DarkGate: Opening Gates for Financially Motivated Threat Actors
ID: be82ac02-d146-5664-9c28-af0bd2c5c221
STIX ID: report--be82ac02-d146-5664-9c28-af0bd2c5c221
Feed Name: EclecticIQ
EclecticIQ analysts report on the DarkGate loader (including version 6.1.6), detailing its capabilities (hVNC, keylogging, rootkit, polymorphic shellcode), evolving delivery methods (LOLBAS, AutoIt scripts, DNS TXT, Google DoubleClick open redirect, MSI/CAB/ZIP distribution, DLL side‑loading), and operational use by financially motivated actors and ransomware affiliates targeting financial institutions; the blog provides technical analysis, IOCs, detection recommendations, and a YARA rule.
