DarkComet (often detected as DarkKomet) is one of the most infamous and widely used Remote Access Trojans (RATs) in history. Originally developed in 2008 as a legitimate Remote Administration Tool, its powerful surveillance capabilities, ease of use, and free availability led to its massive adoption by cybercriminals, script kiddies, and APT groups. It provides an attacker with complete, stealthy, interactive control over a victim's Windows machine.
Infection Vector and Technical Capabilities
DarkComet is distributed via virtually every known vector: spear-phishing emails, malicious torrents (disguised as game cracks or software), malicious links in Discord/Skype, and drive-by downloads.
Once installed, it operates as a full-featured espionage platform:
Total Surveillance: The RAT allows the attacker to secretly view the victim's webcam, listen to the microphone, capture the desktop screen in real-time, and log every keystroke (keylogger).
System Administration: The attacker has full GUI-based control over the file system (upload/download/execute), can edit the Windows Registry, manage running processes, and open remote command shells (cmd.exe).
DDoS and Network Abuse: DarkComet clients can be clustered together by the "botmaster" to launch coordinated Distributed Denial of Service (DDoS) attacks, or utilized as proxy nodes to mask the attacker's true IP address when attacking other targets.
Threat Assessment
A DarkComet infection represents a total and catastrophic compromise of the endpoint. The attacker possesses the same level of access as the logged-in user (often SYSTEM level) and can steal any data, deploy ransomware, or pivot to attack the rest of the corporate network.
Incident Response and Remediation
Immediate Network Severance: The endpoint must be physically disconnected from the network immediately to kill the active remote session and halt the live exfiltration of video, audio, and files.
Incident Containment (Lateral Movement): Incident responders must assume the attacker used the DarkComet beachhead to move laterally. Scrutinize Active Directory authentication logs and internal firewall traffic to ensure the attacker did not compromise other servers.
Total Re-imaging and Credential Wipe: The machine is completely untrusted and must be wiped to bare metal. All credentials used on that machine must be reset globally.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1071.001T1056.001T1125
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.