New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer

Aug. 10, 2025, 7:40 p.m.

Description

Unit 42 researchers have observed changes in the distribution and obfuscation techniques of DarkCloud Stealer. The new infection chain, first seen in April 2025, uses ConfuserEx obfuscation and delivers a final payload written in Visual Basic 6. The attack begins with a phishing email carrying an archive file; opening its contents leads to the download and execution of a PowerShell script. That script drops an executable protected by ConfuserEx, which in turn injects the DarkCloud Stealer payload into a legitimate process. The malware employs several anti-analysis techniques, including encrypted and obfuscated strings. Because every re-obfuscated build yields new file hashes, the hash indicators below identify only the analyzed samples; the changes highlight the evolving evasion strategies of these operators and underscore the need for behavior-based detection alongside indicator matching.

Date

  • Created: Aug. 8, 2025, 8 a.m.
  • Published: Aug. 8, 2025, 8 a.m.
  • Modified: Aug. 10, 2025, 7:40 p.m.

Indicators

  • fa598e761201582d41a73d174eb5edad10f709238d99e0bf698da1601c71d1ca
  • f6d9198bd707c49454b83687af926ccb8d13c7e43514f59eac1507467e8fb140
  • ce3a3e46ca65d779d687c7e58fb4a2eb784e5b1b4cebe33dbb2bf37cccb6f194
  • 72d3de12a0aa8ce87a64a70807f0769c332816f27dcf8286b91e6819e2197aa8
  • bd8c0b0503741c17d75ce560a10eeeaa0cdd21dff323d9f1644c62b7b8eb43d9
  • 9588c9a754574246d179c9fb05fea9dc5762c855a3a2a4823b402217f82a71c1
  • 6b8a4c3d4a4a0a3aea50037744c5fec26a38d3fb6a596d006457f1c51bbc75c7
  • 2bd43f839d5f77f22f619395461c1eeaee9234009b475231212b88bd510d00b7
  • 24552408d849799b2cac983d499b1f32c88c10f88319339d0eec00fb01bb19b4
  • 176.65.142.190

Attack Patterns