First spotted in 2022 and actively developed ever since, DarkCloud Stealer has reemerged with a sophisticated new variant that leverages AutoIt scripting and multi-stage payloads to evade traditional security solutions. According to Palo Alto Networks’ Unit 42, the malware was observed in new attacks as recently as January 2025, demonstrating its ongoing development and adaptability.
“DarkCloud employs multi-stage payloads and obfuscated AutoIt scripting, making its detection challenging with traditional signature-based methods,” Unit 42 explains.
While the malware first appeared in 2022, Unit 42 researchers traced its resurgence back to early 2025, when spikes in telemetry revealed multiple samples targeting government organizations and telecom providers, particularly in Poland.
“Our telemetry reveals that attackers distributing DarkCloud Stealer have targeted various sectors but have notably focused on government organizations,” the report states.
This time around, attackers aren’t relying on just one method of infection. Instead, they’ve woven a web of phishing emails, malicious PDFs, file-sharing services, and encrypted dropper executables compiled using AutoIt.

The infection begins innocently enough: a phishing email with either a RAR archive or a deceptive PDF claiming an Adobe Flash update is required.
Clicking the fake update triggers a download from a file-sharing site like catbox.moe, delivering a malicious archive containing an AutoIt-compiled executable and two encrypted files—shellcode and an XOR-obfuscated payload.
“The AutoIt script builds and runs the final DarkCloud Stealer payload from the two data files,” Unit 42 notes.
Once unpacked, the script constructs the payload in memory, applies decryption routines, and executes it—all while staying under the radar thanks to heavily obfuscated string decoding routines and delayed execution techniques.
AutoIt, typically a benign scripting language for Windows automation, is now weaponized. The compiled executable includes embedded scripts and uses functions like Call(), StringMid(), and Execute() through dynamically defined global variables.
“At the beginning of the AutoIt script… function pointers are assigned to obscurely named global variables using the Execute() function,” the report details.
Further analysis revealed that the two encrypted data files carry the shellcode and the PE payload respectively; the AutoIt script reconstructs both and runs them directly from memory using VirtualProtect() and CallWindowProc()—classic techniques for executing shellcode without writing it to disk.
Once activated, DarkCloud Stealer goes to work with ruthless efficiency, harvesting data while guarding itself against analysis:
- Browser credentials and credit card info (Chrome, Firefox, etc.)
- Email client data from popular applications
- Screenshots and system metadata
- FTP client credentials
- Anti-analysis techniques that scan for tools like Wireshark, Process Monitor, and VMware
“DarkCloud incorporates numerous anti-analysis techniques, including checks for analysis tools such as WinDbg, Fiddler, TCPView, and Process Explorer,” the report explains.
It even pulls the victim’s public IP address from sites like showip.net and establishes persistence using the Windows Registry (HKCU\…\RunOnce).
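The chain described above (download from a file-sharing site such as catbox.moe, a RunOnce persistence entry, then a public-IP lookup against showip.net) can be hunted for by correlating endpoint telemetry per host. The following Python is an added example, not code from Unit 42 or the article; it runs over constructed, simplified Sysmon-style event lines (file paths and SIDs are placeholders) and only alerts when at least two stages of the chain appear on the same host, since a lone RunOnce write or IP lookup is common in benign activity.

```python
import re
from collections import defaultdict

# Constructed, simplified Sysmon-like events (not real telemetry):
# "<timestamp> <host> <event_id> key=value ...". Sysmon ID 22 = DNS query,
# ID 13 = registry value set. Paths and SIDs are placeholders.
SAMPLE_EVENTS = [
    "2025-01-14T09:01:02Z WS01 22 image=C:\\Users\\a\\Downloads\\update.exe query=files.catbox.moe",
    "2025-01-14T09:01:09Z WS01 13 image=C:\\Users\\a\\AppData\\Roaming\\svc.exe "
    "target=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\svc",
    "2025-01-14T09:01:15Z WS01 22 image=C:\\Users\\a\\AppData\\Roaming\\svc.exe query=showip.net",
    "2025-01-14T10:20:00Z WS02 22 image=C:\\Program Files\\Firefox\\firefox.exe query=showip.net",
    "2025-01-14T11:00:00Z WS03 13 image=C:\\Windows\\explorer.exe "
    "target=HKU\\S-1-5-21-3\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\x",
]

# HKCU shows up as HKU\<SID> in Sysmon registry events, so accept both forms.
RUNONCE_RE = re.compile(
    r"(HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", re.I)

# Stages of the reported chain: (name, Sysmon event id, predicate on the event fields).
STAGES = (
    ("download",  "22", lambda f: f.get("query", "").endswith("catbox.moe")),
    ("persist",   "13", lambda f: bool(RUNONCE_RE.search(f.get("target", "")))),
    ("ip_lookup", "22", lambda f: f.get("query", "") == "showip.net"),
)

def parse_event(line):
    """Split one event line into (timestamp, host, event_id, fields dict)."""
    ts, host, event_id, rest = line.split(" ", 3)
    # Split on spaces that start a new key=value pair, so paths with spaces survive.
    fields = dict(kv.split("=", 1) for kv in re.split(r" (?=\w+=)", rest))
    return ts, host, event_id, fields

def hunt(lines):
    """Return {host: [stage names in the order seen]} for hosts where at
    least two stages of the chain occurred; single stages are ignored."""
    seen = defaultdict(list)
    for line in sorted(lines):  # ISO-8601 timestamps sort chronologically
        _ts, host, event_id, fields = parse_event(line)
        for name, wanted_id, match in STAGES:
            if event_id == wanted_id and match(fields) and name not in seen[host]:
                seen[host].append(name)
    return {host: stages for host, stages in seen.items() if len(stages) >= 2}

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")  # WS01: download -> persist -> ip_lookup
```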
“Attackers often modify their techniques for delivering malware, making detection and prevention more difficult,” the report concludes.