A new campaign involving the DCRat backdoor has recently been uncovered, leveraging YouTube as a primary distribution channel.
Since the beginning of the year, attackers have been using the popular video-sharing platform to target users by creating fake or stolen accounts.
These malicious actors upload videos that appear to offer cheats, cracks, game bots, and other illicit software, enticing viewers to download these tools.
.png
)
However, the downloads instead contain a password-protected archive housing the DCRat Trojan.
How the Malware is Spread
The attackers post videos on YouTube with enticing titles and descriptions that advertise cheats and cracks for popular games.
The video descriptions include a link to a legitimate file-sharing service where the malicious software is hosted.
Once downloaded, the user finds a password-protected archive with junk files and folders designed to convince the victim that the download is legitimate. However, upon extraction, the archive reveals the DCRat backdoor alongside decoy files.
DCRat Backdoor Details
DCRat, also known as Dark Crystal RAT, is a remote access Trojan (RAT) that has been in circulation since 2018.
This malware is capable of downloading additional modules, significantly expanding its capabilities.
According to the SecureList report, Researchers have identified 34 plugins for DCRat, which include dangerous features such as keystroke recording, webcam access, file downloading, and password exfiltration. These functionalities pose a significant threat to user privacy and security.
To support their operations, the attackers register second-level domains, primarily in the RU zone, and create third-level domains that function as command and control (C&C) servers.
Notably, these domains often include words like “nyashka” or “nyashkoon,” terms popular in anime and manga fan communities.
Since the start of 2025, the group has registered at least 57 new second-level domains, with five of them hosting more than 40 third-level domains as C&C servers.
Victim Demographics
Based on telemetry data, Russian users have been the most affected, with DCRat samples downloaded to their devices in 80% of cases.
A smaller number of users from Belarus, Kazakhstan, and China have also encountered the malware.
Kaspersky Lab products successfully detect the DCRat samples with the verdict “Backdoor.MSIL.DCRat.”
It is crucial for users to exercise caution when downloading software, especially from untrusted sources, as this campaign illustrates the growing trend of using legitimate platforms for malicious activities.
Users are advised to download game products only from trusted sources to avoid falling victim to such malware distribution tactics.
Moreover, the involvement of password-protected archives in spreading malware highlights the sophistication and adaptability of attackers in evading detection.
Besides DCRat, other malware types such as stealers, miners, and downloaders are also distributed via similar methods, emphasizing the need for vigilance and the use of reliable security software.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
