The DarkCloud campaign, observed in July 2025, represents a sophisticated and multi-stage attack targeting Windows users. The infection chain initiates via phishing emails containing RAR archives. Upon extraction, these archives execute obfuscated JavaScript and PowerShell scripts. These scripts deploy a fileless .NET DLL in memory, avoiding traditional disk-based detection methods. This DLL subsequently downloads and injects the DarkCloud payload into a legitimate Windows process through process hollowing, a technique that replaces the memory of a legitimate process with malicious code to evade detection. The DarkCloud payload itself is written in Visual Basic 6 and incorporates advanced anti-analysis techniques to hinder forensic and automated analysis. Its primary objective is credential theft, harvesting sensitive information from web browsers, email clients, and FTP clients. The stolen data is exfiltrated using SMTP, blending with normal email traffic to evade network detection. The campaign leverages multiple MITRE ATT&CK techniques including T1566.001 (phishing), T1059.001 (PowerShell), T1055.012 (process hollowing), T1555 (credential access), and T1041 (exfiltration over SMTP), demonstrating a high level of operational sophistication. The use of fileless malware and process hollowing complicates detection and remediation, as traditional antivirus solutions may fail to identify the malicious activity. The campaign targets a broad spectrum of user credentials and personal information, posing a significant threat to organizational security and user privacy.

For European organizations, the DarkCloud campaign poses a substantial risk to confidentiality and integrity of sensitive data. Credential theft can lead to unauthorized access to corporate networks, email accounts, and FTP servers, potentially resulting in data breaches, intellectual property theft, and financial fraud. The fileless nature of the attack and use of legitimate Windows processes for payload execution increase the likelihood of evading endpoint detection and response (EDR) tools, prolonging dwell time and increasing damage potential. Exfiltration via SMTP can bypass network security controls that do not inspect outbound email traffic thoroughly. Organizations handling sensitive personal data, including those subject to GDPR, face regulatory and reputational risks if compromised. Additionally, the campaign's phishing vector exploits human factors, making it a persistent threat especially in sectors with large user bases or less mature security awareness programs. The medium severity rating reflects the campaign's complexity and potential for significant impact, though it currently lacks known exploits in the wild at scale. However, the advanced evasion and credential theft capabilities warrant immediate attention to prevent lateral movement and further compromise.

1. Enhance email security by deploying advanced phishing detection solutions that analyze attachments and embedded scripts, including sandboxing RAR archives and scanning for obfuscated JavaScript and PowerShell code. 2. Implement strict execution policies for PowerShell, such as constrained language mode and logging of all script executions, to detect and block malicious scripts. 3. Deploy endpoint detection and response (EDR) solutions capable of detecting fileless malware and process hollowing techniques, focusing on anomalous process injections and memory-only payloads. 4. Enforce multi-factor authentication (MFA) across all user accounts to mitigate the impact of credential theft. 5. Monitor outbound SMTP traffic for unusual patterns or volumes, and apply data loss prevention (DLP) controls to detect unauthorized exfiltration attempts. 6. Conduct regular user awareness training focused on phishing recognition and safe handling of email attachments. 7. Maintain up-to-date threat intelligence feeds and indicators of compromise (IOCs), including the provided hashes, to enable proactive detection and blocking. 8. Apply the principle of least privilege to limit user access to sensitive systems and data, reducing the attack surface. 9. Regularly audit and monitor logs for signs of anti-analysis evasion techniques and suspicious process behavior. 10. Consider network segmentation to contain potential breaches and limit lateral movement.