Introducing DarkRegin
Our own private offensive framework
Intro, the original Regin
In 2013 and 2014, Kaspersky and Symantec published write-ups of an alleged Western Advanced Persistent Threat (APT) malware implant and modular framework known as Regin. The name is “In Reg,” or “In Registry,” reversed. Over just under a year of writing this Substack and developing, I want to point out that, while I have said before that I was approached for recruitment three times by the NSA, I was never formally employed by the National Security Agency. I was a “hot pick,” but I was never an NSA agent. So you cannot call me a rogue NSA agent, by the way—just to make that clear.
However, VX-Underground—post-Venezuela invasion and kidnapping of Maduro—did mention Regin, and that’s the first time I ever heard of it. And while I cannot tell you which loader strain I created, it does not necessarily have to fire off ransomware or skimmers; it can also deploy persistent implants, depending on how you configure it. It is very similar to Regin because, in 2026, it is not that hard to build a Regin: the original Regin hid in NTFS Alternate Data Streams (ADS) and kept its loaders in the registry. That is why they call it “In Registry,” Regin reversed. Therefore, most Regin copycats reuse some piece of Regin, though probably none as modular as mine, which can switch roles, keep a persistent callback, or move from infostealer to skimmer to ransomware mode using registry-key signaling.
My version, DarkRegin
With all due respect, my version is not the official National Security Agency version of Regin, and I have never had access to classified Regin documentation. It builds on my latest article, “2026: The Year of the Full Compromise Kill Chain,” on my Substack.
It works by supporting phishing attacks as well as automated exploitation, usually of web or Linux services. For now, the Windows version is far more sophisticated than the cross-platform Linux version, which ultimately ransoms its entry point before attempting to pivot into a Windows domain environment.
As I mentioned in my previous article, it chains five exploits, but then it abuses a fairly modern “Skeleton Key” or “Golden Ticket”-like mechanism. Let’s not call it a Golden Ticket, because that is an actual term in Active Directory exploitation, as is a Silver Ticket. Let’s call it a “Golden Skeleton Key.” The idea is to automate Privilege Escalation (PrivEsc) from a non-administrative user into an Administrator, and then utilize Bring Your Own Vulnerable Driver (BYOVD). I combine Bring Your Own Vulnerable App (BYOVA) with BYOVD.
It is frightening how powerful a non-standard version of Regin is: it has over seven persistence methods, though it does not support GSM or mobile-device capabilities. I am just one guy; I developed this tool entirely by myself. Right before it escalates privileges, it uses the Infinite AMSI bypass, which I detailed in my previous article and video tutorial.
Basic overview of DarkRegin
Making a Regin variant in 2026 is not trivial, but it’s also not impossible. At a minimum, you have to be able to write malware in C. You have to be able to perform Dynamic Invocation (D/Invoke) attacks. Also, using tools like a CLR shellcode runner—reflectively loading .NET assemblies with arguments—is essential. Virtual Machine Obfuscation (VMO) is going to be the one that makes your head spin. But personally, all I did was re-crypt my D/Invoke loaders to start up the payloads again, which are pre-programmed to talk to my Cloudflare Workers, and it was quite trivial.
The hardest part, arguably, is Kernel Mode exploitation. I learned this from Sektor7 Malware Development Advanced, Volume 2. I know how to do all of the techniques, including PreviousMode (or “God Mode”) exploitation. However, even the latest patch for Windows 11 22H2/23H2 stops PreviousMode manipulation, but that does not stop me from getting around Virtualization-Based Security (VBS).
Research has shown that at least half of all vulnerable drivers listed on LOLDrivers.io may be abused to locate the page-table base, that is, the physical address of the PML4 held in the CR3 register. If you can locate that base address via the Low Stub (the PPROCESSOR_START_BLOCK), you can bypass HVCI (Hypervisor-Protected Code Integrity) and VBS. This means any vulnerable hardware or physical-memory driver that grants access to physical memory can be used to read and write the kernel directly.
https://github.com/Xacone/Eneio64-Driver-Exploits/tree/main/procs
DarkRegin Deeper Dive
So let’s go into the ransomware version of what I guess you could call DarkRegin (as a single word). Going through my notes, there honestly is no single command, outside of what VX-Underground calls “Touch Injection,” that computes the on-screen position of the Windows Security settings panel, clicks through it, and disables Tamper Protection so that you can turn off antivirus.
However, you can repurpose and rewrite tools such as EDR-Sandblast or EDR-Freeze. Instead of having them accept arguments, it was trivial for me to recompile one to locate the Microsoft Malware Protection Engine (MsMpEng.exe). It does not shut down Tamper Protection, but it causes a huge system bottleneck that breaks computer usability.
If you’re in ransomware mode, all you have to do is wrap this in logic that queries HKCU (HKEY_CURRENT_USER). You can use signaling techniques so it first steals files and credentials; once that is done, it writes a generic, commonly found registry value. There are plenty of generic naming conventions in HKCU. As the current user, not an escalated one, you can make something up under the Microsoft Edge registry key, for example; let’s say “Microsoft Telemetry.” You give it a DWORD (Double Word), basically a 32-bit number displayed in hexadecimal, although when you set a DWORD you can enter it as decimal. So 0x0 is 0, 0x1 is 1, and so on.
You can use this for signaling modes so each stage does something specific, like stealing files before loading the ransomware:
0x0: File Stealer mode.
0x1: Credential Stealer mode (an infostealer or “Auto-Skimmer”).
0x2: Ransomware mode.
You can wrap all of this together using an automated exploitation tool.
DarkRegin is a private tool and has no interest in cellular networks
The only reason I called it Regin or DarkRegin is not that I ever had access to the Regin source code; that would be a classified program. I named it DarkRegin simply because things happen so fast in the world now. I actually don’t remember when Maduro was kidnapped; I know it was a Friday or a Saturday night.
But the reason I called it DarkRegin is that it has been in the research literature for many years, perhaps even longer if they are right that it goes all the way back to 2008. It may even have existed before then. I’d rather not get into it.
Outside of ransomware mode, DarkRegin is very similar to the description of Regin in the 2014 Kaspersky write-up. As I said before, it is not the same thing. It does not support GSM/mobile pivoting, because I’m largely uninterested in that; I’m more interested in pivoting through base stations and repeaters for shortwave radio. You can actually abuse meteor burst communications (METEOR) to create shortwave radio signals to triangulate and achieve an objective: to locate or send a message and get a response in no more than 20 minutes, even between the Northern and Southern Hemispheres of the Earth. That was the purpose of this. I just can’t tell you what I am doing, and I will not release DarkRegin.
Why Shortwave Radio
So let’s go to the next part of DarkRegin. DarkRegin is not interested at all in cellular networks, cell towers, or satellite networks because they are owned by billionaires. Not only is it expensive to launch them and keep them in orbit, but an adversary can destroy them with a missile.
So DarkRegin relies on credential transmission via shortwave radio. It is a rough calculation, but it comes to about four figures per hemisphere. I can talk from the Northern Hemisphere to the Southern Hemisphere for $3,000, so that’s $6,000 for both. This $3,000 setup requires a network of mesh devices with Yagi antennas acting as relays for low-range transmitters. What you do is take the credentials of whatever you’re trying to exfiltrate. It’s resilient because you cannot “delete” the ionosphere, which is what shortwave propagation relies on. If someone destroyed the ionosphere, we would all die from multiple factors, one being UV radiation from the sun. That is why it’s impossible to stop DarkRegin’s shortwave radio platform.
DarkRegin disables or impairs Endpoint Detection and Response (EDR). It then uses an Infinite AMSI bypass, through self-injection and reflection, to immediately hook the scan interface and render every malicious command as “true.” As you saw in my previous attack chain, it chains automated Privilege Escalation tricks through Bring Your Own Vulnerable App (BYOVA), then escalates to Kernel Mode to blind telemetry using Bring Your Own Vulnerable Driver (BYOVD). Using these tricks, DarkRegin finally exfiltrates the data.
Remember, it is designed not to rely on cellular infrastructure paid for by billionaires. It may utilize fiber optics (infrastructure paid for by someone else), but when it installs itself, it is designed to immediately find the closest shortwave-based radio station. We borrow Error Correction Code (ECC) methods from cellular networks because shortwave radio tends to have a lot of interference.
The reason we have 5G is Polar Codes. A Polar Code is a relative error-correction algorithm, meaning it lets a message through if it “looks” right rather than verifying it is absolutely right. This is unlike 4G’s Turbo Code. Turbo Codes were named after turbochargers, but the idea is to use error correction and “corner-cutting” to send messages faster through multiplexing. However, a Turbo Code is more accurate than a Polar Code, and we don’t need messages to be that fast. Shortwave is fast enough, but it is loaded with errors.
If a credential dump (passwords, hashes, tokens) is about 2 to 8 KB, and you combine a shortwave radio network with Meteor Burst Communications, the implant, and your own base station nearby with a Yagi antenna, you can collect data from the base station. You just need people to protect one shortwave base station for each hemisphere—that’s $12,000 total. Using Turbo Codes to transmit stolen credentials is relatively simple and much cheaper—five figures at most—compared to launching satellites for hundreds of millions of dollars. That is how DarkRegin works: it abuses existing infrastructure and exfiltrates via shortwave radio.
Example of DarkRegin Exfiltration via Shortwave Radio
So let’s take a simple credit card theft. It’s the 16-digit PAN plus Track 1 and Track 2 data (unless you’re in another country that also includes Track 3). Track 1 and Track 2 include the name and other critical elements, but not the CVV2. Well, the magstripe actually does carry CVV1, but for people who skim from RAM on online machines, like an actual user’s computer via a browser, you don’t get a CVV2 out of it, by the way.
But let’s say a network of skimmers is somewhere in the Eastern Hemisphere. They use short-range transmissions to reach a parabolic antenna at a tiny, low-power station about 25 feet away. This station has three parabolic antennas pointing in every direction. Those antennas point to a slightly stronger station, which eventually sends the data to the nearest Shortwave Base Station in the Eastern Hemisphere.
That base station creates a huge burst of all the stolen credit card data. Using Turbo Codes to validate the transmission and ensure it is “good,” the signal then bounces off the ionosphere and into the Western Hemisphere.
I might have an “evil James Bond” kind of mansion that I paid only $150,000 for, located next to a shoreline on some beach—hypothetically, of course. This is DarkRegin. Next to my house, there are mountains. That mountain has three more parabolic antennas pointing in every direction. One antenna points to a very discreet panel antenna, patch antenna, Yagi, or parabolic antenna on my house. I’m just paying off two engineers to make sure it keeps working.
The chain of attribution effectively breaks when the signal hits the ionosphere. Once the data leaves the Eastern Hemisphere’s shortwave station and fires into the sky, attribution is nearly impossible until it lands back in the Western Hemisphere—where only three people in the world know about this chain of antennas pointing directly to my house. And they probably don’t know anything about the data I’m receiving.
State Machine Design, new features being added to DarkRegin
Both VX-Underground and John Hammond introduced a technique that is actually decades old, involving the NTUSER.MAN file. The .man extension denotes a mandatory registry hive. John Hammond walked through how to do this, because you can’t simply export the HKEY_CURRENT_USER (HKCU) hive in plaintext and then recompile it back into binary format. Additionally, exporting the binary format often requires Administrator privileges, which we may not have obtained yet.
However, John Hammond did find a GitHub repo called HiveSwarming (HiveSwarming.exe). Using this technique, you can replace the hive, whether the local user’s or the admin’s, with a mandatory hive that is loaded at runtime. With it, you can create persistence methods such as on-run entries, or use other, more discreet methods. There are multiple registry keys that can create “on-run” profiles, including ones triggered when a previous command exits.
Looking through my notes—lots and lots of notes—you can use:
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Userinit
What you do is first call Userinit, then exit that call and run a PowerShell command. I actually implemented that in DarkRegin. Another feature I’m implementing in DarkRegin soon is a state machine, because you don’t want to be ransoming a machine while you are still collecting files or stealing credentials.
First, it will escalate to Administrator, then use kernel driver exploits. It will steal credentials first and send them to a Cloudflare Worker, which then proxies to a OneDrive instance from a sock account. Then it steals the critical files and exfiltrates them back to the OneDrive instance. Using the state machine in HKCU registry keys, it will finally execute the rest of the attack.
While doing this, it is also collecting credentials from memory in an attempt to attack the Domain Controller (DC). Once it reaches the DC, it iterates through all the identities on the domain—regardless of Tier 0, Tier 1, or Tier 2—attempting to ransom the whole domain. Hopefully, it reaches an account that can connect this Forest to another Forest to ransom that one, too.
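From the defender’s side, the two registry mechanisms described above (the HKCU DWORD used as a stage signal, and Run/RunOnce/Userinit plus an NTUSER.MAN drop for persistence) all leave traces in ordinary endpoint telemetry. The following is an added example, not code from the original post or from DarkRegin: a small Python detector that scans constructed, Sysmon-style registry-set (EventID 13) and file-create (EventID 11) records and flags those patterns. The event lines, the “user-writable path” heuristic, and the rule names are all assumptions made for this example; the stage numbers 0/1/2 are the ones the post assigns.

```python
"""Added example (not from the post): flag registry signalling and persistence
traces in constructed Sysmon-style events. All sample events are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    target: str
    detail: str


# Stage meanings the post assigns to its HKCU signalling DWORD (0x0, 0x1, 0x2).
STAGE_MEANING = {0: "file-stealer stage", 1: "credential-stealer stage", 2: "ransomware stage"}

# Heuristic (assumption): binaries running from these locations should not be
# writing under Microsoft product keys in a user's hive.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
USERINIT_RE = re.compile(r"\\Winlogon\\Userinit$", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.IGNORECASE)  # Sysmon's DWORD rendering

# Constructed, simplified Sysmon-like records: "<EventID>|field=value|field=value".
# Sysmon logs HKCU paths as HKU\<SID>\..., so the rules match on HKU.
SAMPLE_EVENTS = [
    r"13|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Edge\UserConfig|Details=DWORD (0x00000001)",
    r"13|Image=C:\Users\alice\AppData\Local\Temp\updater.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Edge\Microsoft Telemetry|Details=DWORD (0x00000002)",
    r"13|Image=C:\Users\alice\AppData\Local\Temp\updater.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate|Details=C:\Users\alice\AppData\Local\Temp\updater.exe",
    r"13|Image=C:\Windows\regedit.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit|Details=C:\Windows\system32\userinit.exe,C:\Users\alice\AppData\Local\Temp\updater.exe",
    r"11|Image=C:\Windows\System32\svchost.exe|TargetFilename=C:\Users\alice\NTUSER.MAN",
    r"13|Image=C:\Program Files\Microsoft\Edge\Application\msedge.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Edge\UserConfig|Details=DWORD (0x00000001)",
]


def parse(line):
    """Split one constructed record into a dict; EventID becomes an int."""
    parts = line.split("|")
    fields = dict(p.split("=", 1) for p in parts[1:])
    fields["EventID"] = int(parts[0])
    return fields


def is_user_writable(image):
    return any(marker in image.lower() for marker in USER_WRITABLE)


def scan(lines):
    """Return a Finding for every record that matches one of the four rules."""
    findings = []
    for line in lines:
        ev = parse(line)
        image = ev.get("Image", "")
        if ev["EventID"] == 11:
            # Mandatory profile hive dropped into a user profile directory.
            name = ev.get("TargetFilename", "")
            if name.lower().endswith("\\ntuser.man"):
                findings.append(Finding("mandatory-hive-dropped", image, name, ""))
            continue
        if ev["EventID"] != 13:
            continue
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if AUTORUN_RE.search(target):
            # Any new Run/RunOnce value is worth a look; triage on the Details path.
            findings.append(Finding("autorun-write", image, target, details))
        elif USERINIT_RE.search(target):
            # Userinit normally holds only userinit.exe; anything appended is suspect.
            extra = [p.strip() for p in details.split(",")
                     if p.strip() and not p.strip().lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(Finding("userinit-appended", image, target, ",".join(extra)))
        else:
            # A DWORD written under a Microsoft product key by a binary in a
            # user-writable directory: candidate stage/state signal.
            m = DWORD_RE.search(details)
            if m and "\\software\\microsoft\\" in target.lower() and is_user_writable(image):
                stage = STAGE_MEANING.get(int(m.group(1), 16), "unknown stage")
                findings.append(Finding("hkcu-signal-dword", image, target, stage))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.image} -> {f.target} [{f.detail}]")
```

Run against the constructed events it reports four findings: the DWORD write under the Edge key by a Temp-resident binary (decoded as the ransomware stage), the Run value pointing at that same binary, the extra entry appended to Userinit, and the NTUSER.MAN drop; the two legitimate Edge writes are ignored. The user-writable heuristic is deliberately narrow so the rule stays quiet for installers and browsers writing their own keys; in production you would key it to your own allow list of signing identities rather than paths.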