DarkCloud Infostealer Relaunched to Grab Credentials, Crypto and Contacts


Recent research from eSentire’s Threat Response Unit (TRU) has revealed the sudden rise of a dangerous information-stealing malware (infostealer) known as DarkCloud, which cybercriminals are using to grab private data.

TRU researchers discovered the latest version of DarkCloud Infostealer, version 4.2, during an attempted attack in September 2025 against one of their customers in the manufacturing industry.

DarkCloud is not new, but it has been completely rewritten in Visual Basic 6 (VB6). It used to be sold on the Russian cybercrime forum XSS.is, which was shut down by law enforcement in July 2025.

As Hackread.com reported at the time, the site was seized on July 23, 2025, after authorities arrested a suspected administrator in Ukraine. However, by July 24, the XSS forum was confirmed to be back online using its mirror and .onion domains.

Today, the malware is sold on its own website, darkcloud(.)onlinewebshop(.)net, and is also offered through the messaging app Telegram by a user known as @BluCoder.

DarkCloud website (Source: eSentire)

Phishing Lure

eSentire TRU explained that the attack began with a phishing email that looked like it was about financial information and had a malicious compressed file attached. The email was sent by “procure@bmuxitq(.)shop” and was themed with the subject “Swift Message MT103 Addiko Bank ad: FT2521935SVT.” The malicious compressed file attached was named “Swift Message MT103 FT2521935SVT.zip.”

Malicious email (Source: eSentire)

This shows that “phishing emails continue to remain a key vector for malware distribution,” researchers noted in the blog post shared with Hackread.com; these fake emails are still one of the main ways this software gets onto a system. Researchers caught the spam emails and stopped the DarkCloud Infostealer delivery to their client in September 2025.

What Does DarkCloud Infostealer Steal?

This malware is designed to steal many kinds of sensitive information: browser passwords, credit card numbers, website cookies, FTP login credentials, keystrokes, and even clipboard contents.

It also targets files such as documents and spreadsheets (with extensions like .txt, .pdf, .doc, and .xls) and cryptocurrency wallets, and extracts contact information from email clients including Thunderbird, MailMaster, and eM Client. All of this stolen data is then exfiltrated to the criminals over channels such as Telegram, FTP, email, or a web panel driven by PHP scripts.

Fight DarkCloud Infostealer

eSentire TRU has not only analysed the threat but also released two tools to help other security researchers: one extracts the malware’s configuration, and the other is a Python-based script that decodes its obfuscated strings. To protect against threats like this, the researchers recommend email protection that blocks suspicious attachments such as compressed archives containing executable files.
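To illustrate that last recommendation, here is a small attachment check added as an example; it is not part of eSentire’s released tooling or of the original article. It opens a ZIP attachment in memory and flags executable members, double extensions (a document extension placed in front of an executable one), password-protected members that cannot be inspected, and executables hidden in nested archives. The sample archive, its member names and the extension lists are constructed for the example and do not come from the analysed campaign.

```python
"""Flag e-mail attachments that are archives containing executables (added example)."""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows executes directly when a user opens the file.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".msi", ".dll", ".lnk",
}
# Document/image extensions commonly used as a decoy in front of the real one.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Nested archives are inspected recursively up to this depth.
MAX_DEPTH = 3


def inspect_archive(data: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return human-readable findings for a ZIP given as raw bytes (empty list = clean)."""
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix or '<attachment>'}: not a valid ZIP archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            # Bit 0 of the general-purpose flags marks an encrypted member.
            if info.flag_bits & 0x1:
                findings.append(f"{path}: password-protected member, contents not inspectable")
                continue
            if last in EXECUTABLE_EXTENSIONS:
                findings.append(f"{path}: executable ({last}) inside archive")
                if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTENSIONS:
                    findings.append(f"{path}: double extension masquerading as {suffixes[-2]}")
            elif last == ".zip" and depth < MAX_DEPTH:
                findings.extend(inspect_archive(zf.read(info), depth + 1, path + "/"))
    return findings


def should_block(data: bytes) -> bool:
    """Policy decision: block the attachment if any finding was produced."""
    return bool(inspect_archive(data))


def _zip_of(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed sample: a decoy-named executable next to a harmless text file."""
    return _zip_of({
        "invoice.pdf.exe": b"MZ" + b"\x00" * 64,  # constructed stand-in, not a real binary
        "readme.txt": b"harmless text",
    })


def build_nested_sample() -> bytes:
    """Constructed sample: the executable is one archive level deeper."""
    return _zip_of({"inner.zip": _zip_of({"update.scr": b"MZ" + b"\x00" * 64})})


def build_benign_attachment() -> bytes:
    """Constructed sample with only document members; should pass."""
    return _zip_of({"report.pdf": b"%PDF-1.4 (constructed)", "notes.txt": b"plain text"})


if __name__ == "__main__":
    for label, data in [("sample", build_sample_attachment()),
                        ("nested", build_nested_sample()),
                        ("benign", build_benign_attachment())]:
        print(label, "BLOCK" if should_block(data) else "allow", inspect_archive(data))
```

The check deliberately treats an encrypted member as a finding rather than a pass: a scanner that cannot look inside an archive has no basis to allow it, and password-protected attachments are a common way to keep a payload away from mail filters. In a real gateway the same function would be called on each decoded MIME part whose content type or magic bytes indicate a ZIP.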

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.