DarkCloud Stealer Uses Novel Infection Chain and ConfuserEx Obfuscation Techniques
Unit 42 researchers have identified a significant evolution in the distribution tactics of DarkCloud Stealer, an infostealer that was first observed shifting its delivery mechanisms in early April 2025.
This update introduces a novel infection chain that incorporates advanced obfuscation via ConfuserEx, culminating in a Visual Basic 6 (VB6) payload designed to thwart static and dynamic analysis.
Obfuscation Strategies
Previously documented attacks relied on AutoIt scripting for evasion, but the latest variants employ multi-layered encryption and protection schemes across three distinct chains, each initiated by phishing emails containing TAR, RAR, or 7Z archives.
These archives deliver obfuscated JavaScript (JS) or Windows Script Files (WSF), which in turn fetch PowerShell (PS1) scripts from open directory servers.
The PS1 scripts, which are Base64-encoded and AES-encrypted, drop and execute ConfuserEx-protected executables that embed the final DarkCloud payload.
This chain’s complexity, including the use of javascript-obfuscator for the JS files and custom AES decryption in the PS1 scripts, underscores the threat actors’ focus on complicating reverse engineering while maintaining broad compatibility with Windows environments.
Technical Breakdown of ConfuserEx
Delving into the malware’s structure, the ConfuserEx-protected .NET executable features anti-tampering through runtime method body decryption in the module constructor, symbol renaming to non-ASCII identifiers, control flow obfuscation with opaque predicates, proxy call methods for hiding direct invocations, and constant encoding.
According to the report, researchers defeated these protections using tools such as AntiTamperKiller to remove invalid instructions, de4dot-cex for symbol restoration and control-flow unflattening, and proxy call removers to simplify the logic, revealing standard .NET methods such as Convert.FromBase64String.
The decrypted payload is stored in Triple DES (3DES) encrypted form within a Length-Value formatted byte array, which is initialized via XOR and bitwise operations on a large unsigned integer array. It is then injected via process hollowing into a suspended instance of the legitimate RegAsm.exe process.
This RunPE technique allows the VB6-based DarkCloud executable to execute stealthily, with embedded strings like “DARKCLOUD” confirming its identity.
Critical strings, including regular expressions, registry paths, file extensions, and Telegram API credentials for command-and-control (C2), are further encrypted using RC4 with unique keys per ciphertext, enhancing anti-analysis resilience.
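The per-string RC4 scheme described above is the part of the payload an analyst spends the most time on, because every ciphertext has to be paired with its own key before anything readable appears. The following is an added example written for this page, not code from the Unit 42 report or from DarkCloud: it implements standard RC4, decrypts a table of (key, ciphertext) pairs, treats non-printable output as the sign of a wrong key, and buckets recovered strings into the categories the report names. The table, the keys and the plaintexts are constructed here (encrypted with the same routine); no values were taken from the binary, and the Telegram URL uses a placeholder token.

```python
"""RC4 string-table recovery for static analysis of an RC4-protected payload.

Added example, not code from the Unit 42 report or from the malware. The
report states that the VB6 payload's sensitive strings (regular expressions,
registry paths, file extension lists, Telegram C2 details) are RC4-encrypted
with a unique key per ciphertext. This models that as a table of
(key, ciphertext) pairs, decrypts each one, checks that the result decodes to
printable text (a wrong key yields garbage), and sorts it into the categories
the report names. SAMPLE_TABLE is constructed here with the same RC4 routine;
no keys or ciphertexts were extracted from the binary.
"""
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Apply the RC4 keystream to data; encryption and decryption are the same op."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute the 256-byte state with the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: one keystream byte per data byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def categorize(text: str) -> str:
    """Bucket a recovered string into the categories the report lists."""
    if "api.telegram.org" in text:
        return "telegram_c2"
    if text.upper().startswith(("HKEY_", "HKCU", "HKLM", "SOFTWARE\\")):
        return "registry_path"
    if re.fullmatch(r"(\.\w+)(,\.\w+)*", text):
        return "file_extensions"
    if any(c in text for c in "[]()|+*?^$"):
        return "regex"
    return "other"


def decrypt_table(table):
    """Decrypt (key, ciphertext) pairs; non-printable output marks a bad key."""
    results = []
    for key, ciphertext in table:
        raw = rc4(key, ciphertext)
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            text = None
        ok = text is not None and text.isprintable()
        results.append({
            "key": key,
            "plaintext": text if ok else None,
            "category": categorize(text) if ok else "undecodable",
        })
    return results


# Constructed stand-in for the binary's string table. Each entry gets its own
# key, as the report describes; the plaintexts are illustrative, not extracted.
SAMPLE_PLAINTEXTS = [
    "DARKCLOUD",
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    "https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage",
    ".txt,.doc,.docx,.xls,.pdf",
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
]
SAMPLE_TABLE = [
    (f"key-{n:02d}".encode(), rc4(f"key-{n:02d}".encode(), text.encode()))
    for n, text in enumerate(SAMPLE_PLAINTEXTS)
]
# One entry under the wrong key, to show how a bad key is reported.
BAD_KEY_TABLE = [(b"wrong-key", SAMPLE_TABLE[0][1])]


if __name__ == "__main__":
    for entry in decrypt_table(SAMPLE_TABLE + BAD_KEY_TABLE):
        print(f"{entry['key'].decode():<10} {entry['category']:<16} {entry['plaintext']!r}")
```

In a real analysis the (key, ciphertext) pairs come from wherever the binary keeps them (the report does not give the layout, so the table here is a stand-in), and the printable-ASCII check is only a heuristic: a wrong key can occasionally produce printable bytes, so treat "undecodable" as a strong signal and a printable result as something to read, not as proof.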
The malware’s use of ActiveX objects for downloads and executions, combined with random file naming in temporary directories, facilitates persistence and data exfiltration to Telegram bots.
This adaptation in DarkCloud’s tactics highlights an ongoing arms race in cyber threats, where obfuscation layers like ConfuserEx and VB6 integration aim to bypass traditional signature-based detections, emphasizing the need for behavior-based analytics.
Security teams should prioritize monitoring for anomalous process injections, encrypted script executions, and connections to known malicious IPs.
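The monitoring advice above, together with the infection chain described earlier (archive, obfuscated JS/WSF, PowerShell fetching a PS1, a dropped ConfuserEx-protected .NET EXE, and finally RegAsm.exe hollowed via RunPE), maps directly onto a process tree. The following is an added example written for this page, not code from the Unit 42 report or from Palo Alto Networks: it walks process-creation events, and for every RegAsm.exe launch reports which stages of the chain are visible in its ancestry. The event tuples, host names, PIDs and file names are constructed sample telemetry; the encoded PowerShell argument is a dummy string, not a real command.

```python
"""Hunting the DarkCloud delivery chain in process-creation telemetry.

Added example for this page; it is not code from the Unit 42 report. It maps
the chain the report describes (archive -> obfuscated JS/WSF -> PowerShell
fetching a PS1 -> dropped ConfuserEx-protected .NET EXE -> hollowed
RegAsm.exe) onto a process tree and flags every RegAsm.exe whose ancestry
shows those stages. The event tuples and host names are constructed sample
telemetry, not data from the report.
"""
import re
from collections import defaultdict

# Stage matchers on image path / command line (case-insensitive, as Windows paths are).
REGASM = re.compile(r"\\regasm\.exe$", re.I)
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
POWERSHELL = re.compile(r"\\powershell\.exe$", re.I)
PS_SUSPICIOUS = re.compile(
    r"(-e(nc(odedcommand)?)?\s|frombase64string|downloadstring|invoke-webrequest|\biwr\b)", re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
SCRIPT_FILE = re.compile(r"\.(js|wsf)\b", re.I)

# Stages that must both be present before a RegAsm.exe launch is reported;
# RegAsm.exe on its own has plenty of legitimate uses.
REQUIRED = {"loader_in_user_temp", "encoded_or_downloading_powershell"}

# Constructed sample telemetry: (host, pid, ppid, image path, command line).
# WS01 reproduces the reported chain; DEV02 is a benign RegAsm.exe use.
EVENTS = [
    ("WS01", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ("WS01", 200, 100, r"C:\Program Files\7-Zip\7zFM.exe", "7zFM.exe invoice.7z"),
    ("WS01", 300, 200, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\bob\AppData\Local\Temp\7zO1\invoice.js"'),
    ("WS01", 400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc AAAA"),  # dummy argument, not a real encoded command
    ("WS01", 500, 400, r"C:\Users\bob\AppData\Local\Temp\xk3j9.exe", "xk3j9.exe"),
    ("WS01", 600, 500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe"),
    ("DEV02", 700, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ("DEV02", 800, 700, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "RegAsm.exe MyLib.dll /codebase"),
]


def ancestors(procs, pid):
    """Yield the process record for pid, then each ancestor until the tree runs out."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]


def classify_chain(chain):
    """Return the chain stages visible in a RegAsm.exe ancestry.

    chain[0] is the RegAsm.exe process, chain[1] its parent, and so on up.
    """
    stages = set()
    if len(chain) > 1 and USER_TEMP.search(chain[1]["image"]):
        stages.add("loader_in_user_temp")  # the dropped .NET EXE that hollows RegAsm.exe
    for proc in chain[1:]:
        if POWERSHELL.search(proc["image"]) and PS_SUSPICIOUS.search(proc["cmd"]):
            stages.add("encoded_or_downloading_powershell")
        if SCRIPT_HOST.search(proc["image"]) and SCRIPT_FILE.search(proc["cmd"]):
            stages.add("js_or_wsf_script_host")
    return stages


def find_darkcloud_chains(events):
    """Return one finding per RegAsm.exe launch whose ancestry contains REQUIRED."""
    by_host = defaultdict(dict)
    for host, pid, ppid, image, cmd in events:
        by_host[host][pid] = {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}
    findings = []
    for host, procs in by_host.items():
        for proc in procs.values():
            if not REGASM.search(proc["image"]):
                continue
            chain = list(ancestors(procs, proc["pid"]))
            stages = classify_chain(chain)
            if REQUIRED <= stages:
                findings.append({
                    "host": host,
                    "regasm_pid": proc["pid"],
                    "stages": sorted(stages),
                    "tree": " -> ".join(p["image"].rsplit("\\", 1)[-1] for p in reversed(chain)),
                })
    return findings


if __name__ == "__main__":
    for f in find_darkcloud_chains(EVENTS):
        print(f"{f['host']}: RegAsm.exe pid {f['regasm_pid']} via {f['tree']}  stages={f['stages']}")
```

In practice the event tuples would be fed from Sysmon process-creation events or an EDR's process table, and the `REQUIRED` set is the false-positive control: a developer registering an assembly (DEV02 above) is not reported because its RegAsm.exe is not launched from a user temp directory by a process descended from a suspicious PowerShell. Network indicators from the report (the distribution IP and the Telegram API endpoint) are a natural second signal to join against the flagged RegAsm.exe PID.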
Palo Alto Networks products, including Advanced WildFire for machine-learning-driven analysis, Advanced URL Filtering and DNS Security for blocking associated domains, and Cortex XDR/XSIAM for preventing unknown malware via behavioral threat protection, offer robust defenses.
In cases of suspected compromise, immediate engagement with incident response teams is advised to mitigate risks from this evolving infostealer.
Indicators of Compromise
| Indicator | Value (SHA256 hash or URL) |
|---|---|
| RAR archive | bd8c0b0503741c17d75ce560a10eeeaa0cdd21dff323d9f1644c62b7b8eb43d9 |
| TAR archive | 9588c9a754574246d179c9fb05fea9dc5762c855a3a2a4823b402217f82a71c1 |
| JS file | 6b8a4c3d4a4a0a3aea50037744c5fec26a38d3fb6a596d006457f1c51bbc75c7 |
| PS1 file | f6d9198bd707c49454b83687af926ccb8d13c7e43514f59eac1507467e8fb140 |
| WSF file | 72d3de12a0aa8ce87a64a70807f0769c332816f27dcf8286b91e6819e2197aa8 |
| 7Z archive | fa598e761201582d41a73d174eb5edad10f709238d99e0bf698da1601c71d1ca |
| 7Z archive | 2bd43f839d5f77f22f619395461c1eeaee9234009b475231212b88bd510d00b7 |
| Initial ConfuserEx .NET EXE file | 24552408d849799b2cac983d499b1f32c88c10f88319339d0eec00fb01bb19b4 |
| Final DarkCloud VB6 EXE file | ce3a3e46ca65d779d687c7e58fb4a2eb784e5b1b4cebe33dbb2bf37cccb6f194 |
| Malware distribution URL | hxxp://176.65.142.190 |
| C2 URL | hxxps://api.telegram.org/bot7684022823:AAFw0jHSu-b4qs6N7yC88nUOR8ovPrCdIrs/sendMessage?chat_id=6542615755 |