essential part of the DarkWatchman RAT script, as it performs a set of standard operations every time the RAT runs.

The figure below shows the code snippet of the start_instance() function.

Figure 13 – start_instance() function

The script performs the following actions:

  • The RAT checks whether an autostart JavaScript file exists in the system registry and executes it if found.
  • Then, it retrieves the converted keylogger code stored in the registry and passes it to PowerShell via the “StartProcessViaWMI” function to execute. The command line is as follows:
    • ‘powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc ‘ + Base64 Encode data (stored in the registry)

The keylogger records keystrokes, clipboard data, and smart card information in the registry to minimize the risk of detection. The keylogger in DarkWatchman does not have any direct communication with the Command-and-Control (C&C) server or write any data to the disk. Instead, it stores its captured data in the registry value that is used as a buffer.

The RAT regularly retrieves and clears the buffer before transmitting the collected keystrokes to the C&C server.

The figure below shows the captured clipboard content stored in the registry.

Figure 14 – Captured clipboard content stored in the registry

  • Next, the function attempts to connect to a C&C URL retrieved from the registry key uid + ‘c’.

The below figure shows the registry value containing the URL.

Figure 15 – Retrieving C&C url from the registry

If the C&C connection fails, it generates a new URL using the hardcoded domains, salt value, and zones that are present in the JavaScript file. The below image shows the list of seeded domains, salt values, and zones used by DarkWatchman RAT.

Figure 16 – C&C Server List

  • After that, the RAT collects the victim’s system information, such as operating system version, locale, computer name, username, domain role, and antivirus software. It then formats this information into a string and sends it to the C&C server. Then it goes into sleep mode for 60 seconds.

The below figure shows the data to be captured in the victim’s machine

Figure 17 – Data Exfiltration

The following are descriptions of the remaining the start_instance() function:

Figure 18 – Remaining code snippet of the start_instance() function

  • The RAT checks if the registry value with the name “uid + ‘h’ exists and if the system uptime is less than 600 seconds. If not, it terminates processes and deletes browsing history for web browsers such as Internet Explorer, Firefox, Chrome, and Yandex.

Once the browser history has been cleared successfully, the uid + ‘h’ registry value is updated to 1 to avoid repeating the process during the same session.

The following figure displays the updated registry key after clearing the browser history.

Figure 19 – C&C communication

  • The loop checks the existence of registry values such as uid + ‘t’ and uid +’z’.

If the registry key contains uid+’z’, the script will terminate, and the RAT operation will be stopped. If the registry key contains uid + ‘t’, it sleeps for 300,000 milliseconds (5 minutes) before reconnecting to the server.

  • After gathering the captured stolen information, the RAT sends it to the C&C server.

The code and the corresponding values sent to the server are displayed in the figure below.

Figure 19 – C&C communication


DarkWatchman RAT showcases a new spreading technique through phishing sites, indicating that TAs are constantly innovating and using new methods to compromise systems. With the rise in the number of DarkWatchman samples being detected in the wild, the malware may be increasingly used in future cyberattacks.

Furthermore, using the Windows Registry as a storage mechanism for fileless malware is noteworthy, as it can evade detection by traditional antivirus software that relies on scanning files. DarkWatchman’s keylogger is an example of such fileless malware to avoid detection.

Cyble Research and Intelligence Labs continue to monitor the activity of DarkWatchman RAT and other malware and will provide timely updates to our readers.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: 

Safety Measures Needed to Prevent Malware Attacks

  • Do not open suspicious links in emails
  • Do not download the software from untrusted sources
  • Use a reputed antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity

Users Should Take the Following Steps After the Malware Attack

  • Detach infected devices on the same network 
  • Disconnect external storage devices if connected 
  • Inspect system logs for suspicious events 

Impact And Cruciality of Malware

  • Additional malware can be dropped into the system
  • Infected systems could attack other systems
  • Loss of valuable data 
  • Loss of the organization’s reputation and integrity 
  • Loss of the organization’s sensitive business information 
  • Disruption in organization operation 
  • Monetary loss 

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name 
Initial AccessT1566Phishing
Command and Scripting Interpreter
User Execution
Defense EvasionT1140
Deobfuscate/Decode Files or Information
Hidden Window
PersistenceT1053Scheduled Task/Job
Query Registry  
Account Discovery  
System Information Discovery
Input CaptureT1056/001Input Capture: Keylogging
Command and Control  T1071 Application Layer Protocol  

Indicators of Compromise (IOCs)

Indicators Indicator  
.rar file
Obfuscated JS file
 DynamicWrapper dll

Comments are closed.

Scroll to Top