DarkComet Malware
Written by: Lizzie Danielson
Published: 4/24/2026
What is DarkComet malware?
DarkComet is a Remote Access Trojan (RAT) designed to stealthily infiltrate systems and provide attackers with complete remote access to compromised devices. Its primary functions include keylogging, file exfiltration, and enabling surveillance through peripherals like webcams. Alternate names for DarkComet include "Backdoor.DarkComet" and "Fynloski." Due to its accessibility and range of capabilities, it is considered highly dangerous, especially to users without robust security defenses.
When was DarkComet first discovered?
DarkComet was first developed and released in 2008 by a developer known as "DarkCoderSc." While originally intended as a legitimate administration tool, its misuse rapidly spread as attackers leveraged it for malicious purposes. Over time, its distribution became more nefarious, leading cybersecurity experts to classify it as harmful malware.
Who created DarkComet?
DarkComet was created by a French developer known as "DarkCoderSc." Although the tool was initially intended for legitimate administrative purposes, the creator later ceased its development and distanced themselves after observing its widespread misuse in malicious campaigns.
What does DarkComet target?
DarkComet primarily targets Windows-based systems. Its victims include individuals, small businesses, and larger organizations. Cyber threat actors have used DarkComet against specific industries, dissidents, journalists, and even during geopolitical conflicts. Notably, it has been exploited in campaigns targeting individuals in the Middle East.
DarkComet distribution method
DarkComet typically spreads via phishing emails, malicious attachments, and infected downloads. Attackers have also been known to deploy it through exploit kits or compromised web pages. Users downloading what they believe to be legitimate tools or software often unintentionally install DarkComet along with it.
Technical analysis of DarkComet malware
DarkComet uses a flexible architecture that enables threat actors to perform a variety of malicious actions. Once installed, the malware creates persistence mechanisms to evade detection, such as registry changes or scheduled tasks. After setting up persistence, it grants remote access to the attacker via a dedicated control panel. It can steal passwords, log keystrokes, hijack webcams, and initiate file downloads or deletions. Advanced evasion techniques allow it to avoid basic antivirus tools.
Tactics, Techniques & Procedures (TTPs)
MITRE ATT&CK mapping includes techniques like T1059 (Command and Scripting Interpreter) and T1105 (Remote File Copy).
Behavior includes establishing persistence through registry entries and masquerading as legitimate software.
Indicators of Compromise (IoCs)
IPs and domains used for Command and Control (C2) communications.
SHA-256 hashes of DarkComet executables.
Network activity to abnormal or suspicious domains.
Malware Guide
Our malware guide shows you how to shut down those infiltration paths before they ever become a crisis.
How to know if you’re infected with DarkComet?
Systems infected with DarkComet may exhibit unusual behavior, including significant slowdowns, unexpected modifications to files, unapproved webcam activity, or frequent, unexplained network connections to external servers. Users may also notice suspicious processes running in Task Manager or security alerts from antivirus software.
DarkComet removal instructions
While DarkComet can often be removed manually, relying on professional tools such as Endpoint Detection and Response (EDR) or Huntress remediation services is strongly recommended. Manual removal involves identifying and deleting associated system files and registry keys, then running a full antivirus scan. Isolating impacted systems from the network is crucial to prevent wider damage.
Is DarkComet still active?
DarkComet is no longer actively developed, but variants still circulate online and pose risks. Hackers and cybercriminals continue to launch attacks using modified versions of the malware. Vigilance against trojan infections remains critical in preventing such attacks.
Mitigation & prevention strategies
To mitigate DarkComet risks, organizations should focus on regular system patching, implementing multi-factor authentication (MFA), providing user awareness training against phishing, and maintaining robust endpoint monitoring. Huntress offers 24/7 monitoring and response tools designed specifically to detect and mitigate threats like DarkComet, ensuring systems remain secure.
Related educational articles & videos
DarkComet Frequently Asked Questions
Protect What Matters
