DarkCloud Stealer has just lately emerged as a potent risk concentrating on monetary organizations via convincing phishing campaigns. Adversaries make use of weaponized RAR attachments masquerading as legit paperwork to ship a multi-stage JavaScript-based payload.
Upon opening the archive, victims execute a VBE script that leverages Home windows Script Host to provoke a PowerShell downloader hidden in innocuous-seeming picture information.
This preliminary entry vector exploits customers’ belief in routine monetary correspondence, triggering an automatic chain of decoding and decryption steps designed to evade typical safety controls.
In early September 2025, safety groups noticed a dramatic uptick in malicious RAR attachments despatched to company electronic mail accounts inside the banking sector.
CyberProof analysts recognized that the archive named “Proof of Cost.rar” accommodates a VBE script which, when executed, calls PowerShell to obtain an embedded JPG file named universe-1733359315202-8750.jpg.
Machine timeline exhibiting the obtain activty from person (Supply – CyberProof)
The stealer’s loader is hid inside this picture, and the decoding routine extracts the .NET DLL module instantly from picture pixel knowledge.
CyberProof researchers famous that the PowerShell script rigorously checks reminiscence offsets to find a definite BMP header sample earlier than carving out the loader DLL.
The next snippet illustrates the core loop used for scanning the downloaded picture bytes:-
for ($i=0; $i -lt $knowledge.Size – $header. Size; $i++) {
$match = $true
for ($j=0; $j -lt $header.Size; $j++) {
if ($knowledge[$i + $j] -ne $header[$j]) { $match = $false; break }
}
if ($match) { $offset = $i; break }
}
As soon as the DLL is reconstructed in reminiscence, the script invokes [Reflection.Assembly]::Load() to execute the loader with out ever touching disk.
Persistence and Credential Theft
After loading into reminiscence, DarkCloud Stealer establishes persistence by copying a JavaScript payload to the Home windows Run registry key below a disguised filename (M3hd0pf.exe masquerading as MSBuild.exe), guaranteeing execution on each person login.
The stealer then injects into legit processes like MSBuild.exe and mtstocom.exe utilizing course of hollowing methods, enabling it to siphon saved credentials from browser databases akin to Chrome’s Login Information.
Alerts from endpoint detection platforms verify DPAPI entry occasions and reminiscence mapping into browser processes, revealing makes an attempt to decrypt saved passwords instantly in reminiscence.
Stolen knowledge being despatched to distant IPs (Supply – CyberProof)
Lastly, stolen knowledge is staged in person directories and exfiltrated by way of FTP and HTTP channels to dynamic area clusters (.store, .xyz), complicating network-based detection.
Monetary establishments are urged to watch for anomalous VBE/VBS execution, sudden registry Run key modifications, and JavaScript information in public obtain folders to quickly detect and disrupt this insidious marketing campaign.
Enhance your SOC and assist your workforce shield your online business with free top-notch risk intelligence: Request TI Lookup Premium Trial.
