Wednesday, May 7, 2025

DCRat Malware Spreading via YouTube to Steal Login Credentials


Cybersecurity researchers have identified a renewed wave of attacks involving the Dark Crystal RAT (DCRat), a dangerous remote access Trojan that has resurfaced through a Malware-as-a-Service (MaaS) model.

Attackers are actively targeting gamers by distributing malicious software disguised as gaming cheats and cracks, primarily through YouTube.

Malware Distribution Exploits YouTube Platform

The attackers behind DCRat have turned to YouTube as their primary distribution channel. They create fake or hijacked accounts to upload videos promoting supposed gaming cheats, cracks, bots, and similar software.


Each video description contains a download link pointing users to legitimate file-sharing services hosting password-protected archives.

YouTube video ad for a cheat and crack

The password itself is conveniently provided in the same description, making the process appear trustworthy.

However, instead of providing the promised gaming tools, these archives contain the DCRat malware hidden among various junk files and folders designed to distract victims.
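The lure described above relies on a password-protected archive padded with junk so that a victim (and a cursory scan) sees mostly harmless-looking files. A useful defender's caveat is that ZIP encryption protects member contents but not member names: the central directory is in the clear, so an archive can be triaged by listing it without the password and without extracting anything. The following is an added example, not code from the article or from any vendor; the archive is constructed in memory to mimic the layout the article describes (many junk files, one executable), and the suspicious-extension list is an assumption, not something the article specifies.

```python
import io
import os
import zipfile

# Extensions worth flagging in a "game cheat" archive; this list is an assumption for the example.
SUSPECT_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk", ".msi"}


def build_sample_archive() -> bytes:
    """Constructed sample (not a real lure): 21 junk/decoy files plus one executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(20):
            zf.writestr(f"assets/textures/tex_{i:02d}.dat", b"\x00" * 64)
        zf.writestr("README.txt", b"run the loader first")
        # Fake PE stub: only the 'MZ' magic, padded; constructed for the example.
        zf.writestr("bin/cheat_loader.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Inspect an archive by its central directory only.

    No member is extracted, so this works even when contents are password
    protected: names, sizes and the per-entry encryption flag are unencrypted.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        members = [i for i in infos if not i.is_dir()]
        # Bit 0 of the general-purpose flag marks an encrypted entry.
        encrypted = any(i.flag_bits & 0x1 for i in infos)
        suspects = [
            i.filename for i in members
            if os.path.splitext(i.filename.lower())[1] in SUSPECT_EXTENSIONS
        ]
        return {
            "member_count": len(members),
            "encrypted": encrypted,
            "suspect_members": suspects,
            # Share of members that are not executables: high values with a
            # single executable match the "junk-padded" layout in the article.
            "decoy_ratio": round(1 - len(suspects) / max(len(members), 1), 2),
        }


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```

The same listing logic applies unchanged to a real password-protected archive because nothing is decrypted; an analyst can therefore decide whether to open an archive in a sandbox before ever supplying the password from the video description.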

DCRat, also known as Dark Crystal RAT, first emerged in 2018 and has since evolved into a sophisticated threat.

The malware operates as a backdoor, allowing attackers remote access to infected devices.

Additionally, DCRat supports modular plugins that significantly enhance its capabilities.

Researchers have identified 34 distinct plugins associated with this malware family, including dangerous functionalities like keystroke logging, webcam spying, file theft, and password exfiltration.

DCRat builder plugins on the attackers’ site

Infrastructure Leveraging Anime-Themed Domains

To host command-and-control (C2) servers, cybercriminals have registered numerous second-level domains—primarily within Russia’s “.ru” domain zone—and created multiple third-level domains for operational use.

Since early 2025 alone, at least 57 new second-level domains have been registered by the attackers.

Interestingly, these domains frequently contain anime-inspired slang terms such as “nyashka,” “nyashkoon,” and “nyashtyan,” which resonate with fans of Japanese pop culture.

C2 server addresses with characteristic naming approach
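Because the report ties the infrastructure to second-level “.ru” domains built from a small set of slang tokens, with third-level names used operationally, the naming pattern is a practical hunting pivot over DNS logs. The block below is an added example, not code from the article or from Kaspersky: it parses constructed DNS query log lines in an assumed format (timestamp, client IP, queried name, query type), flags names whose second-level label in the .ru zone contains one of the three reported tokens, and groups hits by registrable domain so one third-level hit leads to the whole second-level domain. All domain names in the sample are placeholders.

```python
import re

# Constructed sample DNS query log (not from the article). Assumed line format:
# "<timestamp> <client_ip> <queried_name> <query_type>"
SAMPLE_DNS_LOG = """\
2025-05-06T10:01:12Z 10.0.0.21 update.nyashka-example.ru A
2025-05-06T10:01:40Z 10.0.0.21 www.example.com A
2025-05-06T10:02:03Z 10.0.0.33 cdn.nyashkoon-example.ru A
2025-05-06T10:02:15Z 10.0.0.33 mail.corp.example.ru MX
2025-05-06T10:02:50Z 10.0.0.33 nyashka.example.com A
2025-05-06T10:03:00Z 10.0.0.45 api.nyashtyan-example.ru A
2025-05-06T10:03:30Z 10.0.0.21 nyashtyan-example.ru A
"""

# Slang terms the article reports in the campaign's C2 domain names.
ANIME_SLANG_TOKENS = ("nyashka", "nyashkoon", "nyashtyan")

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def labels_of(qname: str) -> list[str]:
    """Lower-cased DNS labels with any trailing dot removed: 'a.b.ru.' -> ['a', 'b', 'ru']."""
    return qname.rstrip(".").lower().split(".")


def matching_tokens(second_level_label: str) -> tuple[str, ...]:
    """Every slang token that occurs inside the second-level label."""
    return tuple(t for t in ANIME_SLANG_TOKENS if t in second_level_label)


def scan_dns_log(log_text: str, zone: str = "ru") -> list[dict]:
    """Flag queries whose registrable (second-level) domain sits in `zone` and
    contains one of the slang tokens. Third-level names are reported together
    with their parent so an analyst can pivot from one hit to the whole domain."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the scan
        labels = labels_of(m["qname"])
        if len(labels) < 2 or labels[-1] != zone:
            continue  # the article ties the naming pattern to the .ru zone
        tokens = matching_tokens(labels[-2])
        if not tokens:
            continue
        findings.append({
            "client": m["client"],
            "qname": ".".join(labels),
            "second_level": ".".join(labels[-2:]),
            "tokens": tokens,
            "label_count": len(labels),  # 3 or more: an operational third-level name
        })
    return findings


def clients_per_domain(findings: list[dict]) -> dict[str, list[str]]:
    """Collapse hits to second-level domain -> sorted list of querying clients."""
    grouped: dict[str, set[str]] = {}
    for f in findings:
        grouped.setdefault(f["second_level"], set()).add(f["client"])
    return {d: sorted(c) for d, c in sorted(grouped.items())}


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_DNS_LOG)
    for h in hits:
        print(f'{h["client"]} -> {h["qname"]} (tokens: {", ".join(h["tokens"])})')
    print(clients_per_domain(hits))
```

Substring matching on slang terms will also catch legitimate fan sites, so this is a triage query that surfaces hosts for analyst review, not a blocking rule; the grouping step is what turns a single odd lookup into a list of clients to examine for the “Backdoor.MSIL.DCRat” detection the article mentions.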

Telemetry data indicates that Russia is the primary target of this campaign, with approximately 80% of detected infections occurring there.

Additional affected regions include Belarus, Kazakhstan, and China.

Kaspersky security solutions detect this malware as “Backdoor.MSIL.DCRat.”

Experts strongly advise users to download game-related software exclusively from trusted sources to avoid infection risks associated with password-protected archives distributed via unofficial channels.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
