September 29, 2023

A new JavaScript based RAT dubbed DarkWatchman propagated via a social engineering campaign has been observed employing sneaky “fileless” techniques as part of its detection evasion methods to elude discovery and analysis.

The RAT utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self updating and recompilation, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools.


An interesting consequence of this novel development is that it completely obviates the need for ransomware operators to recruit affiliates, who are typically in charge of dropping the file-locking malware and handling the file exfiltration. Using DarkWatchman as a prelude for ransomware deployments also equips the core developers of the ransomware with better oversight over the operation beyond negotiating ransoms.

Distributed via phishing emails that provides a stealthy gateway for further malicious activity. The emails come attached with a purported invoice in the form of a ZIP archive that, in turn, contains the payload necessary to infect the Windows system.

The novel RAT is both a fileless JavaScript RAT and a C#-based keylogger, the latter of which is stored in the registry to avoid detection. Both the components are also extremely lightweight. The malicious JavaScript code just takes about 32kb, while the keylogger barely registers at 8.5kb.


The storage of the binary in the registry as encoded text means that DarkWatchman is persistent yet its executable is never written to disk; it also means that DarkWatchman’s operators can update the malware every time it’s executed.

Once after installation, DarkWatchman can execute arbitrary binaries, load DLL files, run JavaScript code and PowerShell commands, upload files to a remote server, update itself, and even uninstall the RAT and keylogger from the compromised machine. The JavaScript routine is also responsible for establishing persistence by creating a scheduled task that runs the malware at every user log on.

The keylogger itself does not communicate with the C2 or write to disk,Instead, it writes its keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server.


DarkWatchman has yet to be attributed to a hacking group, pointing out the malware’s exclusive targeting of victims located in Russia and the typographical errors and misspellings that were identified in the source code samples, raising the possibility that the operators may not be native English speakers.

Leave a Reply

%d bloggers like this: