A new wave of cyberattacks utilizing the Dark Crystal RAT (DCRat) backdoor has been targeting users since early 2025 through YouTube distribution channels.
Cybercriminals create or compromise YouTube accounts to upload videos advertising gaming cheats, cracks, and bots that appeal to gamers looking for advantages or free alternatives.
These videos include description links to legitimate file-sharing services hosting password-protected archives, with the passwords also provided in the description to create a false sense of legitimacy.
When users download and extract these archives, they unknowingly install the DCRat Trojan alongside decoy files designed to mask the malicious activity taking place in the background.
Malware.News researchers identified that this campaign operates under a sophisticated Malware-as-a-Service (MaaS) model, with the cybercriminal group offering paid access to the backdoor, comprehensive technical support, and infrastructure setup for Command and Control (C2) servers.
This business approach has enabled less technically skilled attackers to deploy advanced malware, significantly expanding the campaign’s reach and impact across gaming communities where users frequently seek unauthorized software modifications.
The DCRat backdoor, known since 2018, provides comprehensive remote access capabilities and supports a plugin architecture for extended functionality.
Security analysis of 34 different plugins reveals dangerous capabilities including keystroke logging for capturing sensitive information, unauthorized webcam access for surveillance, systematic file theft, and extraction of stored credentials from browsers and applications.
The infrastructure supporting these attacks reveals a distinctive pattern in domain naming that provides a fingerprint for the campaign.
Attackers register second-level domains, predominantly in the .RU zone, featuring terms like “nyashka,” “nyashkoon,” and “nyashtyan” – slang words recognizable to fans of Japanese pop culture meaning “cute” or “hon.”
Since January 2025, the group has registered at least 57 new second-level domains, with five already hosting more than 40 third-level domains for C2 servers.
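As an added example (not from the report or its authors), a small Python check that applies this naming fingerprint to DNS query logs from a defender's side: it flags .ru second-level domains whose label contains one of the tokens above and groups the third-level hosts seen under each. The log line format and every domain name below are constructed samples, not indicators from the campaign.

```python
"""Flag DNS queries whose .ru second-level domain contains a campaign naming
token and group the third-level hosts seen per second-level domain.
Everything in SAMPLE_LOG is constructed for illustration."""
from collections import defaultdict

# Naming tokens cited in the report; the .ru zone is the one it names as predominant.
TOKENS = ("nyashka", "nyashkoon", "nyashtyan")
TLD = "ru"

# Constructed sample lines in an assumed "timestamp client queried-name" format.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.0.0.5 api.nyashka-example.ru
2025-03-01T10:00:02Z 10.0.0.5 cdn.nyashka-example.ru
2025-03-01T10:00:03Z 10.0.0.7 update.nyashtyan-sample.ru
2025-03-01T10:00:04Z 10.0.0.9 www.example.com
2025-03-01T10:00:05Z 10.0.0.9 nyashkoon-test.ru
2025-03-01T10:00:06Z 10.0.0.5 api.nyashka-example.ru
"""


def registrable_ru_domain(host):
    """Return the second-level .ru domain of host, or None if host is not in .ru."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != TLD:
        return None
    return ".".join(labels[-2:])


def matches_naming_pattern(host):
    """True when the second-level label of a .ru host contains any campaign token."""
    sld = registrable_ru_domain(host)
    if sld is None:
        return False
    label = sld.split(".")[0]
    return any(token in label for token in TOKENS)


def scan(log_text):
    """Map each matching second-level domain to the set of full hostnames queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip malformed lines rather than guessing fields
            continue
        host = parts[2].lower().rstrip(".")
        if matches_naming_pattern(host):
            hits[registrable_ru_domain(host)].add(host)
    return dict(hits)
```

The per-domain host sets give the count of distinct third-level names, which is the signal the report describes (a handful of second-level domains each carrying many C2 subdomains).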
Telemetry data collected since the beginning of 2025 indicates that approximately 80% of DCRat infections using these distinctive domains have targeted users in Russia, with smaller numbers affecting users in Belarus, Kazakhstan, and China.
The DCRat builder plugins available on the attackers’ site, illustrating the modular nature of the malware that allows for customized attack capabilities based on the victim profile and the attackers’ objectives.
Protection Measures
Users should exercise extreme caution when downloading gaming-related software, especially unofficial cheats, cracks, or bots that promise free access to premium features.
These types of files are frequently used as bait in malware distribution campaigns due to their appeal to gamers seeking advantages or free alternatives to paid software.
Security experts recommend downloading software only from official sources such as developer websites or authorized distribution platforms, as these channels implement verification processes to prevent malware distribution.