Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center Wi‑Fi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. [1]

ID: G0012
Aliases: Darkhotel
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1116 | Code Signing | Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. [1]
Enterprise | T1056 | Input Capture | Darkhotel uses a sophisticated keylogger. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Darkhotel has been known to establish persistence by adding programs to the Run Registry key. [1]
Enterprise | T1091 | Replication Through Removable Media | Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers. [1]
Enterprise | T1080 | Taint Shared Content | Darkhotel uses a virus that propagates by infecting executables stored on shared drives. [1]
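The two techniques above that leave the most direct host artifact are Run-key persistence (T1060) and the use of stolen or weak-key code-signing certificates (T1116). The PowerShell below is an added hunting example, not part of the ATT&CK entry or the cited report: it enumerates the HKLM and HKCU Run/RunOnce keys, resolves the executable each value launches, and checks its Authenticode status and RSA signing-key size. The 2048-bit threshold and the helper name Get-ImagePathFromCommand are assumptions made for this example.

```powershell
# Added hunting example (not from the ATT&CK page): list Run-key persistence entries
# and check the Authenticode status and RSA key size of each referenced binary.
# Read-only; run from an elevated prompt so HKLM values are readable.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption for this example: an RSA signing key below this size is treated as weak
# (a certificate "forged due to weak keys" implies the private key was recovered).
$MinRsaBits = 2048

function Get-ImagePathFromCommand {
    # Extract the executable path from a Run-key command line (hypothetical helper).
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        # Quoted path: everything up to the closing quote
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted path may contain spaces, so stop at the first ".exe" token
    $m = [regex]::Match($cmd, '^(.+?\.exe)\b', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $command = $item.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($command)) { continue }
        $path = Get-ImagePathFromCommand $command
        $status = 'FileMissing'; $signer = $null; $bits = $null
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($sig.SignerCertificate)
                if ($rsa) { $bits = $rsa.KeySize }
            }
        }
        # Flag unsigned or broken signatures, missing files, and RSA keys below the threshold
        $suspicious = ($status -ne 'Valid') -or ($null -ne $bits -and $bits -lt $MinRsaBits)
        [pscustomobject]@{
            Key        = $key
            ValueName  = $name
            Command    = $command
            ImagePath  = $path
            SigStatus  = $status
            Signer     = $signer
            RsaBits    = $bits
            Suspicious = $suspicious
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A Valid status only means the signature chains to a root the host trusts; a binary signed with a stolen certificate will pass this check, so the Signer column still needs to be compared against what is expected on the host. Commands that reference a bare executable name (for example rundll32.exe with a DLL argument) are not resolved against PATH here and will show as FileMissing; the DLL named in such a command line is the artifact to inspect next. HKCU entries are only enumerated for the user running the script.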