Dark Utilities is a platform that acts as a C2-as-a-Service, enabling threat actors to establish C2, remote access, and other malicious capabilities without building their own infrastructure. It also supports DDoS, cryptomining, and cross-OS payload deployment, with hosting on Tor and IPFS for distributed control. #DarkUtilities #Inplex-sys #CiscoTalos #Lapsus$ #Discord #Tor #IPFS #dark-utilities.xyz
Keypoints
- Dark Utilities is a C2-as-a-Service platform created in 2022, offering C2, remote access, DDoS, and cryptomining to about 3,000 users at low cost.
- It supports multiple architectures (Windows, Linux, ARM64, ARMv7) and is expanding OS/system architecture coverage.
- Payloads are registered through the platform and executed on victim systems, establishing C2 channels and persistence.
- The service hosts C2 on the Tor network and the open internet, and stores/distributes data via IPFS.
- Administration is managed through a “Manager” panel with modules for DDoS, crypto mining, and command execution, plus a Discord-based authentication flow.
- Persistence is achieved through Windows Registry keys, Crontab entries, or Systemd services, depending on OS.
MITRE Techniques
- [T1071.001] Web Protocols – The platform enables C2 channels over the Tor network and the open internet. Quote: “Dark Utilities provides complete C2 capabilities on the Tor network and the open internet.”
- [T1090.003] Proxy – Use of the Tor network for C2 communications. Quote: “Dark Utilities provides complete C2 capabilities on the Tor network and the open internet.”
- [T1059.001] PowerShell – Command strings generated for Windows payload execution are typically placed into PowerShell scripts. Quote: “The platform generates a command string based on the operating system chosen, which threat actors generally put into PowerShell or Bash scripts to make it easier to retrieve and run the payload on victim systems.”
- [T1059.004] Unix Shell – Command strings are also placed into Bash scripts for payload retrieval and execution. Quote: “The platform generates a command string based on the operating system chosen, which threat actors generally put into PowerShell or Bash scripts to make it easier to retrieve and run the payload on victim systems.”
- [T1547.001] Registry Run Keys/Startup Folder – Persistence by generating a Registry key on Windows. Quote: “persist… by generating a Registry key on Windows…”
- [T1053.005] Cron – Persistence via Crontab entry on Linux. Quote: “a Crontab entry”
- [T1569.002] Systemd Service – Persistence via Systemd service on Linux. Quote: “a Systemd service on Linux.”
Indicators of Compromise
- [Hash] Hashes – Example hashes from the article's IoC list: 09fd574a005f800e6eb37d7e2a3ca640d3ac3ac7dbbde42cbe85aa9e877c1f7f, 0a351f3c9fb0add1397a8e984801061ded0802a3c45d9a5fc7098e806011a464, and other hashes from the referenced repository (many more listed in the article).
- [Domain] Domains – Examples include dark-utilities.xyz, dark-utilities.pw, dark-utilities.me. Onion domain example: ijfcm7bu6ocerxsfq56ka3dtdanunyp4ytwk745b54agtravj2wr2qqd.onion.pet. IPFS-related domain: bafybeidravcab5p3acvthxtwosm4rfpl4yypwwm52s7sazgxaezfzn5xn4.ipfs.infura-ipfs.io.
- [IOC Type] IPFS/Decentralized Hosting – IPFS-based hosting and distribution of payloads; the IPFS/Infura gateway domain above is an example of this hosting.
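A defender-side check for the indicators above, as an added example that is not taken from the article or the SOCRadar write-up: it scans constructed DNS query log lines for the listed Dark Utilities domains and, more generally, for IPFS-gateway CID subdomains and clearnet onion-gateway names of the same shape as the IPFS and .onion.pet examples. The log format, the two regexes and the gateway suffixes are assumptions.

```python
import re

# Constructed sample DNS query log (not from the article): "<timestamp> <client> <qname>"
SAMPLE_DNS_LOG = """\
2022-08-04T10:01:02Z 10.0.0.15 www.example.com
2022-08-04T10:01:09Z 10.0.0.15 dark-utilities.xyz
2022-08-04T10:02:11Z 10.0.0.22 bafybeidravcab5p3acvthxtwosm4rfpl4yypwwm52s7sazgxaezfzn5xn4.ipfs.infura-ipfs.io
2022-08-04T10:03:30Z 10.0.0.31 ijfcm7bu6ocerxsfq56ka3dtdanunyp4ytwk745b54agtravj2wr2qqd.onion.pet
2022-08-04T10:04:00Z 10.0.0.40 cdn.dark-utilities.pw
"""

# Domains listed in the IoC section above; subdomains of these are matched as well.
KNOWN_DOMAINS = {
    "dark-utilities.xyz", "dark-utilities.pw", "dark-utilities.me",
    "ijfcm7bu6ocerxsfq56ka3dtdanunyp4ytwk745b54agtravj2wr2qqd.onion.pet",
    "bafybeidravcab5p3acvthxtwosm4rfpl4yypwwm52s7sazgxaezfzn5xn4.ipfs.infura-ipfs.io",
}

# IPFS CIDv1 base32 labels start with "bafy" and are 59 characters; subdomain gateways
# expose them as "<cid>.ipfs.<gateway>". Lower confidence than an exact domain match.
IPFS_SUBDOMAIN = re.compile(r"^bafy[a-z2-7]{55}\.ipfs\.[a-z0-9.-]+$")
# Clearnet onion gateways (onion.pet and similar) expose a v3 onion address
# (56 base32 characters) as "<addr>.onion.<gateway>".
ONION_GATEWAY = re.compile(r"^[a-z2-7]{56}\.onion\.[a-z0-9.-]+$")


def classify(qname):
    """Return a verdict label for one queried name, or None if it is not suspicious."""
    q = qname.lower().rstrip(".")  # normalise case and trailing FQDN dot
    if q in KNOWN_DOMAINS or any(q.endswith("." + d) for d in KNOWN_DOMAINS):
        return "known-dark-utilities-domain"
    if IPFS_SUBDOMAIN.match(q):
        return "ipfs-gateway-cid"
    if ONION_GATEWAY.match(q):
        return "onion-gateway"
    return None


def scan_dns_log(text):
    """Return (timestamp, client, qname, verdict) for every flagged log line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = parts
        verdict = classify(qname)
        if verdict:
            hits.append((ts, client, qname, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(*hit)
```

The two regex verdicts are hunting leads, not confirmations: legitimate IPFS content and onion gateways exist, so correlate them with process and persistence telemetry before acting.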
Read more: https://socradar.io/dark-utilities-platform-provides-c2-server-for-threat-actors/