ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > DarkCasino

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: DarkCasino

NamesDarkCasino (NSFOCUS)
MotivationFinancial gain
First seen2021
Description(NSFOCUS) In 2022, NSFOCUS Research Labs revealed a large-scale APT attack campaign called DarkCasino and identified an active and dangerous aggressive threat actor. By continuously tracking and in-depth study of the attacker’s activities, NSFOCUS Research Labs has ruled out its link with known APT groups, confirmed its high-level persistent threat nature, and following the operational name, named this APT group DarkCasino.

In August 2023, security vendor Group-IB followed up and disclosed a DarkCasino activity against cryptocurrency forum users, and captured a WinRAR 0-day vulnerability CVE-2023-38831 used by the APT threat actor DarkCasino in this attack.

NSFOCUS Research Labs analyzed the APT group DarkCasino’s attack activities in WinRAR vulnerability exploitation and confirmed its techniques and tactics; At the same time, NSFOCUS Research Labs also found a large number of attacks by known APT organizations and unconfirmed attackers when tracking the exploitation of WinRAR vulnerabilities. Most of these attacks targeted national governments or multinational organizations.
ObservedCountries: Armenia, Canada, Cyprus, France, Ireland, Malta, Philippines, Poland, Singapore, Spain, Switzerland.
Tools usedDarkMe, GuLoader, PikoloRAT.

Last change to this card: 30 November 2023

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]