DarkKomet, also known as DarkComet, is a well-known remote access trojan originally developed as legitimate remote-administration software but widely repurposed for malicious surveillance and credential theft. Notable for its use in surveillance campaigns against journalists and activists in the early 2010s, DarkComet provides keylogging, webcam capture, file transfer, and a remote shell. Its development was officially discontinued in 2012, but the publicly available builders remain in widespread use.
This family has been observed using the following ATT&CK techniques: T1056.001, T1547.001, T1125.
DarkKomet (DarkComet) is distributed through cracked-software bundles, malicious email attachments, and underground RAT marketplaces despite its original developer ceasing distribution in 2012.
Webcam or keystroke logging indicators, hidden processes, persistence via Run registry keys, and antivirus alerts for DarkComet or Fynloski are common signs.
If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/darkkomet.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families extracted from the EMBER 2018 benchmark. The catalog is also published on Hugging Face and Kaggle.