CyberProof’s MDR analysts and Threat Hunters observed a sharp increase in DarkCloud Stealer infections, with campaigns primarily targeting financial organizations through phishing emails carrying malicious RAR attachments. The findings reveal a sophisticated kill chain involving image-based loaders, process injection, and persistence mechanisms designed to harvest sensitive credentials.
CyberProof’s researchers explain, “DarkCloud stealers [were] targeting financial companies in August 2025, through phishing emails with malicious RAR attachments. The observed samples were programmed to target Windows users and programmed to steal login credentials from email clients, FTP clients and data from browsers.”
The initial access vector was a phishing email containing an attachment named Proof of Payment.rar, which, once opened, launched a malicious VBE script. CyberProof notes, “Reviewing the timeline, it was confirmed that the user downloaded the attachment named ‘Proof of Payment.rar’ and launched the inner VBE file using wscript.exe.”
The script decoded base64-encoded content, which in turn downloaded a JPG file (universe-1733359315202-8750.jpg). Hidden within the image was the DarkCloud Loader, a .NET DLL that was extracted and executed using PowerShell. “The PowerShell script parses through the JPG file to locate the DarkCloud loader .NET DLL file using [Reflection.Assembly]::Load() method and executes through Invoke() method.”
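A defender-side check for the loader-in-image technique described above, written as an added example (it is not CyberProof's code and is not taken from the report): it scans a file that begins like a JPEG for an embedded PE image by validating the DOS header's e_lfanew pointer against a real "PE\0\0" signature, and measures how many bytes trail the JPEG end-of-image marker. The sample JPEG and PE stub are constructed inline for testing.

```python
import re
import struct

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker prefix
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker


def find_embedded_pe(data: bytes):
    """Return offsets of plausible PE images inside `data`.

    A hit is an 'MZ' DOS header whose e_lfanew field (offset 0x3C) points
    to a 'PE\\0\\0' signature within the buffer. Checking the pointer
    avoids flagging random 'MZ' byte pairs in ordinary image data.
    """
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            break
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe_off = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def trailing_bytes_after_eoi(data: bytes) -> int:
    """Bytes appended after the last end-of-image marker (0 for a clean JPEG)."""
    eoi = data.rfind(JPEG_EOI)
    return 0 if eoi < 0 else len(data) - (eoi + len(JPEG_EOI))


def suspicious_image(data: bytes) -> bool:
    """True when data looks like a JPEG but carries a PE image (loader-in-image pattern)."""
    return data.startswith(JPEG_SOI) and bool(find_embedded_pe(data))


def build_pe_stub(size: int = 0x200) -> bytes:
    """Constructed minimal PE-like blob: MZ header, e_lfanew=0x80, PE signature at 0x80."""
    blob = bytearray(size)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x80)
    blob[0x80:0x84] = b"PE\x00\x00"
    return bytes(blob)


# Constructed samples: a tiny JPEG-shaped header plus padding, and the same with a PE appended.
CLEAN_JPG = JPEG_SOI + b"\xe0" + b"\x00" * 64 + JPEG_EOI
STEGO_JPG = CLEAN_JPG + build_pe_stub()
```

Run against real files by reading them in binary mode and passing the bytes to `suspicious_image`; a non-zero `trailing_bytes_after_eoi` on its own is only a weak hint, since some legitimate tools append metadata after the EOI marker.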
Once deployed, the DarkCloud Loader maintained persistence by copying JavaScript files and creating registry run keys. It then downloaded and executed the main stealer payload, which ran in-memory and injected itself into MSBuild.exe for stealth execution.
CyberProof confirmed that “the downloaded file is the main payload code of DarkCloud stealer that runs in memory and injects code into MSBuild.exe.”
This tactic allowed the malware to masquerade as a legitimate Windows process while conducting credential theft. Later, persistence was reinforced with additional masquerading: “DarkCloud also creates another persistence entry… where it creates a new process with a different name… M3hd0pf.exe on every user login.”
Once injected, the DarkCloud Stealer actively sought out credentials and sensitive information from major web browsers like Chrome and Edge, as well as FTP and email clients. CyberProof observed attempts to access stored credentials and session tokens.
Exfiltration was conducted via both FTP and SMTP protocols, as well as connections to suspicious domains generated through a Domain Generation Algorithm (DGA). The report lists several C2 endpoints, including blurjbxy[.]shop, financialsecured[.]xyz, and wizwig[.]biz.
The sophistication of the DarkCloud campaign illustrates how attackers combine phishing, steganography, process hollowing, and persistence mechanisms to evade detection. By embedding loaders within JPG images and injecting into trusted processes, DarkCloud significantly complicates forensic analysis and response.