Threat Advisory

DarkCloud Infostealer Expands Capabilities with Evasion and Data Theft Features

Threat: Malware
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A newly analyzed malware variant known as DarkCloud has been observed in phishing campaigns targeting organizations through banking-themed lures. Delivered via malicious ZIP attachments, DarkCloud positions itself as a potent information stealer with broad targeting capabilities, ranging from browser-stored credentials and cookies to FTP logins, email accounts, clipboard data, and cryptocurrency wallets. What distinguishes this malware is its shift from .NET development to a Visual Basic 6 rewrite, signaling an attempt to evade conventional detection methods and complicate analysis. Its campaigns leverage social engineering techniques—carefully crafted subject lines, plausible sender identities, and disguised executables—demonstrating how attackers combine technical sophistication with psychological manipulation to achieve initial access. DarkCloud highlights the growing risk of phishing-driven intrusions where attackers blend convincing communication with powerful data theft tools.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A newly analyzed malware variant known as DarkCloud has been observed in phishing campaigns targeting organizations through banking-themed lures. Delivered via malicious ZIP attachments, DarkCloud positions itself as a potent information stealer with broad targeting capabilities, ranging from browser-stored credentials and cookies to FTP logins, email accounts, clipboard data, and cryptocurrency wallets. What distinguishes this malware is its shift from .NET development to a Visual Basic 6 rewrite, signaling an attempt to evade conventional detection methods and complicate analysis. Its campaigns leverage social engineering techniques—carefully crafted subject lines, plausible sender identities, and disguised executables—demonstrating how attackers combine technical sophistication with psychological manipulation to achieve initial access. DarkCloud highlights the growing risk of phishing-driven intrusions where attackers blend convincing communication with powerful data theft tools.[emaillocker id="1283"]

 

The malware incorporates multiple technical layers to ensure persistence and avoid detection. It employs optional string encryption using VB6’s pseudo-random routines, hiding critical strings such as exfiltration endpoints from straightforward analysis. DarkCloud performs rigorous system checks before execution, scanning for sandbox traits like low disk capacity, limited memory, or known analysis processes, and will abort if suspicious conditions are detected. Its modular functions include persistence via registry RunOnce keys, selective file harvesting, and customized targeting of crypto wallets by searching for directories associated with platforms such as MetaMask and Electrum. For data exfiltration, it offers flexible channels, including SMTP, Telegram bots, FTP uploads, and web panels, allowing attackers to tailor campaigns to their infrastructure. Its builder tool enables customization of payload stubs, ensuring adaptability and scalability, even though reliance on VB6 presents operational risks for its authors.

 

DarkCloud reflects a blend of technical adaptability and strategic design. Its ability to evade analysis, selectively harvest high-value data, and use varied exfiltration channels ensures maximum impact while maintaining operational flexibility for attackers. The use of realistic phishing lures makes it particularly dangerous, as user interaction remains the weak link in most organizations. Its evolution from .NET to VB6 illustrates how threat actors repurpose outdated technologies to bypass modern defenses. Defenders are advised to focus on layered protections: filtering high-risk attachments, training staff to spot phishing attempts, and deploying behavior-based endpoint defenses capable of detecting runtime anomalies. DarkCloud exemplifies the evolution of commodity infostealers into modular, evasive threats that blur the line between opportunistic malware and sophisticated campaigns.

THREAT PROFILE:

Tactic Technique ID Technique Sub-Technique
Initial Access T1566.001 Phishing Spearphishing Attachment
Execution T1204.002 User Execution Malicious File
Persistence T1547.001 Boot or Logon Autostart Execution Registry Run Keys / Startup Folder
Defense Evasion T1027 Obfuscated/Encrypted Files -
Credential Access T1555.003 Credentials from Password Stores Credentials from Web Browsers
Discovery T1082 System Information Discovery -
T1057 Process Discovery -
Collection T1113 Screen Capture -
T1005 Data from Local System -
Exfiltration T1041 Exfiltration over C2 Channel -

MBC MAPPING:

Objective Behavior ID Behavior
Execution E1203 Exploitation for Client Execution
Privilege Escalation E1055 Process Injection
Defense Evasion E1014 Rootkit
Anti-Static Analysis B0032 Executable Code Obfuscation
Collection F0015 Hijack Execution Flow
Communication Micro-objective C0001 Socket Communication

 

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu