HomeWinBuzzer NewsDarkGate Malware Campaign Targets Microsoft Windows Zero-Day Vulnerability

DarkGate Malware Campaign Targets Microsoft Windows Zero-Day Vulnerability

Hackers exploited a Windows zero-day (CVE-2024-21412) to deliver DarkGate malware via fake software installers.


The Zero Day Initiative (ZDI) has identified a sophisticated cyber campaign exploiting a zero-day vulnerability in Windows, CVE-2024-21412. The exploit has been utilized in a series of attacks orchestrated by the Advanced Persistent Threat (APT) group Water Hydra, targeting users with fake software installers. Microsoft has addressed the vulnerability in its February 2024 Patch Tuesday security updates, and the U.S. and Infrastructure Security Agency (CISA) has subsequently added the flaw to its Known Exploited Vulnerabilities catalog.

The Exploit Mechanism and DarkGate Malware Deployment

The campaign leverages PDF documents containing Google DoubleClick Digital Marketing (DDM) open redirects. These redirects lead victims to compromised sites that host the exploit for CVE-2024-21412, effectively bypassing SmartScreen protections. It is worth noting that Microsoft sent out a patch for Windows SmartScreen last month. The exploit facilitates the delivery of malicious Microsoft (.MSI) installers, which are disguised as legitimate software applications, including iTunes, Notion, and , among others. These installers contain a sideloaded DLL file that decrypts and deploys the DarkGate malware onto the victims' systems.

DarkGate, a Remote Access Trojan (RAT) written in Borland Delphi, has been active since at least 2018. It is known for its wide array of capabilities, including process injection, file download and execution, information theft, shell command execution, and keylogging. The malware employs multiple evasion techniques to avoid detection and has been used by financially motivated threat actors in attacks across North America, Europe, Asia, and Africa. One such attack was an exploit of Microsoft Teams that was leveraging DarkGate for a phishing campaign. 

Implications and Recommendations

The use of open redirects and masqueraded installers in this campaign underscores the sophistication of the tactics employed by cybercriminals. The Zero Day Initiative emphasizes the importance of vigilance and advises users against trusting software installers received from unofficial channels. The discovery of this campaign highlights the ongoing risk posed by zero-day vulnerabilities and the necessity for prompt patching and updates to mitigate potential threats.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News