Recently, eSentire’s Threat Response Unit (TRU) identified a spear-phishing campaign targeting a manufacturing client that attempted to deliver the DarkCloud information stealer. The lure, themed around banking transactions, contained a malicious ZIP archive sent to the company’s Zendesk support email, posing as legitimate financial correspondence.
The attackers used convincing social engineering. According to TRU, “The phishing lure, sent by procure@bmuxitq[.]shop, features a banking-themed subject line ‘Swift Message MT103 Addiko Bank ad: FT2521935SVT’ and message body that is designed to appear as legitimate financial correspondence.” The attachment contained DarkCloud version 3.2, disguised as a Swift transaction file.

Once sold on the now-defunct XSS.is forum, DarkCloud has undergone significant development. The report notes, “Formerly built in .NET, DarkCloud has received numerous updates, including a full stub re-write in VB6, string encryption, and evasion updates.”
The latest version (4.2) features a VB6-driven Caesar cipher for string encryption, complicating analysis. Researchers had to reverse-engineer VB6’s random number generator from msvbvm60.dll to decrypt stored strings.
DarkCloud is designed to maximize theft across multiple categories:
- Credentials & Financial Data: Browser-stored passwords, cookies, credit card info, FTP credentials, and email client data.
- File Grabbing: From directories like Desktop, Documents, and Favorites, focusing on .txt, .docx, .pdf, .xls[x] files.
- Crypto-Wallets: Targets wallets such as Electrum, Exodus, Zcash, Atomic, Guarda, and MetaMask. The report emphasizes, “DarkCloud has been observed targeting… MetaMask directories in Chrome and Edge.”
- System Reconnaissance: Collects OS details, usernames, and hardware info via WMI queries.
DarkCloud incorporates extensive sandbox and VM checks. TRU details, “If there are not more than 50 processes running, the check fails… variants query WMI and compare the system model against VMware, VirtualBox, and Microsoft virtual environments.” It also checks for analysis tools like Wireshark, Procmon, IDA Pro, and Joe Sandbox indicators.
Additionally, the malware attempts to detect if its executable filename is composed entirely of hex characters—an indicator of automated sandbox testing.
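As an added illustration (not code from eSentire's report), the following Python evaluates whether an analysis host would trip the anti-analysis checks described above, so a sandbox operator can confirm a detonation box looks like a real workstation. The host values it consumes are constructed, and matching IDA Pro by the process-name prefix `ida` is an assumption about how the tool is named.

```python
"""Check an analysis host against the DarkCloud anti-analysis conditions that the
TRU report describes: process count, virtualization model string from WMI,
named analysis tools, and an all-hex executable name. Inputs are supplied
explicitly (constructed sample values) so the script runs offline."""
import re
from dataclasses import dataclass

MIN_PROCESSES = 50                       # report: check fails if not more than 50 processes
VM_MODEL_MARKERS = ("vmware", "virtualbox", "microsoft")  # compared against the WMI system model
ANALYSIS_TOOLS = ("wireshark", "procmon", "ida")          # tools named in the report (prefix match)
HEX_NAME = re.compile(r"[0-9a-f]+", re.IGNORECASE)


@dataclass
class HostProfile:
    processes: list[str]    # names of running processes, e.g. "explorer.exe"
    system_model: str       # Win32_ComputerSystem.Model as WMI would report it
    exe_name: str           # file name the sample was launched as


def hex_named(exe_name: str) -> bool:
    """True when the basename without extension is hex digits only, as when an
    automated sandbox renames a sample to its hash."""
    stem = exe_name.rsplit(".", 1)[0]
    return bool(stem) and HEX_NAME.fullmatch(stem) is not None


def tripped_checks(host: HostProfile) -> list[str]:
    """Return the names of the checks that would expose this host as an analysis box."""
    hits = []
    if len(host.processes) <= MIN_PROCESSES:
        hits.append("process_count")
    if any(marker in host.system_model.lower() for marker in VM_MODEL_MARKERS):
        hits.append("vm_model")
    stems = {p.lower().rsplit(".", 1)[0] for p in host.processes}
    if any(stem.startswith(tool) for stem in stems for tool in ANALYSIS_TOOLS):
        hits.append("analysis_tool")
    if hex_named(host.exe_name):
        hits.append("hex_filename")
    return hits


if __name__ == "__main__":
    # Constructed sandbox profile: few processes, VirtualBox model, Wireshark running,
    # sample renamed to a hex string. Every check fires.
    sandbox = HostProfile([f"svc{i}.exe" for i in range(30)] + ["Wireshark.exe"],
                          "VirtualBox", "3fa8c1d0e9b2.exe")
    print(tripped_checks(sandbox))
```

An empty list from `tripped_checks` means the host passes all four conditions described in the report; each named entry is a property to adjust before re-detonating.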
Stolen data is exfiltrated via multiple channels:
- SMTP: “DarkCloud sends stolen cookies and other data in JSON format as multipart/mixed messages… recently updated to support SMTP over SSL.”
- Telegram: Using stolen bot tokens to exfiltrate credentials and files.
- FTP: Uploading browser cookies and files over plain FTP.
- Web Panel: To PHP-based control panels used by operators.
eSentire captured PCAPs showing exfiltration to attacker-controlled mail servers and Telegram endpoints.
Currently, DarkCloud is marketed via darkcloud.onlinewebshop[.]net and through a Telegram handle, @BluCoder. While advertised as a “password recovery tool,” the site lists malicious features including keystroke harvesting, clipboard theft, and crypto clipping.
DarkCloud represents the steady professionalization of infostealer malware. By combining new VB6 obfuscation, multi-channel exfiltration, and anti-analysis techniques, it continues to evolve as a persistent threat. With active phishing campaigns underway, defenders must tighten email security, endpoint detection, and monitoring of outbound SMTP/Telegram traffic to detect compromises early.