Frequently Asked Questions

Threat Analysis & DarkWatchman Details

What is DarkWatchman and how does it operate?

DarkWatchman is a 'fileless' JavaScript Remote Access Trojan (RAT) paired with a C# keylogger. It is notable for its lightweight design, advanced evasion techniques, and use of the Windows Registry to avoid writing files to disk. The JavaScript RAT is under 32kb, and the keylogger is only 8.5kb. DarkWatchman uses LOLbins (Living Off the Land Binaries) and stores configuration and payloads in the registry, making detection difficult. It is capable of executing EXE/DLL files, running PowerShell and WMI commands, uploading files, and updating itself remotely. Source: Cymulate Threat Analysis, Dec 2021.

How was DarkWatchman delivered to its targets?

DarkWatchman was delivered via spearphishing emails, often using spoofed sender addresses and lures such as 'Free storage expiration notification.' The emails contained ZIP attachments with executable files disguised as documents. Upon execution, the malware installed itself using the Windows Registry and scheduled tasks for persistence. Source: Cymulate Threat Analysis, Dec 2021.

What fileless techniques does DarkWatchman use to evade detection?

DarkWatchman avoids detection by storing its configuration, payloads, and keylogger in the Windows Registry instead of writing files to disk. It uses LOLbins for execution, scheduled tasks for persistence, and deletes its installer after execution. These techniques make it difficult for traditional antivirus solutions to detect its presence. Source: Cymulate Threat Analysis, Dec 2021.

What are the main capabilities of DarkWatchman?

DarkWatchman can execute EXE and DLL files, run command-line, WSH, WMI, and PowerShell commands, evaluate JavaScript, upload files to its C2 server, update itself and the keylogger remotely, set autostart scripts, and delete shadow copies if run with admin privileges. Source: Cymulate Threat Analysis, Dec 2021.

How does DarkWatchman achieve persistence on infected systems?

DarkWatchman achieves persistence by creating a scheduled task that executes its JavaScript RAT at every user logon. It also stores its payloads and configuration in the Windows Registry, making it resilient to file-based detection and removal. Source: Cymulate Threat Analysis, Dec 2021.

What is the significance of DarkWatchman's use of the Windows Registry?

By storing its configuration, payloads, and keylogger in the Windows Registry, DarkWatchman avoids creating files on disk, which helps it evade detection by traditional security tools. This fileless approach is a hallmark of advanced malware. Source: Cymulate Threat Analysis, Dec 2021.

How does DarkWatchman use spearphishing for initial access?

DarkWatchman uses spearphishing emails with spoofed senders and convincing lures, such as notifications about expiring free storage, to trick recipients into opening malicious attachments. These attachments contain the malware, which installs itself upon execution. Source: Cymulate Threat Analysis, Dec 2021.

What is the role of the C# keylogger in DarkWatchman?

The C# keylogger is a lightweight component (8.5kb) that records keystrokes and stores them in the Windows Registry. It is deployed and executed by the JavaScript RAT, allowing attackers to capture sensitive information without writing files to disk. Source: Cymulate Threat Analysis, Dec 2021.

How does DarkWatchman remove traces of its installation?

After installation, DarkWatchman deletes its WinRAR SFX installer using the filename passed during execution. It also displays a fake error message to mislead users and avoid suspicion. Source: Cymulate Threat Analysis, Dec 2021.

What is the purpose of the Domain Generation Algorithm (DGA) in DarkWatchman?

The Domain Generation Algorithm (DGA) in DarkWatchman is used to generate new command-and-control (C2) domains, enhancing the malware's resiliency and making it harder for defenders to block its communications. Source: Cymulate Threat Analysis, Dec 2021.

How does Cymulate help organizations defend against fileless malware like DarkWatchman?

Cymulate's Exposure Management Platform enables organizations to simulate advanced threats, including fileless malware like DarkWatchman, across the full attack kill chain. By running continuous, automated attack simulations, Cymulate helps security teams validate their defenses, identify gaps, and prioritize remediation efforts against sophisticated threats. Source: Cymulate Platform Overview.

What are LOLbins and how does DarkWatchman use them?

LOLbins (Living Off the Land Binaries) are legitimate system tools abused by attackers to execute malicious actions without triggering security alerts. DarkWatchman uses LOLbins to execute commands and evade detection by blending in with normal system activity. Source: Cymulate Threat Analysis, Dec 2021.

How does Cymulate validate endpoint security against threats like DarkWatchman?

Cymulate validates endpoint security by simulating known malicious file samples, malicious behaviors, ransomware, worms, trojans, rootkits, DLL side-loading, and code injection techniques. This helps organizations assess their defenses against advanced threats, including fileless malware. Source: Cymulate Endpoint Security Validation.

What is the impact of fileless malware on traditional security controls?

Fileless malware like DarkWatchman can bypass traditional security controls that rely on file-based detection, as it operates primarily in memory and uses the registry for persistence. This makes continuous threat validation and advanced detection techniques essential for defense. Source: Cymulate Threat Analysis, Dec 2021.

How does Cymulate's platform support continuous threat validation?

Cymulate's platform offers 24/7 automated attack simulations, enabling organizations to continuously validate their security posture against the latest threats. This proactive approach helps identify vulnerabilities and improve defenses in real time. Source: Cymulate Platform Overview.

What are the main steps in DarkWatchman's installation routine?

DarkWatchman's installation routine checks the registry for prior installation, deletes its installer, moves the JavaScript RAT to the local app data folder, creates a scheduled task for persistence, copies the keylogger to the registry, and displays a fake error message to the user. Source: Cymulate Threat Analysis, Dec 2021.

How does Cymulate help organizations prioritize remediation efforts?

Cymulate uses AI-powered optimization and exposure analytics to prioritize remediation based on exploitability, business context, and threat intelligence. This ensures that security teams focus on the most critical vulnerabilities. Source: Cymulate Platform Overview.

What types of organizations benefit from Cymulate's platform?

Cymulate's platform is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across industries such as financial services, healthcare, retail, transportation, and media. It is suitable for organizations of all sizes, from small businesses to large enterprises. Source: Cymulate Target Audience.

How does Cymulate integrate with existing security tools?

Cymulate integrates with a wide range of security technologies, including EDR, SIEM, cloud security, and network security solutions. Examples include integrations with CrowdStrike Falcon, AWS GuardDuty, Akamai Guardicore, and Check Point CloudGuard. For a full list, visit Cymulate's Partnerships and Integrations page.

What compliance certifications does Cymulate hold?

Cymulate holds several key certifications, including SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to security, privacy, and compliance with international standards. Source: Cymulate Security & Compliance.

How quickly can Cymulate be implemented?

Cymulate is designed for rapid implementation. Customers report being able to deploy and start using the platform within minutes, thanks to its agentless mode and intuitive interface. Minimal resources and technical expertise are required. Source: Cymulate Customer Testimonials.

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a personalized quote, schedule a demo with Cymulate's team. Source: Cymulate Pricing Model.

How does Cymulate compare to other exposure validation platforms?

Cymulate differentiates itself with a unified platform that integrates Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics. It offers the industry's largest attack library, AI-powered optimization, and continuous innovation. For detailed comparisons with AttackIQ, Mandiant, Pentera, Picus, SafeBreach, Scythe, and NetSPI, visit Cymulate's competitor comparison pages.

What measurable outcomes have Cymulate customers achieved?

Cymulate customers have reported a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. These metrics are based on real-world deployments and case studies. Source: Cymulate Customer Success Metrics.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive interface, ease of deployment, and actionable insights. Testimonials highlight the platform's user-friendly dashboard and the quality of support provided. Source: Cymulate Customer Testimonials.

What types of threats can Cymulate validate?

Cymulate validates threats across the full kill chain, including phishing, malware, lateral movement, data exfiltration, and zero-day exploits, using daily updated threat templates and AI-generated attack plans. Source: Cymulate Threat Validation.

How does Cymulate support threat prevention?

Cymulate supports threat prevention by baselining defensive posture, continuously simulating adversarial behaviors, and providing insights into which threats are detected, blocked, or missed. This helps organizations proactively address vulnerabilities. Source: Cymulate Platform Overview.

What is Cymulate's approach to security and compliance?

Cymulate maintains a robust security program with certifications such as SOC2 Type II and ISO 27001. The platform is hosted in secure AWS data centers, uses strong encryption, and undergoes regular third-party audits and penetration tests. Cymulate is also GDPR compliant. Source: Cymulate Security & Compliance.

What is the business impact of using Cymulate?

Organizations using Cymulate typically see a 30% improvement in threat prevention, a 52% reduction in critical exposures, a 60% increase in operational efficiency, and an 81% reduction in cyber risk within four months. These outcomes are based on customer case studies and reported metrics. Source: Cymulate Business Impact.

How does Cymulate address the pain points of security teams?

Cymulate addresses pain points such as overwhelming threat volume, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers by providing a unified, automated, and evidence-based platform for continuous threat validation and exposure management. Source: Cymulate Pain Points.

What is Cymulate's mission and vision?

Cymulate's mission is to revolutionize cybersecurity by fostering a proactive approach to managing security threats. The company empowers organizations to manage their security posture effectively and improve resilience against threats through continuous validation and innovation. Source: Cymulate About Us.

What is the Threat Exposure Validation Summer Series?

The Threat Exposure Validation Summer Series highlights the importance of threat exposure validation in 2025. The video is titled "Threat Exposure Validation Summer Series: Threat Exposure Validation is a must have in 2025".


DarkWatchman - A new evolution in fileless techniques

December 19, 2021

PACT chose to base the investigation partially on the timestamps of VirusTotal submissions of the samples and relationships to the observed web infrastructure. Timeline analysis did indeed prove to be valuable, as full email messages were identified that included intact headers that allowed PACT analysts to identify a spoofed sender, what is likely the true sender, the intended recipient, the attachment that was identified as the ZIP file containing the malicious logic that functions as a dropper for the RAT, and the Russian-language subject and body of the email. Taken together, these observations indicate it is likely that this email is a targeted lure used to spearphish the recipient. The email's subject was "Free storage expiration notification" and was designed to appear as if it came from "ponyexpress[.]ru". The body of the email, machine translated from the original Russian and included in full later in this report, contained additional lure material that one would likely anticipate after reading the subject.

DarkWatchman is a 'fileless' JavaScript RAT paired with a C# keylogger. Both parts of the malware are lightweight, with the JavaScript coming in at just under 32kb and the compiled keylogger only taking up 8.5kb total. It contains several advanced, and notable, features that set it apart from most commodity malware. DarkWatchman heavily utilizes LOLbins and some novel methods of data transfer between modules to avoid detection. Various parts of DarkWatchman, including configuration strings and the keylogger itself, are stored in the registry to avoid writing to disk. The initial sample that PACT analyzed appears to be targeting a Russian-speaking person or organization, but the script itself is written with English variable and function names. Based on some of the features, PACT assesses with moderate confidence that this is an initial access tool for use by ransomware groups or affiliates.
PACT acquired the initial DarkWatchman sample from a VirusTotal API upload of an email message. The message was written in Russian and purported to be from PonyExpress, with an attached invoice. The email headers revealed that it was spoofed and sent from rentbikespb[.]ru. Scans from Shodan and other sources indicate that this domain was updated to point at a server instance hosted at OpenStack running Postfix and changed back to the original IP shortly after the email was sent. The email indicates that the target has a package that is being held for them and will exceed the free storage period soon, and instructs them to see the attached scanned copy of the "consignment note". The machine-translated body reads:

"This letter is to inform you that on November 16, 2021, the free storage period for consignment note #12-6317-3621 is about to expire. Since the recipient's phone number indicated in the shipment is not available, please contact us at +7-495-937-77-77 (multichannel). Please note that in case the item cannot be delivered and the receiver can not be reached by November 16, 2021 the item will be returned to the sender. A scanned copy of the consignment note completed by the sender is attached to this letter. Respectfully, Michael, PONY EXPRESS Account Manager, +7-495-937-77-77 ext. 308."

The email attachment is a zip archive named 'Накладная №12-6317-3621.zip' (translated: Invoice #12-6317-3621) which contains an executable with the same name. The executable's icon is set to appear to be a basic text document. This executable is a WinRAR SFX self-installing archive that contains two files: '134121811.js' (the JavaScript RAT) and '2204722946' (the C# source code for the keylogger). The WinRAR SFX configuration file contains comments in Russian and instructions to drop both files in %TEMP% before executing the .JS file with the name of the WinRAR SFX executable as a command line argument. Upon initial execution, the Windows Registry is checked to determine if DarkWatchman has already been installed.
The malware stores its configuration in 'HKCU\Software\Microsoft\Windows\DWM', using registry values whose names consist of a uid generated from the serial number of the C: drive with a single digit or character appended. Installation is denoted by uid + 0 (eg: abc1230): if the malware does not find a '1' flag in this value, it runs its install function. The install function proceeds to delete the WinRAR SFX executable using the filename passed to it during execution. It also moves the JS file to 'Shell.NameSpace(28)' ('ssfLOCALAPPDATA', i.e. 'AppData\Local') and creates a scheduled task to use WScript to execute the file at every user logon. The installation routine then copies the keylogger to the registry, sets the uid + 0 flag to 1 to indicate that installation was completed, and executes the scheduled task it created. The last step is a popup that informs the user "Unknown Format", giving the indication that the file is unreadable by the system to deflect from the 'scanned document' not opening.

When DarkWatchman is run and detects the presence of the "installed" flag, it begins regular operation. DarkWatchman is capable of most basic RAT functionality:

- Execute EXE files (with or without the output returned)
- Load DLL files
- Execute commands on the command line
- Execute WSH commands
- Execute miscellaneous commands via WMI
- Execute PowerShell commands
- Evaluate JavaScript
- Upload files to the C2 server from the victim machine
- Remotely stop and uninstall the RAT and keylogger
- Remotely update the C2 server address or call-home timeout

As well as some notable functionality:

- Update the RAT and keylogger remotely
- Set an autostart JavaScript to run on RAT startup
- A Domain Generation Algorithm (DGA) for C2 resiliency
- If the user has admin permissions, delete shadow copies using vssadmin.exe
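The two host artifacts described above (configuration and keylogger stored as values under HKCU\Software\Microsoft\Windows\DWM, and a logon-triggered scheduled task running a .js file through WScript from the local app data folder) can be hunted for with a short PowerShell script. This is an added example, not code from the PACT/Cymulate analysis; the 1 KB size threshold and the rule that genuine DWM settings are all small REG_DWORD values are assumptions of this script.

```powershell
# Added hunt script (not from the PACT/Cymulate write-up). Reports (1) non-DWORD
# or oversized values under the DWM key DarkWatchman uses for its config and
# keylogger, and (2) scheduled tasks that run a .js file via WScript from
# %LOCALAPPDATA%. Threshold and 'DWM values are all DWORDs' are assumptions.
function Find-DarkWatchmanArtifacts {
    $findings = @()
    $dwmPath  = 'HKCU:\Software\Microsoft\Windows\DWM'

    if (Test-Path -Path $dwmPath) {
        $key = Get-Item -Path $dwmPath
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            $data = $key.GetValue($name)
            $size = if ($data -is [byte[]] -or $data -is [string]) { $data.Length } else { 4 }
            # Assumption: legitimate DWM settings are small REG_DWORD colour and
            # composition flags, so string/binary data or anything over 1 KB is odd.
            if ($kind -ne 'DWord' -or $size -gt 1024) {
                $findings += [pscustomobject]@{
                    Type     = 'Registry'
                    Location = "$dwmPath\$name"
                    Detail   = "kind=$kind length=$size"
                }
            }
        }
    }

    $localAppData = [Environment]::GetFolderPath('LocalApplicationData')
    foreach ($task in Get-ScheduledTask) {
        # Logon triggers are CIM instances of MSFT_TaskLogonTrigger.
        $hasLogon = [bool]($task.Triggers |
            Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            $usesWScript = $cmd -match '(?i)\bwscript(\.exe)?\b'
            $jsFromLocal = ($cmd -match '(?i)\.js\b') -and
                           ($cmd -like "*$localAppData*" -or $cmd -match '(?i)%LOCALAPPDATA%')
            if ($usesWScript -and $jsFromLocal) {
                $findings += [pscustomobject]@{
                    Type     = 'ScheduledTask'
                    Location = "$($task.TaskPath)$($task.TaskName)"
                    Detail   = "$cmd (logon trigger: $hasLogon)"
                }
            }
        }
    }
    return $findings
}

Find-DarkWatchmanArtifacts | Format-Table -AutoSize
```

Run it in the context of the user whose profile is being checked, since both the DWM key and the scheduled task are created under HKCU and the logged-on user.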