Cybercriminals are constantly looking for new ways to steal money, and cryptocurrency, Bitcoin in particular, has become a major target. Recently, a sample of an old piece of spyware, DarkComet RAT, was found hidden inside a file posing as a legitimate Bitcoin wallet or trading program.
The malware was discovered and analysed by Point Wild’s Lat61 Threat Intelligence Team. DarkComet is a Remote Access Trojan (RAT), a tool that gives an attacker full, covert control of a victim’s computer. Its feature set ranges from recording every keystroke (keylogging) to stealing files, watching the victim through their webcam, and controlling the desktop remotely.
Disguised and Dangerous
DarkComet was originally released in 2008 and later discontinued by its creator, but builds of it remain widely available to criminals. The tool was also referenced in WikiLeaks’ Vault 7 release, and it is well documented that the Syrian government under President Bashar al-Assad used DarkComet to compromise the devices of its own citizens.
The sample analysed was delivered inside a RAR archive, a common way for attackers to slip past security filters that do not inspect archive contents and to make the user extract and open the file themselves. Upon extraction, the archive yielded an executable named “94k BTC wallet.exe”.
Further probing revealed a key detail: the executable was packed with UPX, a widely used executable packer. Packing compresses the original program and wraps it in a small decompression stub, so the file is smaller and the malicious code is not visible in plain form until the stub unpacks it in memory. That is enough to defeat simple signature-based tools that only inspect the file on disk.
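One quick static check a triage analyst runs before detonating a sample is to walk the PE section table: an untouched UPX build names its sections UPX0 and UPX1, and the compressed body has near-maximal entropy. The script below is an added example, not the Lat61 team's tooling. It parses the section headers from raw bytes and flags UPX names, high-entropy sections, and the "empty on disk, large in memory" section UPX unpacks into. The two sample images it inspects are constructed in the script itself with a minimal PE builder; they are not bytes from "94k BTC wallet.exe". The entropy threshold and the UPX section-name list are assumptions.

```python
"""Static triage for UPX-packed PE files: section names plus per-section entropy.

Added example, not Point Wild's tooling. PACKED_SAMPLE and BENIGN_SAMPLE are
constructed here with a minimal PE32 builder (headers only, not loadable binaries).
"""
import hashlib
import math
import struct
import sys

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # assumed default names of an unmodified UPX build
HIGH_ENTROPY = 7.0                             # assumed threshold, bits per byte; compressed data sits near 8.0


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[dict]:
    """Walk the COFF section table of a PE image and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def assess_packing(pe: bytes) -> dict:
    """Flag UPX section names and high-entropy sections; together they strongly suggest packing."""
    secs = parse_sections(pe)
    upx = [s["name"] for s in secs if s["name"] in UPX_SECTION_NAMES]
    hot = [s["name"] for s in secs if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY]
    # UPX0 has no bytes on disk but a large virtual size: the stub writes the
    # decompressed original image there at run time. That gap is a second tell
    # that survives a simple rename of the sections.
    empty_big = [s["name"] for s in secs if s["raw_size"] == 0 and s["virtual_size"] > 0]
    return {
        "sections": secs,
        "upx_sections": upx,
        "high_entropy_sections": hot,
        "empty_virtual_sections": empty_big,
        "likely_packed": bool(upx) or (bool(hot) and bool(empty_big)),
    }


def build_pe(sections: list[tuple[str, int, bytes]]) -> bytes:
    """Build a minimal PE32 image for testing (constructed data, not a runnable binary)."""
    e_lfanew, opt_size = 0x40, 0xE0
    table_off = e_lfanew + 4 + 20 + opt_size
    raw_off = (table_off + 40 * len(sections) + 0x1FF) & ~0x1FF
    hdr = bytearray(raw_off)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x10B)  # PE32 optional-header magic
    body, vaddr = bytearray(), 0x1000
    for i, (name, vsize, data) in enumerate(sections):
        rawptr = raw_off + len(body) if data else 0
        struct.pack_into("<8sIIIIIIHHI", hdr, table_off + 40 * i, name.encode().ljust(8, b"\0"),
                         vsize, vaddr, len(data), rawptr, 0, 0, 0, 0, 0x60000020)
        body += data
        vaddr += (max(vsize, 1) + 0xFFF) & ~0xFFF
    return bytes(hdr) + bytes(body)


def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


PACKED_SAMPLE = build_pe([
    ("UPX0", 0x20000, b""),                          # empty on disk, filled at run time
    ("UPX1", 0x1000, pseudo_random(4096, b"upx1")),  # compressed original image
    (".rsrc", 0x200, b"\0" * 256 + b"ICON" * 64),
])
BENIGN_SAMPLE = build_pe([
    (".text", 0x1000, (b"\x55\x8b\xec\x83\xec\x10\x90\x90\xc3" * 500)[:4096]),
    (".rdata", 0x400, b"kernel32.dll\0CreateFileW\0" * 40),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_SAMPLE
    for s in assess_packing(data)["sections"]:
        print(f"{s['name']:<8} raw={s['raw_size']:>7} virt={s['virtual_size']:>7} H={s['entropy']}")
    print("likely packed:", assess_packing(data)["likely_packed"])
```

Treat the result as a hint, not a verdict: section names are trivially renamed, and a legitimate installer with embedded compressed resources also scores high on entropy. The point of spotting UPX early is that an unmodified build can be unpacked with `upx -d` to recover the original image for signature matching and static analysis, which is exactly the step the packing was meant to frustrate.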
The Attackers’ Goal
Once a victim is tricked into running the file, the DarkComet RAT begins its work immediately. It writes a copy of itself to a hidden system folder and creates an autostart entry so that the copy is launched every time the computer boots, giving it persistence.
The malware then attempts to reach its command-and-control server at kvejo991.ddns.net, a free dynamic-DNS hostname, over port 1604, DarkComet’s default port, to check in with the attacker and receive commands. The operator’s goal was clear from the keylogging activity: the RAT recorded all of the victim’s keystrokes and saved them in a local folder called dclogs. Those logs can easily contain passwords, bank details and, most critically, the credentials for Bitcoin wallets, leading directly to financial loss.
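The persistence, beaconing and keylogging steps above each leave a trace in endpoint telemetry, and it is the combination on one process that separates a RAT from a noisy installer. The script below is an added example, not Point Wild's detection content. It runs four rules over constructed, Sysmon-like events and then correlates hits by process ID. The C2 hostname, the port and the dclogs folder come from the article; every other path, key name and address in the sample events is an invented placeholder, and the dynamic-DNS suffix list is an assumption to extend locally.

```python
"""Hunt the DarkComet behaviours described above over endpoint telemetry.

Added example, not Point Wild's tooling. EVENTS is constructed sample telemetry
in a simplified Sysmon-like shape. Only the C2 host, port 1604 and the dclogs
folder are taken from the article; the rest are placeholders.
"""
import re

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Free dynamic-DNS providers commonly abused for RAT C2 (assumed list; extend as needed).
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org", ".hopto.org")
DARKCOMET_DEFAULT_PORT = 1604


def rule_run_key(ev):
    """Autostart entry whose target binary lives in a user-writable directory."""
    if ev["type"] == "registry" and RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["data"]):
        return f"Run key {ev['key']} -> {ev['data']}"


def rule_dyndns(ev):
    """DNS lookup of a hostname under a free dynamic-DNS provider."""
    if ev["type"] == "dns" and ev["query"].lower().endswith(DYNDNS_SUFFIXES):
        return f"dynamic-DNS lookup {ev['query']}"


def rule_port(ev):
    """Outbound connection on DarkComet's default listener port."""
    if ev["type"] == "network" and ev["dst_port"] == DARKCOMET_DEFAULT_PORT:
        return f"outbound {ev['dst']}:{ev['dst_port']}"


def rule_dclogs(ev):
    """File written under a folder named dclogs, where DarkComet stores keystroke logs."""
    if ev["type"] == "file" and re.search(r"\\dclogs\\", ev["path"], re.IGNORECASE):
        return f"keylog artefact {ev['path']}"


RULES = {
    "persistence_run_key_userwritable": rule_run_key,
    "c2_dyndns_lookup": rule_dyndns,
    "c2_darkcomet_default_port": rule_port,
    "keylogger_dclogs": rule_dclogs,
}


def hunt(events):
    """Apply every rule to every event; return one alert per (rule, event) hit."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append({"rule": name, "pid": ev["pid"], "detail": detail})
    return alerts


def correlate(alerts, threshold=2):
    """Group hits by pid; a process tripping several independent rules is the real signal."""
    by_pid = {}
    for a in alerts:
        by_pid.setdefault(a["pid"], set()).add(a["rule"])
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= threshold}


# Constructed telemetry: pid 4120 plays the infected lure, pid 880 a benign updater.
EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Users\victim\Downloads\94k BTC wallet.exe", "parent": "explorer.exe"},
    {"type": "file", "pid": 4120, "op": "create", "path": r"C:\Users\victim\AppData\Roaming\WinUpd\winupd.exe"},
    {"type": "registry", "pid": 4120, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpd",
     "data": r"C:\Users\victim\AppData\Roaming\WinUpd\winupd.exe"},
    {"type": "dns", "pid": 4120, "query": "kvejo991.ddns.net"},
    {"type": "network", "pid": 4120, "dst": "203.0.113.7", "dst_port": 1604},
    {"type": "file", "pid": 4120, "op": "create", "path": r"C:\Users\victim\AppData\Roaming\dclogs\2025-10-01-1.dc"},
    {"type": "registry", "pid": 880, "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r"C:\Program Files\Vendor\Updater.exe"},
    {"type": "dns", "pid": 880, "query": "updates.vendor.example"},
    {"type": "network", "pid": 880, "dst": "198.51.100.20", "dst_port": 443},
]

if __name__ == "__main__":
    for a in hunt(EVENTS):
        print(f"pid {a['pid']:>5}  {a['rule']:<34} {a['detail']}")
    print("correlated:", correlate(hunt(EVENTS)))
```

Run stand-alone, only pid 4120 is reported, with all four rules on the same process. The port and hostname rules are the cheapest to evade (an operator can change the listener port in the builder and register any hostname), so the Run-key-from-a-user-writable-path and dclogs rules carry more weight; the correlation threshold is there so that a single dynamic-DNS lookup from a home user's legitimate software does not page anyone.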
This research was shared with Hackread.com. It is a clear illustration of old malware being repurposed with modern lures, and a reminder that cryptocurrency users should download wallets and trading tools only from verified, trusted sources.
The findings offer a critical warning for anyone involved in digital currency. As Dr. Zulfikar Ramzan, CTO of Point Wild, and Head of the Lat61 Threat Intelligence Team, explains: “Old malware never truly dies – it just gets repackaged. DarkComet’s return inside a fake Bitcoin tool shows how cybercriminals recycle classic RATs to exploit modern hype.”
