New DarkCloud variant infection chain | Image: Fortinet
Researchers from Fortinet’s FortiGuard Labs detected a new DarkCloud campaign deploying a stealthy, fileless payload through a sophisticated phishing and PowerShell-based attack chain. DarkCloud — first identified in 2022 — is a Windows-based information stealer designed to exfiltrate saved credentials, payment data, email contacts, and other sensitive information.
The attack begins with a phishing email containing no message body — only an attached RAR archive (Quote #S_260627.RAR). Inside, victims find a JavaScript file (Quote #S_260627.js) which, when opened, is executed via WScript.exe.
The obfuscated JS decodes and runs Base64-encoded PowerShell code that downloads a disguised JPEG image. Hidden within the JPEG is an encrypted .NET DLL, loaded directly into memory via [Reflection.Assembly]::Load().
The .NET DLL, masquerading as Microsoft.Win32.TaskScheduler, maintains persistence by copying the JS file to a new location and adding a registry autorun key under:
The DLL retrieves a reversed, Base64-encoded URL from its parameters, leading to a reversed PE file hosted on paste[.]ee. After decoding it in memory, it deploys the payload via process hollowing into MSBuild.exe.
The malware uses Windows APIs like CreateProcess(), NtUnmapViewOfSection(), WriteProcessMemory(), and SetThreadContext() to inject and run the DarkCloud payload without writing it to disk.
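The chain above (WScript.exe launching encoded PowerShell, PowerShell spawning MSBuild.exe as the hollowing host, and a Run-key autorun pointing back at the .js dropper) gives a defender three cheap process- and registry-level signals. The following is an added example, not Fortinet's tooling or code from the report: it runs simple detection rules over constructed events modelled on Sysmon process-creation (EventID 1) and registry-set (EventID 13) fields; the registry value name and the dropper's copied path are assumed, since the report summary does not give them.

```python
"""Detection rules for the DarkCloud delivery chain over constructed sample events."""
import re

# Constructed sample events (not real telemetry); keys follow Sysmon field names.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WScript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe"},
    {"EventID": 13, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     # Value name "Updater" and the copied path are assumptions for this example.
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"wscript.exe C:\Users\victim\AppData\Roaming\Quote #S_260627.js"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe app.csproj"},  # benign: a normal build host launch
]

# -e/-ec/-enc/-EncodedCommand is how the JS stage hands PowerShell its Base64 payload.
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for parent/child image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, evidence) tuples for events matching the DarkCloud chain."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:
            parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
            # Stage 1: a script host running PowerShell with an encoded command.
            if parent in SCRIPT_HOSTS and image == "powershell.exe" and ENCODED_PS.search(cmd):
                hits.append(("script_host_encoded_powershell", cmd))
            # Stage 2: MSBuild.exe started by PowerShell rather than a build tool (hollowing host).
            elif image == "msbuild.exe" and parent == "powershell.exe":
                hits.append(("powershell_spawned_msbuild", ev["ParentImage"]))
        # Persistence: a Run-key value whose data points at a .js file.
        elif ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
            if re.search(r"\.js\b", ev["Details"], re.IGNORECASE):
                hits.append(("run_key_points_to_js", ev["TargetObject"]))
    return hits
```

The devenv.exe-launched MSBuild event is included to show the parent check keeps ordinary builds out of the alert stream.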
The payload is written in VB6, leveraging multiple Timers to execute functions in short intervals. Timer4 is the main worker, running every 150 ms.
Anti-analysis measures include:
- Over 600 encrypted constant strings, decrypted at runtime.
- Anti-sandbox detection by monitoring mouse/keyboard activity via GetAsyncKeyState(). If no user input is detected, execution stalls.
DarkCloud targets:
- System information — Computer name, username, public IP (http://showip.NET).
- Browser data — Saved passwords and credit card info from Chrome, Edge, Firefox, Brave, and others. Data is extracted from SQLite DBs (logins, credit_cards tables) using sqlite3_column_text() and sqlite3_column_blob().
- Other applications — Credentials from FTP clients (FileZilla, WinSCP), email clients (Outlook, Thunderbird, FoxMail), developer tools (dnSpy), and even packet capture tools (Wireshark).
- Email contacts — Exported to text files per client (e.g., ThunderBirdContacts.txt, OutlookContacts.txt).
Instead of FTP, this variant uses SMTP over TLS for exfiltration. All SMTP details — including server address, login credentials, and recipient — are stored as encrypted strings.
“The email subject contains basic information from the victim’s system, including the computer name, username, and public IPv4 address,” Fortinet notes.
This DarkCloud variant demonstrates multiple layers of obfuscation, fileless delivery, and anti-analysis mechanisms — making it harder to detect and investigate. The use of legitimate tools (MSBuild.exe, registry autorun) combined with in-memory payload execution aligns with current APT-grade tradecraft.