DarkCloud Malware Intensifies Targeting Government, Finance, and Tech
Unit 42 has observed a surge in activity involving the DarkCloud Stealer malware, which has been active since 2022 and promoted on cybercrime forums since January 2023. Telemetry from January 28 through February 2, 2025 indicates a renewed focus, with 78 unique samples identified during that period. Most of this activity targeted government sectors, which accounted for 46 of the samples. The remaining detections affected technology (12), finance (9), manufacturing (6), and media and entertainment (3). Geographically, the United States and Brazil registered the highest concentration of infections, followed by Peru, the Netherlands, Turkey, and Hungary.
Although DarkCloud infections are numerous, Unit 42 is confident in its observation of the campaign’s delivery, noting that the attack chains "vary slightly" with only minor deviations. Attacks typically begin with a phishing email carrying a PDF lure that prompts the user to download a malicious RAR archive. The archive contains an AutoIt-compiled executable packed with an encrypted shellcode file and an XOR-obfuscated payload. The AutoIt script decompresses, loads, and executes the shellcode in memory using VirtualProtect and CallWindowProc. Once running, the decrypted payload extracts system information, including usernames, hostnames, and browser credentials. DarkCloud also scans directories for SQLite and .db files associated with web and mail clients to harvest login data and saved credit card details. Persistence is maintained by writing to a user-specific RunOnce registry key, commonly used to execute programs when a user logs in.
Beyond credential theft, DarkCloud is equipped with anti-analysis mechanisms such as junk code, fake API calls, and the detection of monitoring tools including TCPView, Process Monitor, and Wireshark. It collects the host’s public IP address using external lookup services to aid in geolocation tracking. For delivery, the malware leverages publicly accessible file-sharing platforms, limiting the attacker’s hosting exposure and complicating attribution. Unit 42 notes that the latest variants reflect ongoing refinement in obfuscation and delivery, pointing to the group’s continued investment in operational resilience.