(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Have questions like this:

• what do you know about the Dark Partners group?
• What are the specific indicators of compromise (IoCs) and detection signatures for Dark Partners’ malware?

Trying to build SEM detections? Does it take a chunks out of your day? Would you like help with the research?

This baseline report was thoughtfully researched and took 10 minutes.. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work..

Are you ready to level up your skillset? Get Started Here!

Did this help you? Forward it to a friend!

TL;DR

Key Points

1. • Dark Partners leverages a vast network of fake websites impersonating AI tools, VPNs, crypto wallets, and popular software brands to deliver Poseidon Stealer (macOS) and PayDay Loader (Windows), targeting cryptocurrency assets and credentials globally.
   • Organizations should prioritize advanced endpoint detection, strict certificate validation, and dynamic network controls to disrupt malware delivery and C2 communications.
2. • The group employs sophisticated evasion tactics, including stolen code signing certificates, anti-sandboxing, and modular malware management via the PayDay Panel, enabling rapid adaptation and scalable operations.
   • Continuous monitoring for behavioral indicators, PowerShell persistence, and anomalous certificate usage is critical for early detection and response.
3. • Social engineering and SEO poisoning are primary infection vectors, with campaigns expanding to at least 37 impersonated brands and over 250 malicious domains.
   • Targeted user awareness training and simulated phishing exercises are essential to reduce compromise rates, especially in crypto, tech, and financial sectors.

Executive Summary

Dark Partners is a financially motivated cybercrime group active since at least May 2025, orchestrating large-scale cryptocurrency theft campaigns through a sophisticated infrastructure of fake websites mimicking AI tools, VPN services, crypto wallets, and widely used software brands. Their operations span the US, EU, Russia, Canada, and Australia, with a focus on sectors rich in digital assets and credentials.

The group’s toolset includes Poseidon Stealer (macOS) and PayDay Loader (Windows), both distributed via SEO poisoning and social engineering. Poseidon Stealer uses launch agents and scheduled tasks for persistence on macOS, while PayDay Loader leverages PowerShell scripts and virtual hard disks on Windows. Both employ stolen code signing certificates and anti-sandboxing to evade detection, with centralized management and payload deployment handled through the PayDay Panel.

Infrastructure mapping reveals nearly 250 fake domains and globally distributed C2 servers, with recent disruptions tied to certificate revocations. However, the group is expected to rapidly adapt by acquiring new certificates and expanding their fake site network. No direct links to nation-state actors or other APT groups have been identified.

Mitigation requires a multi-layered approach: advanced EDR with behavioral analytics, strict certificate validation, dynamic IoC-driven network controls, and robust user awareness programs. Organizations should monitor for macOS launch agents, Windows PowerShell persistence, suspicious certificate usage, and network traffic to known C2 infrastructure. Red team exercises simulating Dark Partners’ TTPs are recommended to validate defenses.

Looking forward, Dark Partners is likely to adopt more advanced evasion (e.g., fileless malware, LOLBins), expand targeting to DeFi/NFT platforms, and increase use of AI-generated social engineering. Continuous intelligence sharing, dynamic detection strategies, and user education will be critical to countering this evolving threat.

Research & Attribution

Historical Context

Dark Partners is a financially motivated cybercrime gang active in 2025, specializing in large-scale cryptocurrency theft campaigns. They operate a network of fake websites impersonating AI tools, VPN services, crypto wallets, and popular software brands to distribute malware. Their campaigns, observed from at least May to July 2025, deploy malware families such as Poseidon Stealer (macOS) and PayDay Loader (Windows). The group was named "Dark Partners" by cybersecurity researcher g0njxa, who documented their infection steps and malware operations. Their activities include stealing cryptocurrency wallets, credentials, and sensitive data, which are likely sold on cybercriminal markets. The group employs sophisticated evasion techniques, including stolen code signing certificates and anti-sandboxing measures.

Timeline

• May 2025: Campaigns distributing Poseidon Stealer and PayDay Loader observed.
• June 2025: Expansion of fake websites impersonating at least 37 popular apps and tools, including crypto platforms and VPN services.
• July 2025: Temporary disruption of operations due to invalidated code signing certificates; ongoing monitoring of infrastructure and malware activity.

Origin

Dark Partners is a financially motivated cybercrime gang with no publicly attributed nation-state origin. Their operations focus on cryptocurrency theft worldwide. The group was identified and named by independent cybersecurity researchers based on their unique malware and operational tactics.

Countries Targeted

1. United States – High concentration of cryptocurrency users and tech companies targeted via fake software sites.
2. European Union – Significant targeting of VPN and crypto wallet users.
3. Russia – Active cryptocurrency markets targeted by fake AI and software impersonations.
4. Canada – Targeted for cryptocurrency theft campaigns.
5. Australia – Observed in telemetry as part of global targeting.

Sectors Targeted

1. Cryptocurrency and Blockchain – Primary target for wallet theft and credential harvesting.
2. Technology and Software – Fake websites impersonate popular software brands to lure victims.
3. Financial Services – Indirect targeting through credential theft and wallet compromise.
4. VPN Services – Used as a lure vector and target for impersonation.
5. General Consumer Software – Broad targeting through fake download sites.

Motivation

Financial gain through theft of cryptocurrency assets and sensitive credentials. The group monetizes stolen data via cybercriminal markets and uses the PayDay Panel management platform to control and monetize malware operations efficiently.

Attack Types

• Social engineering via fake websites impersonating AI tools, VPNs, crypto wallets, and software brands.
• Malware delivery through SEO poisoning and fake download sites.
• Use of Poseidon Stealer (macOS) and PayDay Loader (Windows) for data exfiltration.
• Use of stolen code signing certificates to evade detection.
• Complex persistence mechanisms including PowerShell scripts and virtual hard disks.
• Anti-sandboxing and evasion techniques to avoid automated analysis.

Technical Analysis, IoCs, Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps

(Subscribers Only)