On September 25, 2025, eSentire’s Threat Response Unit (TRU) uncovered a sophisticated spear-phishing operation targeting a prominent manufacturing client’s Zendesk support email.
The attackers sent a banking-themed lure titled “Swift Message MT103 Addiko Bank ad: FT2521935SVT” containing a malicious ZIP attachment.
When extracted, the archive deployed the DarkCloud information stealer (version 3.2), which is marketed openly on DarkCloud. onlinewebshop[.]net and via Telegram user @BluCoder.
The phishing email impersonated legitimate financial correspondence and carried “Swift Message MT103 FT2521935SVT.zip.” Inside, “Swift Message MT103 FT2521935SVT.exe” installed DarkCloud, a .NET original stealer rewritten in VB6 with advanced evasion features.
DarkCloud’s builder requires the Visual Basic 6 IDE, which forces local compilation from source code and increases the risk of unauthorized variants proliferating. This local-compile model mirrors the Redline Stealer’s approach and amplifies widespread misuse.
DarkCloud is designed to harvest a broad spectrum of sensitive data: browser-stored passwords, credit card details, cookies, keystrokes, FTP credentials, email client contacts, clipboard contents, and cryptocurrency wallet files.
Exfiltration occurs via multiple channels, including the Telegram API, SMTP (with SSL support), FTP, and a PHP-based web panel, ensuring redundancy. In the observed sample, stolen data was sent to attacker-controlled endpoints over SMTP and Telegram.
DarkCloud implements optional string encryption using VB6’s Randomize and Rnd functions. A custom algorithm seeds the random generator, shifting ASCII characters to obfuscate static strings, such as exfiltration credentials.
By reverse engineering msvbvm60.dll’s rtcRandomize and rtcRandomNext routines, defenders can decrypt these strings.
The stealer collects system metadata through WMI queries (“Win32_LogicalDisk”, “Win32_ComputerSystem”, “Win32_Processor”) and environment variables for machine and user identification.
Sandbox and virtual machine detection routines strengthen stealth. Checks include blacklisted process names (e.g., “fiddler”, “wireshark”, “idaq”), process count thresholds (<50 processes triggers exit), disk size (<60 GB), RAM (<1 GB), CPU cores (<2), and VM artifacts (drivers like vmmemctl.sys, model strings such as “VMware Virtual Platform”) file name validation against hex-only binaries further thwarts analysis environments.
eSentire’s 24/7 SOC Cyber Analysts intercepted the spam emails, prevented DarkCloud execution, and guided the customer through remediation. Key recommendations include:
- Enforce email security policies to block ZIP attachments containing executables or scripts.
- Deploy Next-Generation AV or EDR to detect stealer behavior in real-time.
- Implement comprehensive Phishing and Security Awareness Training (PSAT) to educate employees on evolving social engineering tactics.
- Partner with a 24/7 MDR provider for continuous multi-signal threat monitoring, proactive hunting, and rapid containment.
DarkCloud’s modular design and active development, evidenced by its VB6 rewrite, string encryption, and evasion logic, underscore the persistent threat posed by infostealers.
Organizations must adopt layered defenses, combining employee vigilance, advanced endpoint controls, and around-the-clock incident response to thwart such stealthy malware campaigns.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
