DarkComet is a freely available remote access trojan (RAT) developed by independent programmer, “DarkCoderSC,” first observed in 2011, and is still considered to be one of the most common RATs used. It is marketed as a “tool” as opposed to a “trojan” as it is claimed to be for network administrator use; however, its functionality attracts hackers. The trojan uses Crypters to evade antivirus tools and can disable Task Manager, Registry Editor, Folder Options, Windows Firewall, and Windows User Account Control (UAC). DarkComet is also able to log keystrokes, provide file system access and remote control – including control of devices such as microphones and webcams, and has a distributed denial-of-service (DDoS) capability. Additionally, the trojan has a number of “fun functions” including, the Fun Manager – different types of fun functions, including: hiding the desktop, lock, task icons, sys tray icons, taskbar, start button, task manager, and open/close the CD tray. The remote desktop capability allows the attacker to see the active screen of the infected user as well as take control of the mouse and keyboard. DarkComet is most commonly spread through drive-by attacks and links on social networking sites. Systems can be protected by keeping them updated and using antivirus software.


  • January 2015: Hackers are using the hashtag #JeSuisCharlie to spread the DarkComet RAT. (Forbes)
  • March 2015: DarkComet RAT used against architecture companies in Denmark. (Softpedia)
  • August 2018: Fake "Shipping Docs" Malspam Distributing DarkComet. (BleepingComputer)

Technical Analysis

  • Trendmicro provides technical analysis, available here.
  • Malwarebytes provides additional technical details, available here.

One example of the DarkComet variant. Image Source: DarkCoder SC