
New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer

Severity: Medium
Published: Thu Aug 07 2025 (08/07/2025, 21:14:50 UTC)
Source: AlienVault OTX General

Description

Unit 42 researchers have identified a shift in the delivery method and obfuscation techniques used for distributing DarkCloud Stealer. The new infection chain, observed since April 2025, involves ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with phishing emails containing compressed archives (TAR, RAR, or 7Z) that include JavaScript or Windows Script files. These files download and execute a PowerShell script, which then drops an executable protected by ConfuserEx. The final payload is a VB6 executable injected into a legitimate process using RunPE techniques. The malware employs various obfuscation methods, including anti-tampering, symbol renaming, and proxy call methods, to complicate analysis and evade detection.

AI-Powered Analysis

Last updated: 08/07/2025, 21:48:15 UTC

Technical Analysis

The DarkCloud Stealer campaign has evolved with a new infection chain and enhanced obfuscation techniques, identified by Unit 42 researchers and observed since April 2025. The attack begins with phishing emails containing compressed archive files (TAR, RAR, or 7Z) that include malicious JavaScript or Windows Script files. When executed, these scripts download and run a PowerShell script, which subsequently drops an executable protected by ConfuserEx, a popular open-source .NET obfuscator. The final payload is a Visual Basic 6 (VB6) executable that is injected into a legitimate process using RunPE (Run Portable Executable) techniques, a form of process hollowing that lets the malware run within a trusted process context.

The campaign relies on several obfuscation methods, including anti-tampering, symbol renaming, and proxy call methods, to evade detection and complicate reverse engineering. ConfuserEx protects the intermediate executable, while injecting the VB6 payload into a legitimate process helps it avoid behavioral detection by endpoint security products.

The malware's tactics map to several MITRE ATT&CK techniques: command and scripting interpreter abuse (T1059.001 PowerShell, T1059.007 JavaScript), user execution of a malicious file delivered by phishing (T1204.002), process injection (T1055, T1055.012 process hollowing), persistence via registry run keys (T1547.001), and obfuscated files or information (T1027 and sub-techniques). No exploits or CVEs are associated with this campaign; the threat lies in the infection chain's layered delivery and stealth rather than in any vulnerability. The indicators of compromise published with the report consist of file hashes and one IP address linked to command-and-control infrastructure.

Potential Impact

For European organizations, the DarkCloud Stealer campaign poses a considerable risk primarily through information theft. The malware's ability to inject into legitimate processes and evade detection means that sensitive data such as credentials, personally identifiable information (PII), and intellectual property could be exfiltrated without prompt detection. The phishing-based delivery vector exploits common user behavior, increasing the likelihood of successful infection across sectors including finance, healthcare, government, and critical infrastructure. Compressed archives containing script files may bypass email security filters that are not configured to unpack and inspect archive contents. The obfuscation and anti-analysis techniques also complicate incident response and forensic investigation, potentially delaying mitigation and extending exposure time. Stolen credentials could further facilitate lateral movement, privilege escalation, or the deployment of additional payloads. The medium severity rating reflects the campaign's moderate ease of execution combined with impactful data theft capabilities, which can lead to reputational damage, regulatory fines under GDPR, and operational disruption.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to this threat's infection chain and evasion techniques. Specifically:

1) Enhance email security by deploying advanced sandboxing and attachment inspection capable of unpacking compressed archives (TAR, RAR, 7Z) and analyzing embedded scripts.
2) Enforce strict PowerShell execution policies and enable logging and monitoring of PowerShell activity to detect suspicious script downloads and executions.
3) Deploy endpoint detection and response (EDR) solutions able to detect process injection and RunPE techniques, focusing on anomalous behavior within legitimate processes.
4) Use application whitelisting to restrict execution of unauthorized scripts and executables, especially those originating from email attachments or temporary directories.
5) Conduct targeted user awareness training emphasizing the risks of opening compressed attachments and executing unknown scripts.
6) Maintain up-to-date threat intelligence feeds to block the known malicious hashes and IP address associated with this campaign.
7) Implement network segmentation and strict egress filtering to limit malware communication with command-and-control servers.
8) Regularly audit and harden persistence mechanisms to detect and remove unauthorized registry or service modifications.

These measures go beyond generic advice by addressing the specific infection vectors, obfuscation methods, and stealth techniques used by DarkCloud Stealer.
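Recommendations 6 and 7 amount to matching local artifacts against the indicators published with this pulse. The following Python script is an added example, not part of the OTX pulse or the Unit 42 report: it parses the page's hash list as it appears in the IoC table (where extraction glued the word "hash" onto each value), infers the algorithm from digest length, checks byte blobs or files against all three algorithms so a mixed MD5/SHA-1/SHA-256 feed is not silently missed, and flags egress log lines whose destination is the page's C2 address. The hash and IP values are copied from the page; the sample bytes and egress log lines are constructed for the demonstration.

```python
"""Added example: match this pulse's hash and IP indicators against local artifacts.
Indicator values are copied from the page; sample data below is constructed."""
import hashlib
import re

# Hash indicators exactly as they appear on the page; parse_iocs() strips the
# "hash" prefix that the page extraction glued onto each value.
PAGE_IOC_LINES = """
hash92f3a9cd6fdc829b5239fb60acfa619f
hashb953abe62f49a3fc099aee0ff1027609
hashe4f6fbf6b952148147b14df27b48c124
hash6d57b5dbe9adc1ea7224c11637a45427d8ffbbdb
hashb90df42f2218e59097a1df29cf5b8c88bb2e7922
hashedc7abadae7adf88e99dc5fc52cbb736bf3b6bdd
hash24552408d849799b2cac983d499b1f32c88c10f88319339d0eec00fb01bb19b4
hash2bd43f839d5f77f22f619395461c1eeaee9234009b475231212b88bd510d00b7
hash6b8a4c3d4a4a0a3aea50037744c5fec26a38d3fb6a596d006457f1c51bbc75c7
hash72d3de12a0aa8ce87a64a70807f0769c332816f27dcf8286b91e6819e2197aa8
hash9588c9a754574246d179c9fb05fea9dc5762c855a3a2a4823b402217f82a71c1
hashbd8c0b0503741c17d75ce560a10eeeaa0cdd21dff323d9f1644c62b7b8eb43d9
hashce3a3e46ca65d779d687c7e58fb4a2eb784e5b1b4cebe33dbb2bf37cccb6f194
hashf6d9198bd707c49454b83687af926ccb8d13c7e43514f59eac1507467e8fb140
hashfa598e761201582d41a73d174eb5edad10f709238d99e0bf698da1601c71d1ca
""".strip().splitlines()

# C2 IP indicator from the page.
PAGE_C2_IPS = {"176.65.142.190"}

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HASH_RE = re.compile(r"^(?:hash)?([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_iocs(lines):
    """Group hex digests by algorithm, inferred from digest length.
    Lines that are not a bare digest (table headers, IP rows) are ignored."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set()}
    for line in lines:
        m = HASH_RE.match(line.strip())
        if m:
            digest = m.group(1).lower()
            iocs[ALGO_BY_LEN[len(digest)]].add(digest)
    return iocs


def digests_of(data):
    """Compute all three digests of a byte blob."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def match_bytes(data, iocs):
    """Return (algo, digest) pairs for every indicator that matches data."""
    return [(algo, d) for algo, d in digests_of(data).items() if d in iocs.get(algo, ())]


def scan_files(paths, iocs):
    """Map each file path to its indicator matches; files with no match are omitted."""
    hits = {}
    for path in paths:
        with open(path, "rb") as fh:
            found = match_bytes(fh.read(), iocs)
        if found:
            hits[path] = found
    return hits


def find_c2_connections(log_lines, c2_ips):
    """Return egress log lines whose destination is a known C2 address."""
    return [line for line in log_lines
            if (m := DST_RE.search(line)) and m.group(1) in c2_ips]


# Constructed egress log lines (not real traffic); the first points at the page's C2 IP,
# the second at a TEST-NET address that should not match.
SAMPLE_EGRESS_LOG = [
    "2025-08-07T21:00:01Z src=10.0.0.15 dst=176.65.142.190 dport=80 action=allow",
    "2025-08-07T21:00:02Z src=10.0.0.16 dst=192.0.2.10 dport=443 action=allow",
]

if __name__ == "__main__":
    iocs = parse_iocs(PAGE_IOC_LINES)
    print({algo: len(values) for algo, values in iocs.items()})
    print(match_bytes(b"constructed benign sample", iocs))
    print(find_c2_connections(SAMPLE_EGRESS_LOG, PAGE_C2_IPS))
```

Inferring the algorithm from digest length is safe here because MD5, SHA-1 and SHA-256 digests have distinct hex lengths (32, 40, 64); a feed that mixes algorithms without labelling them is common, and hashing each file with all three means a SHA-256-only scanner does not miss an MD5-only indicator. The egress check is deliberately exact-match on the destination field: a blocklist of one address is a starting point for the egress filtering in recommendation 7, not a substitute for it.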


Technical Details

Author: AlienVault
TLP: white
References: https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain
Adversary: (none listed)
Pulse Id: 6895174a78ee95e9d1394374
Threat Score: (none)

Indicators of Compromise

Hash (MD5)

92f3a9cd6fdc829b5239fb60acfa619f
b953abe62f49a3fc099aee0ff1027609
e4f6fbf6b952148147b14df27b48c124

Hash (SHA-1)

6d57b5dbe9adc1ea7224c11637a45427d8ffbbdb
b90df42f2218e59097a1df29cf5b8c88bb2e7922
edc7abadae7adf88e99dc5fc52cbb736bf3b6bdd

Hash (SHA-256)

24552408d849799b2cac983d499b1f32c88c10f88319339d0eec00fb01bb19b4
2bd43f839d5f77f22f619395461c1eeaee9234009b475231212b88bd510d00b7
6b8a4c3d4a4a0a3aea50037744c5fec26a38d3fb6a596d006457f1c51bbc75c7
72d3de12a0aa8ce87a64a70807f0769c332816f27dcf8286b91e6819e2197aa8
9588c9a754574246d179c9fb05fea9dc5762c855a3a2a4823b402217f82a71c1
bd8c0b0503741c17d75ce560a10eeeaa0cdd21dff323d9f1644c62b7b8eb43d9
ce3a3e46ca65d779d687c7e58fb4a2eb784e5b1b4cebe33dbb2bf37cccb6f194
f6d9198bd707c49454b83687af926ccb8d13c7e43514f59eac1507467e8fb140
fa598e761201582d41a73d174eb5edad10f709238d99e0bf698da1601c71d1ca

IP

176.65.142.190

Threat ID: 68951b7cad5a09ad00fd30cc

Added to database: 8/7/2025, 9:32:44 PM

Last enriched: 8/7/2025, 9:48:15 PM

Last updated: 8/25/2025, 7:46:52 PM
