Attackers leveraging Dark Utilities "C2aaS" Platform in Malware Campaigns


In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform.

Dark Utilities provides payloads consisting of code that is executed on victim systems, allowing them to be registered with the service and establish a command and control (C2) communications channel. The platform currently supports Windows, Linux and Python-based payloads, allowing adversaries to target multiple architectures without requiring significant development resources. During our analysis, we observed efforts underway to expand OS and system architecture support as the platform continues to see ongoing development activities occurring.

The platform, hosted on the clear internet and Tor network, offers premium access to the platform, associated payloads and API endpoints for 9.99 euros. At the time of writing, the platform had enrolled roughly 3,000 users, which is approximately 30,000 euros in income. Given the relatively low cost compared to the amount of functionality the platform offers, it is likely attractive to adversaries attempting to compromise systems without requiring them to create their own C2 implementation within their malware payloads. Almost immediately, we observed malware samples using this service in the wild as a way to establish C2 communications channels and establish remote access capabilities on infected systems. We've observed malware targeting Windows and Linux systems leveraging Dark Utilities.