The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen
ID: d977145c-9b23-5008-84a6-14f56cf0fa75
STIX ID: report--d977145c-9b23-5008-84a6-14f56cf0fa75
Feed Name: McAfee Labs Blog
McAfee Labs documents an active DarkGate RAT campaign that delivers a Delphi payload through HTML/.url and XLS lures built to evade Microsoft Defender SmartScreen. The chain uses VBScript or PowerShell to download an AutoHotkey executable together with an AutoHotkey script; the script loads shellcode from a text file, which leads to DarkGate execution, persistence via a shortcut (LNK) in the Startup folder, and data exfiltration to identified C2 IP addresses. The report includes a detailed technical analysis of the loader and shellcode stages, behavioral artifacts, mitigation advice, and a table of IoCs (file hashes and IP addresses).
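The chain summarised above has two behavioural pivots a defender can hunt for without the report's hashes: an AutoHotkey interpreter started by a Windows scripting host (or running from a user-writable directory) and that same process dropping a .lnk into the Startup folder. The following is an added detection example, not McAfee's code or anything from the report; the telemetry is a constructed, Sysmon-like JSON-lines subset, and the field names, sample paths and the list of AutoHotkey binary names are assumptions for illustration.

```python
"""Detection logic for the DarkGate delivery chain summarised above.

Added example, not McAfee's code. Telemetry is a constructed, Sysmon-like
JSON-lines subset; field names, paths and file names are assumptions.
"""
import json

# Windows scripting hosts named by the summary as the downloader stage.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# Typical file names of the legitimate AutoHotkey interpreter (assumed list).
AHK_IMAGES = {"autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe", "autohotkey64.exe"}
# Directories a non-admin user can write to; a downloaded interpreter lands here.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
# Tail of the per-user Startup folder path, compared case-insensitively.
STARTUP_TAIL = r"\microsoft\windows\start menu\programs\startup"

# Constructed sample telemetry: a benign AutoHotkey launch from Explorer, a
# wscript.exe-spawned AutoHotkey running from Temp, and a .lnk it drops into Startup.
SAMPLE_LOG = r"""
{"type": "process_create", "pid": 1200, "image": "C:\\Program Files\\AutoHotkey\\AutoHotkey.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "AutoHotkey.exe hotkeys.ahk"}
{"type": "process_create", "pid": 3312, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "wscript.exe C:\\Users\\u\\Downloads\\invoice.vbs"}
{"type": "process_create", "pid": 3320, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\AutoHotkey.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "AutoHotkey.exe C:\\Users\\u\\AppData\\Local\\Temp\\script.ahk"}
{"type": "file_create", "pid": 3320, "target": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}
{"type": "file_create", "pid": 1200, "target": "C:\\Users\\u\\Documents\\notes.txt"}
"""


def parse(log):
    """Parse JSON-lines telemetry into event dicts, skipping blank lines."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def basename(path):
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) findings; events must be in chronological order."""
    findings = []
    ahk_pids = set()  # AutoHotkey processes seen so far, for correlating file writes
    for ev in events:
        if ev["type"] == "process_create":
            image = basename(ev["image"])
            parent = basename(ev.get("parent_image", ""))
            if image not in AHK_IMAGES:
                continue
            ahk_pids.add(ev["pid"])
            if any(m in ev["image"].lower() for m in USER_WRITABLE_MARKERS):
                findings.append(("ahk_from_user_writable_path", ev["pid"], ev["image"]))
            if parent in SCRIPT_HOSTS:
                findings.append(("ahk_spawned_by_script_host", ev["pid"],
                                 f"{parent} -> {image}: {ev['cmdline']}"))
        elif ev["type"] == "file_create" and ev["pid"] in ahk_pids:
            target = ev["target"]
            folder = target.rsplit("\\", 1)[0].lower()
            # Persistence pivot: an AutoHotkey process writing a shortcut into Startup.
            if target.lower().endswith(".lnk") and folder.endswith(STARTUP_TAIL):
                findings.append(("ahk_startup_lnk_persistence", ev["pid"], target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(parse(SAMPLE_LOG)):
        print(f"{rule:32} pid={pid} {detail}")
```

The benign launch (pid 1200) produces nothing because it runs from Program Files under explorer.exe and only writes a .txt; pid 3320 trips all three rules. Correlating file writes to previously seen AutoHotkey PIDs keeps the Startup rule from firing on ordinary shortcut creation by other software, at the cost of missing the case where the LNK is written by a different process in the chain.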
