Unit 42 researchers have uncovered a significant shift in the distribution tactics of the DarkCloud Stealer malware, revealing new delivery methods and advanced obfuscation techniques designed to hinder analysis and evade detection. First spotted in early April 2025, these enhancements mark a calculated escalation in the malware’s evasion strategy.
“The shift in delivery methods observed in April 2025 indicates an evolving evasion strategy. This highlights the need for security professionals to adopt proactive, behavior-based approaches to threat detection and mitigation,” Unit 42 warns.
The latest DarkCloud campaigns employ three slightly different attack chains, all leading to the same final payload. Each campaign begins with a phishing email carrying a compressed archive — TAR, RAR, or 7Z.
- TAR/RAR archives contain an obfuscated JavaScript (JS) file.
- 7Z archives deliver a Windows Script File (WSF).
Regardless of format, every stage in these chains is heavily obfuscated or protected, making analysis a challenge.

In JS-based attacks, the malicious script — obfuscated with javascript-obfuscator — uses ActiveXObject calls to download and run a PowerShell (PS1) script from an open directory server. This PS1 script is double-encrypted with Base64 and AES, ultimately dropping a ConfuserEx-protected executable containing the DarkCloud payload.
The ConfuserEx obfuscator, a popular .NET protection tool, plays a central role in the malware’s defense mechanisms. The report notes multiple layers of obfuscation, including:
- Anti-tampering method encryption
- Control flow flattening
- Proxy call method obfuscation
- Symbol renaming and constant encoding
Through careful deobfuscation, Unit 42 analysts uncovered the final payload — a Visual Basic 6 (VB6) executable encrypted with Triple DES and injected via a process hollowing technique into RegAsm.exe, a legitimate .NET Framework utility.
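As an added example (not Unit 42's code and not taken from the report), the following correlation flags the process lineage described above: a script host running the JS stage, which launches PowerShell, which in turn launches RegAsm.exe as a hollowing target. The event tuples are constructed sample telemetry, and the heuristic that a RegAsm.exe launched from PowerShell with no assembly argument is suspicious is an assumption, since a legitimate RegAsm invocation normally names the assembly to register.

```python
"""Flag the JS host -> PowerShell -> RegAsm.exe chain over constructed
process-creation events. Event layout and values are constructed for this
example; the bare-RegAsm heuristic is an assumption, not report content."""
import shlex

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts for the JS/WSF stage
SHELLS = {"powershell.exe", "pwsh.exe"}          # PS1 stage
HOLLOW_TARGET = "regasm.exe"                     # hollowed .NET utility

# Constructed sample telemetry: (pid, ppid, image name, command line).
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\invoice.js"'),
    (300, 200, "powershell.exe",
     r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\x.ps1"),
    (400, 300, "RegAsm.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    (500, 100, "powershell.exe", "powershell.exe"),
    # Benign-looking registration: RegAsm given an assembly path, so no alert.
    (600, 500, "RegAsm.exe", "RegAsm.exe /codebase MyLib.dll"),
]


def build_index(events):
    """Map pid -> (ppid, lower-cased image name, command line)."""
    return {pid: (ppid, image.lower(), cmd) for pid, ppid, image, cmd in events}


def ancestry(index, pid, depth=5):
    """Image names from pid upward, nearest first, at most `depth` entries."""
    chain = []
    while pid in index and depth > 0:
        ppid, image, _ = index[pid]
        chain.append(image)
        pid, depth = ppid, depth - 1
    return chain


def regasm_without_assembly(cmd):
    """Assumption: a bare RegAsm launch (no assembly argument) fits a hollowing target."""
    return len(shlex.split(cmd, posix=False)) == 1


def detect_chain(events):
    """Return (pid, confidence, lineage) for RegAsm launched bare from PowerShell;
    confidence is 'high' when a script host sits above PowerShell."""
    index = build_index(events)
    alerts = []
    for pid, (_, image, cmd) in index.items():
        if image != HOLLOW_TARGET:
            continue
        chain = ancestry(index, pid)
        parent = chain[1] if len(chain) > 1 else None
        grandparent = chain[2] if len(chain) > 2 else None
        if parent in SHELLS and regasm_without_assembly(cmd):
            confidence = "high" if grandparent in SCRIPT_HOSTS else "medium"
            alerts.append((pid, confidence, " <- ".join(chain)))
    return alerts
```

Run against the constructed events, only pid 400 is flagged; the RegAsm in pid 600 carries an assembly argument and is left alone.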
The final VB6 payload contains strings encrypted with the RC4 stream cipher, covering:
- Credit card brand names
- Registry paths
- File and directory paths
- Telegram API credentials used for command-and-control (C2) operations
Notably, the payload’s embedded “DARKCLOUD” string confirms its lineage.
DarkCloud Stealer’s evolution demonstrates how cybercriminals combine multi-stage delivery, heavy obfuscation, and legacy coding environments to complicate detection. The use of VB6 — an outdated but still functional language — combined with ConfuserEx’s protections allows the malware to slip past many conventional security tools.