New Spear-Phishing Attack Deploys DarkCloud Malware to Steal Keystrokes and Credentials


Adversaries don’t work 9–5 and neither do we. At eSentire, our 24/7 SOCs are staffed with elite threat hunters and cyber analysts who hunt, investigate, contain and respond to threats within minutes.

Backed by threat intelligence, tactical threat response and advanced threat analytics from our Threat Response Unit (TRU), eSentire delivers rapid detection and disruption against today’s most dangerous attacks.

In this TRU Positive, we outline our investigation of a new spear-phishing campaign that attempted to deliver the DarkCloud infostealer to a manufacturing customer—and reveal our recommendations for defending against this evolving threat.

In September 2025, eSentire’s TRU detected a targeted spear-phishing campaign aimed at a mid-sized manufacturer’s Zendesk support inbox.

The attackers used a banking-themed lure—“Swift Message MT103 Addiko Bank ad: FT2521935SVT”—and sent a malicious zip attachment, “Swift Message MT103 FT2521935SVT.zip,” containing DarkCloud version 3.2 (“Swift Message MT103 FT2521935SVT.exe”).

Phishing lure.

Formerly sold on the now-defunct XSS.is forum and rebuilt from .NET into VB6, DarkCloud has evolved with string encryption, sandbox evasion checks and an updated stub.

Once executed, it harvests browser passwords, credit cards, cookies, keystrokes, FTP credentials, clipboard contents, email contacts, files and cryptocurrency wallets, exfiltrating stolen data via Telegram, FTP, SMTP or PHP web panels.

DarkCloud website “PASSWORD RECOVERY”.

The lure email, sent from procure@bmuxitq[.]shop, mimicked legitimate financial correspondence to evade detection.

By attaching a packed DarkCloud sample under the guise of a transaction update, the attackers sought to trick analysts into enabling the malware.

DarkCloud is actively marketed through darkcloud.onlinewebshop[.]net and Telegram user @BluCoder, with a façade of legitimate software features: password recovery, keystroke harvesting, crypto-clipping, file grabbing and more.

Technical Analysis

DarkCloud’s builder requires the VB6 IDE to compile locally, mirroring past mistakes by Redline Stealer.

This approach exposes the author’s source code and facilitates unauthorized forks. The latest DarkCloud 4.2 supports optional string encryption via a VB6-specific Caesar cipher seeded by the Randomize/Rnd functions.

Encrypted string/key string.

By reverse-engineering msvbvm60.dll’s rtcRandomize and rtcRandomNext implementations, analysts can decrypt obfuscated strings to reveal exfiltration credentials and command-and-control endpoints.
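To illustrate that approach, here is an added Python re-implementation (not eSentire's analysis code and not DarkCloud's own) of the 24-bit LCG behind VB6's Rnd and the Randomize seeding step, applied to a hypothetical per-byte Caesar scheme. DarkCloud's actual key derivation and shift width are not given on this page, so `_seed_from_key` and the `Int(Rnd * 256)` shift are assumptions; the Randomize mixing step follows the publicly documented rtcRandomize behaviour.

```python
import struct

# 24-bit LCG behind VB6 Rnd (msvbvm60.dll rtcRandomNext): state = state*MUL + INC mod 2^24.
_MUL, _INC, _MASK = 0x43FD43FD, 0xC39EC3, 0xFFFFFF
_DEFAULT_STATE = 0x50000  # state of a fresh VB6 process; first Rnd() is 0.7055475


class Vb6Rng:
    """Replays VB6's Randomize/Rnd so a Rnd-driven cipher can be re-run outside VB6.
    Only Rnd() with no argument is modelled (the Rnd(n) variants are out of scope)."""

    def __init__(self) -> None:
        self.state = _DEFAULT_STATE

    def randomize(self, seed: float) -> None:
        # rtcRandomize: take the IEEE-754 single of the seed, XOR its upper and
        # lower 16 bits, and splice the result into bits 8..23 of the state.
        bits = struct.unpack("<I", struct.pack("<f", seed))[0]
        mixed = ((bits >> 16) ^ (bits & 0xFFFF)) & 0xFFFF
        self.state = (self.state & 0xFF0000FF) | (mixed << 8)

    def rnd(self) -> float:
        self.state = (self.state * _MUL + _INC) & _MASK
        return self.state / 16777216.0  # VB6 returns this as a Single in [0, 1)


def _seed_from_key(key: str) -> int:
    # Assumed key derivation (not taken from the sample): sum of the key's char codes.
    return sum(ord(c) for c in key)


def caesar_rnd(data: bytes, key: str, decrypt: bool) -> bytes:
    """Per-byte Caesar shift with shift_i = Int(Rnd * 256) after Randomize(key).
    The same routine encrypts and decrypts; only the direction of the shift changes."""
    rng = Vb6Rng()
    rng.randomize(_seed_from_key(key))
    out = bytearray()
    for b in data:
        shift = int(rng.rnd() * 256)
        out.append((b - shift if decrypt else b + shift) & 0xFF)
    return bytes(out)


if __name__ == "__main__":
    # Constructed plaintext standing in for a recovered exfiltration endpoint string.
    secret = b"https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendDocument"
    blob = caesar_rnd(secret, "k3y", decrypt=False)
    print(blob.hex())
    print(caesar_rnd(blob, "k3y", decrypt=True))
```

Once the real key derivation and shift width are recovered from the stub, only `_seed_from_key` and the `256` multiplier need to change; the generator itself stays as written.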

Additional functionality includes WMI-based system profiling (Win32_Processor, Win32_OperatingSystem, disk size, memory, processor count), VBScript-powered credit-card regex parsing, email contact harvesting for Thunderbird and other clients, sandbox and VM detection via process name checks, disk/memory thresholds and file existence queries.

System information collection.

Persistence is achieved through randomized RunOnce registry entries. DarkCloud’s file grabber targets documents, spreadsheets, PDFs and more, while crypto-wallet theft spans major wallet directories (Exodus, Electrum, Coinomi, MetaMask, etc.).

To thwart researchers, DarkCloud halts execution if fewer than 50 processes are running or if blacklisted sandbox tools (Wireshark, procmon, AutoIt, etc.) are detected.

Evasion and Exfiltration

For exfiltration, it gathers the victim’s external IP via showip[.]net or mediacollege[.]com utilities, then sends logs over SMTP (including SSL), Telegram API, FTP or PHP web panels. PCAP analysis from VirusTotal’s CAPE Sandbox confirms each method in real-world traffic captures.

Our 24/7 SOC analysts identified the spam campaign, quarantined malicious emails and blocked the DarkCloud executable on behalf of the customer. We guided the remediation process—resetting credentials, scanning for residual artifacts and reinforcing email filtering policies.

Email remains a primary malware vector. To guard against DarkCloud and similar threats:

  •  Enforce email protection rules to block ZIP attachments with executables or scripts.
  •  Implement Phishing and Security Awareness Training (PSAT) to educate staff on social engineering tactics.
  •  Partner with a 24/7 MDR service for continuous threat hunting, multi-signal visibility and rapid response.
  •  Deploy Next-Gen AV or Endpoint Detection and Response (EDR) to detect, block and contain infostealers.
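The first recommendation above, inspecting ZIP attachments for executable content rather than trusting file extensions, as an added Python example (not eSentire's tooling): it flags executable or script extensions, PE headers hidden behind a harmless extension, and encrypted members that cannot be inspected. The sample archive is constructed inline, mirroring the lure's "Swift Message MT103 FT2521935SVT.exe" name with a harmless stub, not the real payload.

```python
import io
import os
import zipfile

# Extensions a mail gateway rule would normally treat as executable or script content.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".ps1", ".hta", ".msi", ".lnk"}
PE_MAGIC = b"MZ"  # DOS header signature that starts every Windows PE file


def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Return one reason per ZIP member that should cause the attachment to be quarantined."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if info.flag_bits & 0x1:  # bit 0 set: member is encrypted, content unreadable
                findings.append(f"{name}: encrypted member, cannot inspect")
                continue
            if ext in EXEC_EXTENSIONS:
                findings.append(f"{name}: executable/script extension {ext}")
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:  # PE content behind a non-executable extension
                findings.append(f"{name}: PE header despite extension {ext or '(none)'}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: a fake PE stub with the campaign's payload name,
    a decoy text note, and a PE stub disguised as a PDF. None of it is real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Swift Message MT103 FT2521935SVT.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("cover_note.txt", b"Please find the attached transfer confirmation.")
        zf.writestr("statement.pdf", PE_MAGIC + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for reason in suspicious_members(build_sample_zip()):
        print("QUARANTINE:", reason)
```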

By combining proactive threat hunting, security awareness and advanced analytics, organizations can stay ahead of adversaries’ evolving techniques—and ensure that DarkCloud never delivers on its promise of widespread credential theft.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.