Unit 42 researchers have observed changes in the distribution and obfuscation techniques of DarkCloud Stealer. The new infection chain, first seen in April 2025, involves ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with a phishing email containing an archive file, which leads to the download and execution of a PowerShell script. This script then drops an executable protected by ConfuserEx, which ultimately injects the DarkCloud Stealer payload into a legitimate process. The malware employs various anti-analysis techniques, including encryption and obfuscation of strings. These changes highlight the evolving evasion strategies of cybercriminals and underscore the need for advanced, behavior-based threat detection approaches.
Author: AlienVault
Related Tags:
visual basic 6
DarkCloud Stealer
process hollowing
T1553.002
infection chain
anti-analysis
T1573.001
T1036.005
T1027.002
Associated Indicators: