DarkWatchman is distributed through spam emails posing as a “Free storage expiration notification” from a Russian shipping company. Attached to each email is a ZIP archive presented as an invoice; that archive carries the malicious payload that subsequently infects the system. Once installed, the RAT serves as a gateway for follow-on infections and can also be used as a prelude to ransomware deployment.
The author of DarkWatchman remains unknown. There are, however, clues that the threat actor behind it is not a native English speaker, such as typographical errors and a victim base located in Russia. One of the known victims is a large organization based in Russia.