
New Stealthy DarkWatchman Malware Hides in the Windows Registry

A new malware named ‘DarkWatchman’ has emerged in the cybercrime underground, and it’s a lightweight and highly-capable JavaScript RAT (Remote Access Trojan) paired with a C# keylogger.

According to a technical report by researchers at Prevailion, the novel RAT is employed by Russian-speaking actors who target mainly Russian organizations.

The first signs of DarkWatchman’s existence appeared in early November as the threat actor began distributing the malware through phishing emails with malicious ZIP attachments.

Figure: Sample of phishing email used in DarkWatchman distribution (Source: Prevailion)

These ZIP file attachments contain an executable using an icon to impersonate a text document. This executable is a self-installing WinRAR archive that will install the RAT and keylogger.

Figure: Downloaded attachment contents (Source: Prevailion)

If opened, the user is shown a decoy popup message that reads “Unknown Format,” but in reality, the payloads have been installed in the background.

A stealthy ‘file-less’ RAT

DarkWatchman is a very light malware, with the JavaScript RAT measuring just 32kb in size and the compiled keylogger taking only 8.5kb of space.

It utilizes a large set of “living off the land” binaries, scripts, and libraries, and incorporates stealthy methods to transfer data between modules.

The fascinating aspect of DarkWatchman is its use of the Windows Registry fileless storage mechanism for the keylogger. 

Instead of storing the keylogger on disk, a scheduled task is created to launch the DarkWatchman RAT every time the user logs into Windows.

Figure: Scheduled task added for persistence (Source: Prevailion)

Once launched, DarkWatchman executes a PowerShell script that compiles the keylogger using the .NET CSC.exe compiler and launches it in memory.

“The keylogger is distributed as obfuscated C# source code that is processed and stored in the registry as a Base64-encoded PowerShell command. When the RAT is launched, it executes this PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it,” Prevailion researchers Matt Stafford and Sherman Smith explained in their report.

“The keylogger itself does not communicate with the C2 or write to disk. Instead, it writes its keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server.”

Figure: Base64 encoded PowerShell that compiles the keylogger (Source: Prevailion)

As such, the registry is not only used as a place to hide the encoded executable code, but also as a temporary location to hold stolen data until it’s exfiltrated to the C2.
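As an added example (not code from the Prevailion report or from this post), the following Python detector shows how a defender can hunt for the registry storage pattern just described: it parses a constructed .reg export and flags long Base64 string values that decode to PowerShell carrying compile-and-run markers such as Add-Type or csc.exe. The key path, value names and embedded script are placeholders, not real DarkWatchman artefacts; in practice the input would come from `reg export` of the user hives.

```python
import base64
import re

# Constructed sample: a .reg export in which one string value holds a
# Base64-encoded PowerShell command that compiles C# source in memory.
# Key path, value names and the script are placeholders, not real artefacts.
PS_SCRIPT = ("$src = (Get-ItemProperty HKCU:\\Software\\ExampleVendor).Src; "
             "Add-Type -TypeDefinition $src; [Stage]::Run()")
# powershell.exe -EncodedCommand expects Base64 over UTF-16LE text.
ENCODED = base64.b64encode(PS_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_REG = f'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\\Software\\ExampleVendor]
"Theme"="dark"
"Stage"="{ENCODED}"
"Buffer"="aGVsbG8gd29ybGQ="
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Tokens that betray a compile-and-run stage rather than ordinary settings.
INDICATORS = ("add-type", "csc.exe", "compileassemblyfromsource", "-encodedcommand")

def decoded_candidates(data):
    """Return plausible text decodings of a Base64 blob, or [] if it is not Base64."""
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:
        return []
    texts = []
    for enc in ("utf-16-le", "utf-8"):   # UTF-16LE first: that is what -EncodedCommand uses
        try:
            texts.append(raw.decode(enc))
        except UnicodeDecodeError:
            pass
    return texts

def find_suspicious_values(reg_text, min_len=64):
    """Return (key, value name) pairs whose data is a long Base64 blob decoding to compile-and-run PowerShell."""
    hits, key = [], ""
    for line in reg_text.splitlines():
        if line.startswith("["):
            key = line.strip("[]")
            continue
        m = VALUE_RE.match(line.strip())
        if not m or len(m["data"]) < min_len:
            continue          # short values cannot hold a useful script
        if any(tok in t.lower() for t in decoded_candidates(m["data"]) for tok in INDICATORS):
            hits.append((key, m["name"]))
    return hits
```

Values that decode cleanly but match no indicator are left alone, so a legitimate Base64-stored setting does not produce a hit; the keystroke buffer described above would show up as a value that changes between scans rather than through this check.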

In terms of the C2 communication and infrastructure, the DarkWatchman actors use DGA (domain generation algorithms) with a seeded list of 10 items to generate up to 500 domains daily.

This gives them excellent operational resilience, and at the same time, makes communication monitoring and analysis very challenging.

DarkWatchman’s functional capabilities are the following:

  • Execute EXE files (with or without the output returned)
  • Load DLL files
  • Execute commands on the command line
  • Execute WSH commands
  • Execute miscellaneous commands via WMI
  • Execute PowerShell commands
  • Evaluate JavaScript
  • Upload files to the C2 server from the victim machine
  • Remotely stop and uninstall the RAT and Keylogger
  • Remotely update the C2 server address or call-home timeout
  • Update the RAT and Keylogger remotely
  • Set an autostart JavaScript to run on RAT startup
  • A Domain Generation Algorithm (DGA) for C2 resiliency
  • If the user has admin permissions, it deletes shadow copies using vssadmin.exe

The ransomware hypothesis

Prevailion theorizes that DarkWatchman may be tailored by/for ransomware groups that need to empower their less capable affiliates with a potent and stealthy tool.

The malware can load additional payloads remotely, so it could be used as a stealthy first-stage infection for subsequent ransomware deployment.

Since DarkWatchman can communicate to actor-controlled domains after the initial foothold, the ransomware operator could take over and deploy the ransomware or handle the file exfiltration directly.

This approach would degrade the affiliate’s role to that of a network infiltrator and simultaneously make RaaS operations more clinical and efficient.
