Cyber Threat Actor: DarkGate
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Viet Nam
|
2 incidents |
|---|
Profile
DarkGate is an alias used by a threat actor whose known location is Viet Nam. The actor first came to public attention through a cyberattack against VNDirect, a Vietnamese financial market entity, reported on March 24, 2024. This incident was noted as the first such cyberattack reported in Vietnam's financial sector. No further technical details about the attack were disclosed in the available sources.
A second publicly reported operation attributed to DarkGate occurred on December 20, 2022, targeting Thyssenkrupp's Materials Services division and parts of its Essen headquarters in Germany. At the time of disclosure, the intrusion was described as ongoing, with the company's IT security team detecting the breach and initiating containment via an interdisciplinary crisis team. The attack was explicitly attributed to organized criminal actors, although no immediate operational damage was confirmed. Other business units within the Thyssenkrupp conglomerate were reported to remain unaffected.
The available reporting does not specify any particular malware families, initial access vectors, or tooling styles associated with DarkGate's operations. Consequently, no concrete TTP themes can be derived from the supplied information. The lack of disclosed technical details limits insight into the actor's preferred methods or infrastructure. This absence of detail should be noted when assessing the actor's known capabilities.
Regarding attribution, the Thyssenkrupp incident provides a clear public link to organized criminal activity, while the VNDirect incident lacks any explicit attribution in the cited sources. No state nexus or affiliation with a larger criminal consortium is mentioned in the available material. Therefore, the actor's affiliations remain partially defined, with only the organized criminal label evident for one of the two known incidents.
The two incidents described— the VNDirect financial market breach and the Thyssenkrupp Materials Services intrusion—represent the only publicly reported operations linked to DarkGate in the provided context. These examples illustrate the actor's activity across different geographic regions and industry sectors, namely finance in Southeast Asia and manufacturing in Western Europe. No additional campaigns or date‑spanning series are referenced in the source material. This concludes the factual profile based solely on the information given.
