December 6, 2023

Researchers have come up with a suspicion that that Vietnam-based threat actors s are believed to be behind to attacks using DarkGate malware, which have targeted organizations in the UK, US, and India since 2018.

These attacks attributed to an active cluster of cybercriminals using the Ducktail infostealer, which has been used in recent campaigns targeting Meta business accounts. Both the campaigns have been linked together based on non-technical indicators observations

These include lure files, themes, targeting and delivery methods. For example, the initial vector is frequently a LinkedIn message, which redirects the victim to a malicious file on Google Drive.


Ducktail is an infostealer, and upon execution, it rapidly steals credentials and session cookies from the local device and sends them back to the attacker. It also has an additional Facebook-focused functionality, whereby if it locates a Facebook Business account session cookie, it will attempt to add the attacker to the account as an administrator.

DarkGate is a remote access trojan with infostealer functionality. Unlike Ducktail, it is stealthy, trying to achieve persistence. It is also used for a variety of purposes, including to deploy Cobalt Strike and ransomware. DarkGate also appears to be used by multiple unrelated actors.

However, the DarkGate behavior which most closely resembles and overlaps with the Ducktail campaigns is likely to be the same Vietnamese threat actor cluster. Researchers have analyzed associated metadata, including LNK File metadata, PDFs created using the Canva design service/tool and MSI files created using an unlicensed version of EXEMSI. The functions of both the payloads differs significantly.

The researchers have also linked the Lobshot and Redline Stealer malware to the same Vietnam-based threat actors. The growth of cybercrime-as-a-service (CaaS) industry is exponential and has made it harder to identify the groups behind specific campaigns.


DarkGate has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam. The flip side of this is that actors can use multiple tools for the same campaign, which could obscure the true extent of their activity from purely malware-based analysis.

This research was documented by the researchers from WithSecure

Indicators of Compromise

  • hxxp://80.66.88[.]145:7891/
  • hxxp://80.66.88[.]145:9999/
  • hxxp://162.243.71[.]6/no_halt_7891.msi
  • hxxp://162.243.71[.]6/no_sec_no_startup51.msi
  • hxxp://162.243.71[.]6/persist.msi
  • hxxp://162.243.71[.]6/startup_persist_no_halt2840.msi
  • hxxp://80.66.88[.]145:2840/
  • hxxp://162.243.71[.]6/ais_to_sign.msi
  • hxxp://80.66.88[.]145:2351/
  • hxxp://80.66.88[.]145:2841/
  • hxxp://162.243.71[.]6/error_no_decoy_2840.msi
  • hxxp://162.243.71[.]6/all_enabled_vm_enabled7891.msi
  • hxxp://162.243.71[.]6/ais_binded_moderate_halt_vm_enabled_2840.msi
  • hxxp://5.34.178[.]21:2351/
  • hxxp://5.34.178[.]21:81/files/twitter.msi
  • hxxp://5.34.178[.]21:9999/
  • hxxp://149.248.0[.]82:2351/
  • hxxp://149.248.0[.]82:9999/
  • hxxp://162.243.71[.]6/no_halt_opts_enabled.msi
  • hxxp://179.60.149[.]3:9999/
  • hxxp://179.60.149[.]3:2351/
  • hxxp://185.143.223[.]64:2351/
  • hxxp://sanibroadbandcommunicton.duckdns[.]org:5864/
  • hxxp://sanibroadbandcommunicton.duckdns[.]org:9999/
  • hxxps://alianzasuma[.]com/wzxfh
  • hxxp://alianzasuma[.]com/wzxfh
  • 2c6af12f603743fcc3effdc24783c969c906816960fbfbf012974fc04722a679
  • e0d1b1b166ba025c918335b3733d908bb89ecbce776ee273941bfa38acbba765
  • e877f6398a85e428256352d6a82f4219eed939404a00aaeec9a98eb35a3e518f
  • 810e332e43e812aeb8aabca6bd0d00b693d20cbb61f486be28ce1287a337a4fa
  • e5b8de9d983f635947c25183efc9b490cf185388634cf937426e3cd1235b250e
  • ed362c7417996deec5ba3b2f41e0b0f907d701aea8b403cf3fa4050cbe3a21b6
  • 86717824da845b1537fb24583dd9825be1ea8e032d3f5758357d1da615e82567
  • 12b5711ace38966a9a6767fc331f835a3ee5b68d0f901aabf2c5d069d46f7b44
  • a959814cc4017c5c14969addb80c6967c8ad20650896005e4dd22d5dc54da614
  • 876ec4b014e5779d81af67d04fbb50ccfd965dcb8ea3283cdcb3817e8543c593
  • d80213cf11a387d8a443c022a8e46e1c881f319c966113a2d3cc565af665ca2c
  • cfc2a67960e2195ec06fc923122bf4a4ce6f4c734801914b1ff250abb564b398
  • f7cdbc96f1841f378706d0d609b29999d202801403807c23ac89c63224314d09
  • 2f2f9dc5b8dcce5c9f1261b8d693218017cf348240284820359cd8e86794b282
  • 117.0.194[.]195
  • 149.248.0[.]82
  • 158.160.81[.]26
  • 162.243.71[.]6
  • 167.114.199[.]65
  • 178.33.94[.]35
  • 179.60.149[.]3
  • 185.141.60[.]18
  • 185.143.223[.]64
  • 46.173.215[.]132
  • 5.188.87[.]58
  • 5.34.178[.]21
  • 66.42.63[.]27
  • 80.66.88[.]145
  • 82.117.252[.]140
  • 89.248.193[.]66
  • 94.228.169[.]123
  • 94.228.169[.]143

1 thought on “DarkGate Malware Attributed to Vietnam

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.