Infostealers continue to dominate the initial access landscape in 2026, driving breaches through scalable credential theft.
Among these, DarkCloud has emerged as a major threat, illustrating how low-cost, commercialized malware is reshaping enterprise compromise dynamics worldwide.
Despite being promoted as “surveillance software,” its real function is unmistakable: high-volume credential harvesting across browsers, email clients, file transfer tools, and financial applications.
First observed in 2022 and linked to a developer known as “Darkcloud Coder” (formerly “BluCoder”), DarkCloud is openly marketed on Telegram and a public clearnet storefront.
With subscription tiers starting at just US$30, the malware’s affordability has made it a popular entry-level choice for both new and experienced cybercriminals.
DarkCloud Infostealer
DarkCloud represents a sophisticated example of commodity malware-as-a-service (MaaS). It masquerades as a simple keylogger to appear legitimate, but its true value lies in credentials collection and structured data exfiltration.
This dual identity, publicly “legal” software and privately a weaponized tool, enables broader distribution and operational flexibility.
According to Flashpoint’s research, this commercial positioning reduces the barriers for emerging threat actors by providing them with instant access to scalable, automated credential theft capabilities.
Unusually, DarkCloud is written in Visual Basic 6.0 (VB6) and compiled into a native C/C++ executable.
This legacy language choice is strategic: VB6 applications rely on older Windows components like MSVBVM60.DLL, helping the malware evade modern heuristic detection methods.
In comparative testing, Flashpoint analysts found that identical payloads built in VB6 had significantly lower detection rates on VirusTotal than their C/C++ equivalents.
This demonstrates that using outdated languages can sometimes bypass modern machine learning-based security scans, a calculated advantage for the developer.
DarkCloud employs layered string encryption to hinder reverse engineering. Strings are encrypted using Visual Basic’s pseudo-random generator (Rnd()), combined with a custom seed-generation routine.
This multi-layered approach creates deterministic decryption at runtime while frustrating both static and dynamic analysis.
Rather than relying on advanced cryptography, DarkCloud exploits language quirks to confuse analysts, another example of low-cost, high-ingenuity design in commodity malware.
From BluStealer to DarkCloud
The stealer’s main goal is credential harvesting at scale. It extracts data from major browsers (Chrome, Edge, Firefox, Brave, Opera), email clients (Outlook, Thunderbird, FoxMail, eM Client), file transfer tools (FileZilla, WinSCP, CoreFTP), and even VPN software.
Collected data, including passwords, cookies, credit card details, and contact lists, is stored locally under %APPDATA%\Microsoft\Windows\Templates before exfiltration.
Flashpoint notes that DarkCloud supports multiple exfiltration channels (SMTP, FTP, HTTP, and Telegram), allowing threat actors to adapt to different infrastructures and evade detection.
Researchers have traced code-level similarities between DarkCloud and an older stealer called A310LoggerStealer (also known as BluStealer).
Identical credit card parsing regex patterns and shared developer aliases suggest that DarkCloud is an evolved version of that earlier project, reflecting a pattern of iterative malware refinement rather than sudden innovation.
Despite its price, DarkCloud is far from amateur. Its scalability and flexibility make it a potent tool for threat actors seeking initial access into corporate environments.
With identity now serving as the new perimeter, even a $30 subscription can compromise an entire enterprise network.
Organizations should:
- Treat compressed attachments from email as high-risk vectors.
- Monitor outbound traffic involving SMTP, FTP, or Telegram.
- Regularly rotate credentials and turn off stored browser passwords.
- Strengthen incident response plans for credential-based compromises.
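The second recommendation above, monitoring outbound SMTP, FTP and Telegram traffic from endpoints that have no business using those channels, can be reduced to a simple triage pass over network flow records. The script below is an added example, not code from the article or from Flashpoint; the flow lines, host names, the MAIL-01 allowlist and the five-column record format are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not from the article): host, proto, dst, dport, bytes_out.
SAMPLE_FLOWS = """\
WS-014 tcp 203.0.113.10 587 48211
WS-014 tcp 203.0.113.10 587 51002
WS-027 tcp 198.51.100.5 21 9120
WS-033 tcp api.telegram.org 443 2048
MAIL-01 tcp 203.0.113.10 25 120000
WS-041 tcp 198.51.100.77 443 4200
"""

# Ports and destinations matching the exfiltration channels the article lists: SMTP, FTP, HTTP(S) to Telegram.
SMTP_PORTS = {25, 465, 587}
FTP_PORTS = {21}
TELEGRAM_API = re.compile(r"(^|\.)telegram\.org$", re.IGNORECASE)

# Hosts expected to speak SMTP/FTP directly (assumed allowlist for this example, e.g. a mail relay).
ALLOWED_DIRECT = {"MAIL-01"}

def classify_flow(host, proto, dst, dport):
    """Return the suspicious channel name ('smtp', 'ftp', 'telegram'), or None if the flow looks benign."""
    if host in ALLOWED_DIRECT:
        return None
    if proto == "tcp" and dport in SMTP_PORTS:
        return "smtp"
    if proto == "tcp" and dport in FTP_PORTS:
        return "ftp"
    if TELEGRAM_API.search(dst):
        return "telegram"
    return None

def find_exfil_candidates(text):
    """Parse flow lines and return {host: {channel: total_bytes_out}} for every flagged endpoint."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or truncated records
        host, proto, dst, dport, nbytes = parts
        channel = classify_flow(host, proto, dst, int(dport))
        if channel:
            findings[host][channel] += int(nbytes)
    return {h: dict(c) for h, c in findings.items()}

if __name__ == "__main__":
    for host, channels in find_exfil_candidates(SAMPLE_FLOWS).items():
        print(host, channels)
```

Aggregating bytes per host and channel makes repeated small SMTP sessions from one workstation stand out as a single volume figure rather than individual low-value alerts.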
DarkCloud reinforces a critical lesson for 2026’s defenders: malware sophistication is no longer measured by cost, but by reach. Cheap, scalable infostealers like DarkCloud are quietly redefining the economics of enterprise intrusion.