A new wave of cyberattacks utilizing the Dark Crystal RAT (DCRat) backdoor has been targeting users since early 2025 through YouTube distribution channels.

Cybercriminals create or compromise YouTube accounts to upload videos advertising gaming cheats, cracks, and bots that appeal to gamers looking for advantages or free alternatives to paid software. Files of this kind are frequently used as bait in malware distribution campaigns precisely because of that appeal. When users download and extract these archives, they unknowingly install the DCRat Trojan alongside decoy files designed to mask the malicious activity taking place in the background.

The DCRat backdoor, known since 2018, provides comprehensive remote access capabilities and supports a plugin architecture for extended functionality. The DCRat builder plugins available on the attackers’ site illustrate the modular nature of the malware, which allows attack capabilities to be customized to the victim profile and the attackers’ objectives. Security analysis of 34 different plugins reveals dangerous capabilities including keystroke logging for capturing sensitive information, unauthorized webcam access for surveillance, systematic file theft, and extraction of stored credentials from browsers and applications.

Malware.News researchers identified that this campaign operates under a sophisticated Malware-as-a-Service (MaaS) model, with the cybercriminal group offering paid access to the backdoor, comprehensive technical support, and infrastructure setup for Command and Control (C2) servers. This business approach has enabled less technically skilled attackers to deploy advanced malware, significantly expanding the campaign’s reach and impact across gaming communities where users frequently seek unauthorized software modifications.

Telemetry data collected since the beginning of 2025 indicates that approximately 80% of DCRat infections using these distinctive domains have targeted users in Russia, with smaller numbers affecting users in Belarus, Kazakhstan, and China.

Security experts recommend downloading software only from official sources such as developer websites or authorized distribution platforms, as these channels implement verification processes to prevent malware distribution. Users should exercise extreme caution when downloading gaming-related software, especially unofficial cheats, cracks, or bots that promise free access to premium features.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 12 Mar 2025 14:15:21 +0000