Darkkomet

Category: rat · Aliases: RAT.DarkComet, Backdoor.Win32.DarkKomet, Trojan.DarkComet · Sample count (EMBER 2018): 801 · Enrichment: curated_sourced · Updated: 2026-07-02T07:47:42Z

Overview

Executive Summary

DarkComet (often detected as DarkKomet) is one of the most infamous and widely used Remote Access Trojans (RATs) in history. Originally developed in 2008 as a legitimate Remote Administration Tool, its powerful surveillance capabilities, ease of use, and free availability led to its massive adoption by cybercriminals, script kiddies, and APT groups. It provides an attacker with complete, stealthy, interactive control over a victim's Windows machine.

Infection Vector and Technical Capabilities

DarkComet is distributed via virtually every known vector: spear-phishing emails, malicious torrents (disguised as game cracks or software), malicious links in Discord/Skype, and drive-by downloads. Once installed, it operates as a full-featured espionage platform:

Threat Assessment

A DarkComet infection represents a total and catastrophic compromise of the endpoint. The attacker possesses the same level of access as the logged-in user (often SYSTEM level) and can steal any data, deploy ransomware, or pivot to attack the rest of the corporate network.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1071.001 T1056.001 T1125

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_DARKKOMET {
    meta:
        description = "Detects Darkkomet (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "darkkomet" ascii wide nocase
        $s2 = "rat.darkcomet" ascii wide nocase
        $s3 = "backdoor.win32.darkkomet" ascii wide nocase
        $s4 = "trojan.darkcomet" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Darkkomet Activity
id: cb98c6f555081694a46320ba8ebb6df6
status: experimental
description: Detects generic indicators of the darkkomet malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*darkkomet*"
            - "*rat.darkcomet*"
            - "*backdoor.win32.darkkomet*"
            - "*trojan.darkcomet*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is DarkComet?

A Windows remote administration tool and backdoor used to fully control and surveil an infected computer.

Is DarkComet still developed?

Official development stopped, but leaked versions continued to be used by various actors.

What can DarkComet do?

Remote control, keylogging, webcam capture, and credential theft.

What are DarkComet's other names?

Detection names include Fynloski and Krademok.

How does DarkComet spread?

Through phishing, malicious downloads, and bundling with other files.

Where is the authoritative reference?

MITRE ATT&CK's DarkComet entry (S0334), linked on this page.

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/darkkomet.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.