New Windows-Based DarkCloud Stealer Attacking Computers to Steal Login Credentials and Financial Data
A sophisticated new variant of the DarkCloud information stealer has emerged in the cyberthreat landscape, targeting Windows users through carefully crafted phishing campaigns designed to harvest sensitive credentials and financial information.
This variant relies on in-memory (fileless) deployment of its final payload, combining anti-analysis checks with a multi-stage infection chain that makes detection harder for signature-based security tools.
The campaign begins with deceptive phishing emails containing RAR archives disguised as urgent business quotes.
When victims extract and execute the JavaScript file named “Quote #S_260627.js,” the malware initiates a multi-stage infection chain that ultimately loads the DarkCloud payload in memory rather than writing it to disk as a conventional executable.
The attack vector leverages social engineering tactics, presenting seemingly legitimate business communications that prompt users to open malicious attachments.
Fortinet analysts identified this new DarkCloud variant in early July 2025, noting its sophisticated use of process hollowing techniques and fileless deployment strategies.
The researchers observed that this campaign specifically targets saved login credentials, payment card information, and contact lists stored across multiple popular applications including web browsers, email clients, and FTP software.
The malware's data harvesting targets major web browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, and Brave Browser.
Against the Chromium-based browsers it runs two SQL queries directly on the profile's SQLite databases: SELECT origin_url, username_value, password_value FROM logins for saved credentials, and SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards for payment card data.
Note that password_value and card_number_encrypted are stored as encrypted blobs, so the stealer must also recover the profile's encryption key (DPAPI-wrapped in the Local State file) before the data is usable; Firefox keeps its logins in logins.json and key4.db rather than in these tables.
Advanced Persistence and Evasion Mechanisms
The DarkCloud variant employs several sophisticated techniques to maintain persistence and evade detection on infected systems.
Upon execution, the malware establishes persistence by copying the initial JavaScript file to C:\Users\Public\Downloads\edriophthalma.js and creating an auto-run entry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that points at it.
This ensures the malware automatically executes during system startup, maintaining its presence across reboots.
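As an added example (not from the report), here is detection logic for that persistence pattern, run over constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records flattened to one line each. It flags Run-key writes whose value points at a script file, invokes a script host, lives in a user-writable location such as C:\Users\Public, or was written by a script host rather than an installer. The field names follow Sysmon's schema; the event lines, SIDs and paths are made up for the demo.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 13 records (field=value; pairs). The first
# mimics the persistence described in the report; the others are benign
# or unrelated noise to show what the rules ignore.
SAMPLE_EVENTS = [
    'EventID=13;Image=C:\\Windows\\System32\\wscript.exe;'
    'TargetObject=HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\edriophthalma;'
    'Details=C:\\Users\\Public\\Downloads\\edriophthalma.js;',
    'EventID=13;Image=C:\\Program Files\\Vendor\\setup.exe;'
    'TargetObject=HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray;'
    'Details="C:\\Program Files\\Vendor\\tray.exe" --minimized;',
    'EventID=13;Image=C:\\Windows\\explorer.exe;'
    'TargetObject=HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden;'
    'Details=DWORD (0x00000001);',
    'EventID=13;Image=C:\\Windows\\System32\\reg.exe;'
    'TargetObject=HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater;'
    'Details=powershell -w hidden -enc SQBFAFgA;',
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd)\b", re.IGNORECASE)
SCRIPT_HOSTS = re.compile(
    r"\b(wscript|cscript|mshta|powershell|pwsh|cmd)(\.exe)?\b", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\(Users\\Public|ProgramData|AppData\\Local\\Temp)\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened 'k=v;k=v;' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip(";").split(";"))


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a Run-key write looks like script persistence
    (empty list means the event is not interesting)."""
    if ev.get("EventID") != "13" or not RUN_KEY.search(ev.get("TargetObject", "")):
        return []
    details = ev.get("Details", "")
    reasons = []
    if SCRIPT_EXT.search(details):
        reasons.append("run value points at a script file")
    if SCRIPT_HOSTS.search(details):
        reasons.append("run value invokes a script host")
    if USER_WRITABLE.search(details):
        reasons.append("run value lives in a user-writable location")
    if SCRIPT_HOSTS.search(ev.get("Image", "")):
        reasons.append("value was written by a script host, not an installer")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run every record through score_event and keep the hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            hits.append({"target": ev["TargetObject"],
                         "details": ev["Details"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["target"])
        for r in hit["reasons"]:
            print("   -", r)
```

On a live host the same checks can be applied to the current state of the Run key rather than to events, but the event stream also captures the writing process, which is the strongest signal here: legitimate software rarely registers its autostart entry from wscript.exe.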
The most notable technical advancement in this variant lies in its fileless deployment strategy.
The malware downloads a seemingly innocuous JPEG image from archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg
that actually contains an encrypted .NET DLL embedded within its pixel data.
The PowerShell component parses the image, recovers the hidden bytes, and loads the assembly directly into memory with [Reflection.Assembly]::Load(), so the DLL never exists on disk as a file.
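As an added example (not from the report and not the malware's own loader), here is a triage script for the two artifacts an analyst would pull from this stage: the downloaded image and the PowerShell that decodes it. It scans an image for a payload hidden as raw or base64-encoded PE data after the JPEG end-of-image marker, and scores a PowerShell fragment for the combination of image decoding and in-memory assembly loading. A caveat this example makes explicit: the report says the DLL was encrypted inside pixel data, and a byte-level signature scan will not see an encrypted payload; for that case the decoder logic in the PowerShell must be read and reproduced. The sample image bytes and loader fragment are constructed.

```python
import base64
import re
from typing import Dict, List

# Constructed stand-in for a downloaded image: a minimal JPEG SOI...EOI
# wrapper with a base64-encoded fake PE (MZ header, e_lfanew gap, PE\0\0)
# appended after the EOI marker. Real encrypted pixel-level payloads would
# not be found by this scan.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"
                + base64.b64encode(FAKE_PE))

# Constructed PowerShell fragment resembling the loader pattern described
# in the report (Get-PixelBytes is a hypothetical helper name).
SAMPLE_LOADER = r'''
$img = [System.Drawing.Image]::FromFile($p)
$bytes = Get-PixelBytes $img
$asm = [Reflection.Assembly]::Load($bytes)
'''

# MZ header followed within 58..120 bytes by the PE signature (e_lfanew
# is normally in that range for real binaries).
PE_RAW = re.compile(rb"MZ[\x00-\xff]{58,120}?PE\x00\x00")
# "TVqQ" is the base64 encoding of 4D 5A 90, the usual start of a PE file.
B64_PE_PREFIX = re.compile(rb"TVqQ[A-Za-z0-9+/]{40,}={0,2}")

LOADER_INDICATORS = {
    "reflective-load": re.compile(
        r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.IGNORECASE),
    "image-decode": re.compile(
        r"System\.Drawing|Bitmap|GetPixel|FromFile", re.IGNORECASE),
}


def find_embedded_payloads(data: bytes) -> List[Dict[str, object]]:
    """Report bytes after the JPEG EOI marker and any PE found raw or
    base64-encoded anywhere in the file."""
    findings: List[Dict[str, object]] = []
    eoi = data.rfind(b"\xff\xd9")
    trailer = data[eoi + 2:] if eoi != -1 else b""
    if trailer:
        findings.append({"kind": "trailing-bytes-after-EOI",
                         "offset": eoi + 2, "size": len(trailer)})
    for m in PE_RAW.finditer(data):
        findings.append({"kind": "raw-PE", "offset": m.start(), "size": None})
    for m in B64_PE_PREFIX.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if PE_RAW.match(decoded):
            findings.append({"kind": "base64-PE", "offset": m.start(),
                             "size": len(decoded)})
    return findings


def score_loader(script: str) -> List[str]:
    """Names of loader indicators present in a PowerShell fragment."""
    return [name for name, rx in LOADER_INDICATORS.items() if rx.search(script)]


if __name__ == "__main__":
    for f in find_embedded_payloads(SAMPLE_IMAGE):
        print(f)
    print("loader indicators:", score_loader(SAMPLE_LOADER))
```

Trailing bytes after EOI are common in benign files too (EXIF thumbnails, editor metadata), so the first finding is a prompt to look closer, not a verdict; the base64-PE and loader-indicator results are far more specific.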
To evade automated analysis systems, DarkCloud implements anti-sandbox techniques that monitor user interaction through the GetAsyncKeyState() API.
The malware remains dormant until it detects actual keyboard or mouse activity, effectively bypassing sandboxed environments that lack genuine user interaction.
This behavioral analysis evasion represents a significant challenge for automated security testing platforms.