ClickCease DarkGate Malware Campaign Exploits Patched Microsoft Flaw

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

DarkGate Malware Campaign Exploits Patched Microsoft Flaw

Wajahat Raja

March 27, 2024 - TuxCare expert team

The Zero Day Initiative (ZDI) by Trend Micro uncovered a phishing campaign that exploited a patched Microsoft flaw to infect devices with DarkGate malware. CVE-2024-21412 was the Microsoft patch that was exploited by using fake software installers. PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects were used to lure users to download the malicious Microsoft “.MSI” installers. 

Open redirect URLs from Google Ad technologies were used in this phishing campaign for the distribution of face Microsoft “.MSI” installers. A DLL file present in these fake Microsoft Software Installers was used to infect devices with the DarkGate malware. An Advanced Persistent Threat (APT) actor, Water Hydra, is believed to be behind the DarkGate malware campaign.

In this article, we will do a detailed DarkGate malware analysis and see what steps were taken to mitigate DarkGate infection. Let’s begin!


The DarkGate Malware Infection Chain

DarkGate malware campaign is one that’s carried out by threat actors in multiple steps. Learning what happens in each of these steps is essential when it comes to safeguarding against such threats. Let’s take a detailed look at each one. 

Open Redirect: Google DDM

Phishing attacks with DarkGate
were initiated by deploying an open redirect from the domain using a PDF file. The “adurl” parameter redirected the unsuspecting victims to a compromised server. The exploitation of CVE-2024-21412 could not be started without the victim selecting the “Download” button inside the PDF.

CVE-2024-21412 Exploitation

After being redirected to a compromised web server, the victims see the first.URL file. CVE-2014-21412 is exploited when the first.URL internet shortcut file redirects to another.URL file. The
“URL=” parameter is used by the internet shortcut file to direct the victim to the next stage of DarkGate malware infection. An attacker-controlled WebDAV server is the host now. The victims are then pointed to a “.MSI file” which contains a zip archive.

DarkGate Malware Installer

In this stage, a DLL file is sideloaded using a .MSI file. As for the DarkGate payload, it is decrypted and employed by an Autolt script. The
DarkGate malware is disguised as legitimate softwares such as Notion, Apple iTunes, NVIDIA, and other such softwares. 

The victim thinks that he or she is installing normal software on their device but, in fact, they are falling prey to the DarkGate malware campaign. A DLL sideloading technique is employed by DarkGate, through which a malicious DLL file is loaded. 

Patch Fixing by Microsoft

Although Microsoft fixed this zero-day flaw in its February 2024 Patch Tuesday updates, the Windows SmartScreen vulnerability had already been exploited by the APT actors by then in order to attack financial institutions by delivering the
DarkMe malware. Microsoft has asked the users to apply the fix at the earliest in order to protect themselves from the phishing campaign by Water Hydra


DarkGate malware
campaign that exploits a patched Microsoft flaw has rung the alarm bells for cybersecurity experts. It highlights that threat actors can use the cybersecurity risks linked with Google Ads technologies to broaden the scale of their phishing campaigns. It also highlights the importance of fixing such flawed patches as soon as possible to ensure protection and recovery from cyber threats.

The sources for this piece include articles in The Hacker News and TechRadar Pro.


DarkGate Malware Campaign Exploits Patched Microsoft Flaw
Article Name
DarkGate Malware Campaign Exploits Patched Microsoft Flaw
Hackers have exploited a patched Microsoft flaw to infect devices with the DarkGate malware. Learn more about this phishing campaign here!
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter