In July 2025, a new DarkCloud malware campaign was observed, reflecting its ongoing evolution as a stealthy Windows-based information stealer. Delivered through phishing emails with malicious RAR archives disguised as urgent quote requests, it used an obfuscated JavaScript and PowerShell chain to download an encrypted .NET DLL executed entirely in memory. The malware established persistence, injected into MSBuild.exe via process hollowing, and employed advanced anti-analysis techniques, including sandbox evasion and extensive string encryption. Its goal was to steal credentials, financial data, and email contacts from popular applications, exfiltrating them via SMTP. The stolen information could be used for fraud, espionage, or resale on underground markets, causing financial and reputational damage. By leveraging phishing, fileless execution, and obfuscation, DarkCloud remains a serious threat requiring strong, layered defenses and proactive detection.
A fresh wave of activity involving the DarkCloud malware surfaced, signaling yet another advancement in this stealth-oriented, Windows-based information stealer that first came to light in 2022. Known for its covert capability to siphon sensitive data, including account credentials, financial records, and email address books, DarkCloud has repeatedly evolved its tactics to evade detection and optimize its data theft operations.
The latest operation employed a familiar but highly effective delivery strategy: a phishing email carrying a malicious RAR archive, disguised as an urgent quotation request. Intriguingly, the email contained no message body, relying solely on the target’s curiosity or perceived urgency to prompt interaction.
Inside the compressed archive, recipients found what appeared to be a harmless JavaScript file. When opened, it triggered Windows Script Host to run heavily obfuscated code, which decoded and executed PowerShell commands. These commands fetched a JPEG file containing an encrypted .NET DLL, disguised as an image. Once decrypted directly in memory, the DLL, posing as a legitimate Task Scheduler component, initiated the infection chain. Persistence was achieved by duplicating the JavaScript file into a publicly accessible folder and adding an autorun registry entry, ensuring execution upon every reboot.
The DLL then contacted a remote command-and-control server to obtain the core DarkCloud payload. The payload was decrypted and loaded entirely into memory, bypassing conventional file-based antivirus scans. Through process hollowing, it injected itself into the trusted MSBuild.exe process, enabling it to operate under the guise of legitimate system activity. This fileless deployment method greatly hampers forensic investigations and detection efforts.
Once active, the VB6-compiled payload launched its primary functions. It incorporated extensive anti-analysis mechanisms, including encryption of more than 600 unique string constants and a sandbox evasion method that waited for evidence of genuine keyboard and mouse use before proceeding. Its core mission was to harvest sensitive information, including browser-saved passwords, payment card details, FTP client credentials, and email contact lists. Targeted applications included Google Chrome, Microsoft Edge, Mozilla Firefox, Microsoft Outlook, FileZilla, and Thunderbird. Data was extracted directly from the applications' SQLite databases, with encrypted entries decrypted using keys obtained via a secondary executable.
All collected data was compiled into text files and exfiltrated through SMTP. Outgoing messages to the attacker included identifiers such as the victim’s computer name, username, and public IP address, allowing the stolen records to be linked to specific systems.
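One way to look for the traces this chain leaves on an endpoint, as an added example that is not part of the original article: a small Python detector run over constructed Sysmon-style JSON-lines events covering the three behaviours described above (Windows Script Host spawning PowerShell, an autorun Run key pointing at a copied .js in a public folder, and MSBuild.exe opening an SMTP connection). The event records, registry value name, file name and IP address are all invented for illustration.

```python
import json

# Constructed Sysmon-style events (sample data, not from the original article).
# Line 1: wscript.exe running the archived .js spawns powershell.exe.
# Line 2: a Run key is written pointing at a copy of the .js under C:\Users\Public.
# Line 3: the hollowed MSBuild.exe opens an outbound SMTP connection.
# Line 4: benign noise that must not match.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "powershell -w hidden -enc AAAA"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\Public\\Quotation.js"}
{"EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 587}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""

SMTP_PORTS = {25, 465, 587}


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(e):
    """Return the name of the rule an event matches, or None."""
    eid = e.get("EventID")
    img = e.get("Image", "").lower()
    parent = e.get("ParentImage", "").lower()
    # Process creation: script host launching PowerShell (the JS -> PowerShell stage).
    if eid == 1 and parent.endswith(("\\wscript.exe", "\\cscript.exe")) and img.endswith("\\powershell.exe"):
        return "wsh_spawns_powershell"
    # Registry value set: autorun entry whose data is a .js file in a public folder.
    if eid == 13:
        key, val = e.get("TargetObject", "").lower(), e.get("Details", "").lower()
        if "\\currentversion\\run\\" in key and val.endswith(".js") and "\\users\\public\\" in val:
            return "autorun_js_in_public_folder"
    # Network connection: a build tool should not be talking to mail servers.
    if eid == 3 and img.endswith("\\msbuild.exe") and e.get("DestinationPort") in SMTP_PORTS:
        return "msbuild_smtp_connection"
    return None


def detect(text):
    """Return (rule, event) pairs for every matching line of a JSON-lines log."""
    return [(rule, e) for e in parse_events(text) if (rule := classify(e))]


if __name__ == "__main__":
    for rule, e in detect(SAMPLE_LOG):
        print(f"{rule}: {e.get('Image')}")
```

Each rule on its own is a weak signal; the value is in seeing all three on the same host within a short window, which is what the chain above produces.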
This campaign underscores DarkCloud’s persistent enhancement of its methods—merging phishing, multilayered obfuscation, memory-only execution, process hollowing, and anti-analysis techniques to bypass modern security defenses. By embedding itself within trusted processes and targeting a wide spectrum of software, DarkCloud continues to pose a severe risk to both organizations and individuals, reinforcing the need for swift detection and proactive countermeasures.
Conclusion:
DarkCloud’s July 2025 campaign demonstrates its ongoing evolution, blending phishing, obfuscation, and fileless execution to evade modern defenses. By exploiting trusted processes and targeting widely used applications, it achieves broad data theft capabilities. It employs advanced anti-analysis measures that significantly hinder detection and forensic efforts, making proactive monitoring, layered defenses, and timely patching critical to mitigating this threat.
This DarkCloud operation poses a high risk of significant data compromise, potentially revealing corporate login credentials, financial records, and confidential communications. Breached accounts could facilitate deeper network penetration, lateral movement, and precision-targeted attacks. The exfiltrated information may be leveraged for fraudulent activities, intelligence gathering, or traded on underground forums, leading to monetary losses, reputational harm, and possible legal or regulatory repercussions.
https://cybersecuritynews.com/new-windows-based-darkcloud-stealer-attacking-computers/