DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

May 21, 2025, 8:05 p.m.

Description

Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins with a phishing email containing a RAR archive or a PDF that downloads the archive. The archive contains an AutoIt-compiled executable that decrypts and executes the final DarkCloud Stealer payload. The malware steals sensitive data including browser passwords, credit card information, and email client credentials. It employs anti-analysis techniques and achieves persistence through registry modifications. The campaign has targeted various sectors, with a focus on government organizations, particularly in Poland.

Date

  • Created: May 14, 2025, 4:58 p.m.
  • Published: May 14, 2025, 4:58 p.m.
  • Modified: May 21, 2025, 8:05 p.m.

Indicators

  • bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc
  • 9940de30f3930cf0d0e9e9c8769148594240d11242fcd6c9dd9e9f572f68ac01
  • 30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371
  • 1269c968258999930b573682699fe72de72d96401e3beb314ae91baf0e0e49e8

Attack Patterns

Additional Information

  • Telecommunications
  • Government
  • Poland

Linked vulnerabilities