Unveiling a New Variant of the DarkCloud Campaign

Aug. 10, 2025, 8:41 p.m.

Description

A new DarkCloud campaign was observed in July 2025, targeting Windows users with a sophisticated multi-stage infection chain. The attack begins with a phishing email carrying a RAR archive, which leads to the execution of obfuscated JavaScript and PowerShell code. This code downloads and deploys a fileless .NET DLL, which in turn downloads the DarkCloud payload and injects it into a legitimate Windows process. The DarkCloud variant, written in Visual Basic 6, employs anti-analysis techniques and collects sensitive information from various sources, including web browsers, email clients, and FTP clients. The stolen data is exfiltrated via SMTP. The campaign demonstrates advanced evasion techniques and targets a wide range of user credentials and personal information.

Date

  • Created: Aug. 8, 2025, 2:04 p.m.
  • Published: Aug. 8, 2025, 2:04 p.m.
  • Modified: Aug. 10, 2025, 8:41 p.m.

Indicators

  • 82ba4340be2e07bb74347ade0b7b43f12cf8503a8fa535f154d2e228efbef69c
  • 381aa445e173341f39e464e4f79b89c9ed058631bcbbb2792d9ecbdf9ffe027d

Attack Patterns