Skip to main content

Home DarkGate


Also known as: Meh, MehCrypter

Category: Malware

Type: Remote access trojan, loader, password-stealing virus, spyware, ransomware, crypto miner

Platform: Windows


Damage potential: Data theft, keylogging, crypto hijacking, financial loss, identity theft, chain infection


DarkGate is a malware family with several damage capabilities: it can extract sensitive data (saved credentials, passwords, or cookies) from browsers, record keystrokes, control the infected device remotely, download additional malware, or even mine cryptocurrency. DarkGate was first spotted in 2018 and has developed new infection techniques since then.

Possible symptoms

Here are the most common symptom of a DarkGate infection:

  • Unauthorized computer access or changes in system settings.
  • Unfamiliar programs or files.
  • A noticeable increase in browser redirects and pop-ups.
  • System slowdown.
  • Messages from external users on Skype or Microsoft teams with the attachments “Employees_affected_by_transition.Pdf.Lnk”, “Company_transformations.Pdf.Lnk”, or “C_onfidential Sign_ificant Company

Sources of infection

Initial versions of DarkGate spread through phishing emails and peer-to-peer networks. Over time, the malware adopted new techniques such as malvertising and SEO poisoning. In 2023, DarkGate also started sending phishing messages on Microsoft Teams and Skype.


Always browse with caution and keep your software updated to protect yourself from DarkGate.

  • Do not click on suspicious links or attachments from unknown senders.
  • Do not download software from unofficial sources.
  • Scan downloads for malware and block malicious ads with NordVPN’s Threat Protection.
  • Install reliable antivirus software and keep it updated.
  • Create strong and unique passwords for your online accounts.
  • Do not save passwords on browsers, use a password manager instead.
  • Enable MFA (multi-factor authentication) to prevent attackers from accessing your accounts, even if they have your login credentials.


If you think you might have DarkGate on your device, you need to act promptly:

  • Disconnect your device from the internet to stop the malware from communicating with its command and control server.
  • Boot into safe mode.
  • Run a full system scan using a reputable antivirus solution.
  • Follow the instructions provided by your antivirus software to remove the malware.
  • Reset browser settings to the default version, especially if you suspect DarkGate compromised your browser.
  • Change passwords for online services and monitor accounts for suspicious activity.

If you don’t feel confident handling the removal yourself, consider getting help from IT professionals.