In the ever-shifting landscape of cyber threats, a new player has emerged with a sophisticated phishing campaign spreading the DarkGate malware. Since its inception in September, this campaign has evolved into a formidable force, now also disseminating PikaBot. This alarming development follows closely on the heels of the last observed QakBot activity, mirroring the insidious tactics of the infamous threat actors behind QakBot.

The recent silence of QakBot, following the FBI and Justice Department’s dismantling of its infrastructure in August, has been deafening. Yet, the parallels between QakBot’s methodologies and this new campaign are unmistakable. DarkGate and PikaBot, emerging just after QakBot’s dormancy, bear striking similarities in their deployment strategies, indicating a possible connection to the QakBot affiliates.

[Figure: The most common infection chain used in the campaign. Image: Cofense Intelligence]

These malware variants are not mere digital nuisances; they are advanced, highly evasive threats capable of delivering a spectrum of malicious payloads. DarkGate, first detected in 2018, is a multifaceted threat capable of crypto mining, credential theft, ransomware, and remote access. PikaBot, a newcomer spotted in 2023, serves as a sinister loader for additional malware, avoiding detection with an array of evasion techniques.

The campaign’s intricacy lies in its deceptive phishing tactics combined with anti-analysis techniques. It begins with hijacked email threads, luring users with URLs that download a JavaScript Dropper. This dropper then fetches and executes either DarkGate or PikaBot malware, marking the successful infection of the user’s machine.

The campaign’s inventiveness extends to its malware delivery mechanisms, featuring JavaScript Droppers, Excel-DNA Loaders, VBS Downloaders, and LNK Downloaders. These varied methods illustrate the campaign’s adaptability and its relentless pursuit of successful infections.
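As an added example that is not part of the original article or of Cofense's research, the following Python triage routine scans constructed Sysmon-style process-creation events for the script-based delivery mechanisms named above (JavaScript droppers, VBS downloaders and LNK downloaders); the field names, paths, sample events and the heuristics themselves are assumptions, not indicators from the campaign.

```python
import re
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows hosts for .js / .vbs scripts
SHELLS = {"cmd.exe", "powershell.exe"}          # common targets of a malicious .lnk
# Assumed user-writable locations where a downloaded file or extracted archive lands.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|INetCache|AppData\\Local\\Temp)\\", re.I)
# First quoted or unquoted token that ends in a script extension (unquoted paths
# containing spaces are truncated at the space, a known limitation).
SCRIPT_PATH = re.compile(r'"?([^"\s]+\.(jse|js|vbe|vbs))\b"?', re.I)
URL = re.compile(r"https?://", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Label an event as a suspected dropper/downloader launch, or None if benign."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    if image in SCRIPT_HOSTS:
        m = SCRIPT_PATH.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            return "javascript-dropper" if m.group(2).lower().startswith("js") else "vbs-downloader"
    # Explorer runs an opened .lnk's target directly; a shell child carrying a URL
    # on its command line is consistent with an LNK downloader (assumed heuristic).
    if parent == "explorer.exe" and image in SHELLS and URL.search(cmd):
        return "lnk-downloader"
    return None


def triage(events: list) -> list:
    """Return (EventId, label) pairs for every event classify() flags."""
    hits = []
    for e in events:
        label = classify(e)
        if label:
            hits.append((e["EventId"], label))
    return hits


# Constructed sample events shaped like Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice_4421\Document.js"'},
    {"EventId": 2, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" https://example.invalid/d'},
    {"EventId": 3, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Users\alice\AppData\Local\Temp\stage.vbs"},
    {"EventId": 4, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Program Files\Corp\inventory.vbs"},  # benign admin script
]

if __name__ == "__main__":
    for event_id, label in triage(SAMPLE_EVENTS):
        print(event_id, label)
```

Event 4 stays unflagged because the script runs from a non-user-writable path, which is the distinction a detection for this chain needs to make to avoid drowning in legitimate logon scripts.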

This campaign is a testament to the evolving sophistication of cyber threats. The threat actors behind it possess skills that transcend those of average phishers, making it imperative for employees to stay vigilant. As Cofense Intelligence continues to monitor this threat, the echoes of QakBot in this campaign serve as a stark reminder of the ever-present danger in the digital world.