Beware of Fake Bitcoin Tool That Hides DarkComet RAT Malware With it

The rise of cryptocurrency has created new opportunities for cybercriminals to exploit unsuspecting users.

Attackers are now disguising the notorious DarkComet remote access trojan as Bitcoin-related applications, targeting cryptocurrency enthusiasts who download tools from unverified sources.

This malware campaign demonstrates how old threats continue to resurface with modern social engineering techniques.

DarkComet RAT is a well-known remote access trojan that allows attackers to gain complete control over infected systems.

Despite being discontinued by its creator years ago, the malware continues to circulate in underground forums and remains highly effective.

It provides attackers with extensive capabilities including keystroke logging, file theft, webcam surveillance, and remote desktop control.

These features make it particularly dangerous for cryptocurrency users, as stolen credentials can lead directly to financial losses.

The malicious file analyzed in this campaign was distributed as a compressed RAR archive containing an executable disguised as “94k BTC wallet.exe.”

This delivery method helps attackers bypass email filters and reduces detection rates. The executable was packed with UPX (Ultimate Packer for Executables) to further evade antivirus software and hide its true nature from security analysis.

Point Wild security analysts identified the malware after investigating suspicious Bitcoin-related applications. The research team discovered that once extracted and executed, the fake Bitcoin tool immediately activates DarkComet’s full capabilities.

Instead of providing any legitimate cryptocurrency functionality, the malware begins establishing persistence on the infected system and attempts to communicate with its command-and-control server.

Technical Breakdown and Infection Mechanism

The malware establishes persistence by copying itself to %AppData%\Roaming\MSDCSC\explorer.exe and creating a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

File Info image (Source - Point Wild)

This ensures the malware executes automatically every time the system restarts. The image above shows the file information of the compressed RAR archive, while the one below shows the UPX packing structure visible in CFF Explorer.

UPX Packed (Source - Point Wild)

Analysis revealed the sample’s embedded configuration containing critical operational details.

The malware uses a mutex named DC_MUTEX-ARULYYD to prevent multiple instances from running simultaneously.

Network analysis showed attempted connections to the command-and-control server at kvejo991.ddns.net over TCP port 1604.

Although the C2 server was offline during testing, the repeated connection attempts confirmed active beaconing behavior consistent with DarkComet operations.

The unpacked executable revealed multiple standard PE sections, including .text, .data, and .idata.

The malware injects its payload into legitimate Windows processes like notepad.exe to perform keylogging and screen capture while remaining hidden.

Captured keystrokes are stored in log files with names like “2025-10-29-4.dc” before being exfiltrated through the C2 channel.

File hashes for detection include SHA256: 11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377 for the compressed archive and SHA256: 5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554 for the packed executable.
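The indicators above (the MSDCSC persistence path and Run key, the DC_MUTEX- mutex, the .dc keystroke log names, the kvejo991.ddns.net:1604 beaconing and the two SHA256 hashes) can be turned into a small host and network triage check. The script below is an added example written for this article; it is not Point Wild's tooling, and the record format, the beacon threshold and all sample records are constructed assumptions, not real telemetry. Beyond the exact values from the article it also flags the general DarkComet conventions (any DC_MUTEX- mutex name, repeated failed connects to TCP 1604, the YYYY-MM-DD-N.dc log naming).

```python
"""Triage check for the DarkComet indicators described in the article.
Added example, not Point Wild's code.  Record layout and sample data are
constructed for illustration."""
import re

# Indicators taken from the article.
C2_HOST = "kvejo991.ddns.net"
C2_PORT = 1604                      # also DarkComet's default listener port
MUTEX = "DC_MUTEX-ARULYYD"
PERSIST_DIR = r"%AppData%\Roaming\MSDCSC"
KNOWN_SHA256 = {
    "11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377": "RAR archive",
    "5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554": "packed executable",
}

# General DarkComet conventions: mutexes are named DC_MUTEX-<id>, keystroke
# logs are named YYYY-MM-DD-N.dc (the article's example is 2025-10-29-4.dc).
MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]+$")
KEYLOG_RE = re.compile(r"\d{4}-\d{2}-\d{2}-\d+\.dc$", re.IGNORECASE)

# Assumed threshold: this many failed connects to one host on 1604 counts as beaconing.
BEACON_THRESHOLD = 3

# Directory marker derived from PERSIST_DIR, e.g. "\msdcsc\"
_MSDCSC = "\\" + PERSIST_DIR.rsplit("\\", 1)[1].lower() + "\\"


def norm_path(path):
    """Normalise a Windows path for substring matching (we do not expand %AppData% here)."""
    return path.replace("/", "\\").lower()


def check_run_key(value_data):
    """A Run-key value launching anything under the MSDCSC directory is the persistence artefact."""
    if _MSDCSC in norm_path(value_data):
        return "persistence: Run key launches " + value_data
    return None


def check_mutex(name):
    if name == MUTEX:
        return f"mutex {name} matches the analysed sample"
    if MUTEX_RE.match(name):
        return f"mutex {name} follows the DarkComet DC_MUTEX- naming convention"
    return None


def check_hash(sha256):
    label = KNOWN_SHA256.get(sha256.lower())
    return f"hash matches known {label}" if label else None


def check_keylog(path):
    if KEYLOG_RE.search(path):
        return "keylog: DarkComet-style keystroke log " + path
    return None


def check_connections(conns):
    """conns: list of (dst_host, dst_port, outcome).  Groups attempts per destination,
    flags the known C2 and repeated failed connects to any host on port 1604."""
    by_dest = {}
    for host, port, outcome in conns:
        by_dest.setdefault((host, port), []).append(outcome)
    findings = []
    for (host, port), outcomes in by_dest.items():
        if host == C2_HOST and port == C2_PORT:
            findings.append(f"C2: {len(outcomes)} attempt(s) to known DarkComet server {host}:{port}")
        elif port == C2_PORT and len(outcomes) >= BEACON_THRESHOLD and all(o == "failed" for o in outcomes):
            findings.append(f"beaconing: {len(outcomes)} failed connects to {host}:{port} (DarkComet default port)")
    return findings


def triage(record):
    """record: dict with optional keys run_keys, mutexes, hashes, files, connections
    (constructed layout for this example).  Returns the list of findings."""
    findings = []
    for checker, key in ((check_run_key, "run_keys"), (check_mutex, "mutexes"),
                         (check_hash, "hashes"), (check_keylog, "files")):
        for item in record.get(key, []):
            hit = checker(item)
            if hit:
                findings.append(hit)
    findings.extend(check_connections(record.get("connections", [])))
    return findings


# Constructed sample host record: one benign and one suspicious entry per category.
SAMPLE = {
    "run_keys": [r"C:\Users\alice\AppData\Roaming\MSDCSC\explorer.exe",
                 r"C:\Program Files\Vendor\updater.exe"],
    "mutexes": ["DC_MUTEX-ARULYYD", "Global\\SomeAppMutex"],
    "hashes": ["5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554", "0" * 64],
    "files": [r"C:\Users\alice\AppData\Roaming\MSDCSC\2025-10-29-4.dc", r"C:\Users\alice\notes.txt"],
    "connections": [("kvejo991.ddns.net", 1604, "failed")] * 4 + [("update.example.com", 443, "ok")],
}

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Run against the constructed record it reports five findings, one per suspicious entry; the benign entries produce nothing. On a live host the same checks would be fed from the Run key enumeration, the process mutex list, file hashes and connection logs rather than from the embedded sample.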

Users should avoid downloading cryptocurrency tools from untrusted sources and maintain updated security software to detect such threats effectively.
