EXECUTIVE SUMMARY:
A newly analyzed malware variant known as DarkCloud has been observed in phishing campaigns targeting organizations through banking-themed lures. Delivered via malicious ZIP attachments, DarkCloud positions itself as a potent information stealer with broad targeting capabilities, ranging from browser-stored credentials and cookies to FTP logins, email accounts, clipboard data, and cryptocurrency wallets. What distinguishes this malware is its shift from .NET development to a Visual Basic 6 rewrite, signaling an attempt to evade conventional detection methods and complicate analysis. Its campaigns leverage social engineering techniques—carefully crafted subject lines, plausible sender identities, and disguised executables—demonstrating how attackers combine technical sophistication with psychological manipulation to achieve initial access. DarkCloud highlights the growing risk of phishing-driven intrusions where attackers blend convincing communication with powerful data theft tools.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
A newly analyzed malware variant known as DarkCloud has been observed in phishing campaigns targeting organizations through banking-themed lures. Delivered via malicious ZIP attachments, DarkCloud positions itself as a potent information stealer with broad targeting capabilities, ranging from browser-stored credentials and cookies to FTP logins, email accounts, clipboard data, and cryptocurrency wallets. What distinguishes this malware is its shift from .NET development to a Visual Basic 6 rewrite, signaling an attempt to evade conventional detection methods and complicate analysis. Its campaigns leverage social engineering techniques—carefully crafted subject lines, plausible sender identities, and disguised executables—demonstrating how attackers combine technical sophistication with psychological manipulation to achieve initial access. DarkCloud highlights the growing risk of phishing-driven intrusions where attackers blend convincing communication with powerful data theft tools.[emaillocker id="1283"]
The malware incorporates multiple technical layers to ensure persistence and avoid detection. It employs optional string encryption using VB6’s pseudo-random routines, hiding critical strings such as exfiltration endpoints from straightforward analysis. DarkCloud performs rigorous system checks before execution, scanning for sandbox traits like low disk capacity, limited memory, or known analysis processes, and will abort if suspicious conditions are detected. Its modular functions include persistence via registry RunOnce keys, selective file harvesting, and customized targeting of crypto wallets by searching for directories associated with platforms such as MetaMask and Electrum. For data exfiltration, it offers flexible channels, including SMTP, Telegram bots, FTP uploads, and web panels, allowing attackers to tailor campaigns to their infrastructure. Its builder tool enables customization of payload stubs, ensuring adaptability and scalability, even though reliance on VB6 presents operational risks for its authors.
DarkCloud reflects a blend of technical adaptability and strategic design. Its ability to evade analysis, selectively harvest high-value data, and use varied exfiltration channels ensures maximum impact while maintaining operational flexibility for attackers. The use of realistic phishing lures makes it particularly dangerous, as user interaction remains the weak link in most organizations. Its evolution from .NET to VB6 illustrates how threat actors repurpose outdated technologies to bypass modern defenses. Defenders are advised to focus on layered protections: filtering high-risk attachments, training staff to spot phishing attempts, and deploying behavior-based endpoint defenses capable of detecting runtime anomalies. DarkCloud exemplifies the evolution of commodity infostealers into modular, evasive threats that blur the line between opportunistic malware and sophisticated campaigns.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1204.002 | User Execution | Malicious File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027 | Obfuscated/Encrypted Files | - |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1082 | System Information Discovery | - |
| T1057 | Process Discovery | - | |
| Collection | T1113 | Screen Capture | - |
| T1005 | Data from Local System | - | |
| Exfiltration | T1041 | Exfiltration over C2 Channel | - |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
| Execution | E1203 | Exploitation for Client Execution |
| Privilege Escalation | E1055 | Process Injection |
| Defense Evasion | E1014 | Rootkit |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Collection | F0015 | Hijack Execution Flow |
| Communication Micro-objective | C0001 | Socket Communication |
REFERENCES:
The following reports contain further technical details:
[/emaillocker]