DarkCloud Stealer has recently emerged as a potent threat targeting financial organizations through convincing phishing campaigns. Adversaries employ weaponized RAR attachments masquerading as legitimate documents to deliver a multi-stage JavaScript-based payload.<\/p>\n
Upon opening the archive, victims execute a VBE script that leverages Windows Script Host to initiate a PowerShell downloader hidden in innocuous-seeming image files.<\/p>\n
This initial access vector exploits users\u2019 trust in routine financial correspondence, triggering an automated chain of decoding and decryption steps designed to evade conventional security controls.<\/p>\n
In early September 2025, security teams observed a dramatic uptick in malicious RAR attachments sent to corporate email accounts<\/a> within the banking sector.<\/p>\n CyberProof analysts identified that the archive named \u201cProof of Payment.rar\u201d contains a VBE script which, when executed, calls PowerShell to download an embedded JPG file named The stealer\u2019s loader is concealed within this image, and the decoding routine extracts the .NET DLL module directly from image pixel data.<\/p>\n CyberProof researchers noted<\/a> that the PowerShell script rigorously checks memory offsets to locate a distinct BMP header pattern before carving out the loader DLL.<\/p>\n The following snippet illustrates the core loop used for scanning the downloaded image bytes:-<\/p>\n Once the DLL is reconstructed in memory, the script invokes After loading into memory, DarkCloud Stealer establishes persistence by copying a JavaScript payload to the Windows Run registry key under a disguised filename ( The stealer then injects into legitimate processes like MSBuild.exe and mtstocom.exe using process hollowing techniques, enabling it to siphon saved credentials from browser databases such as Chrome\u2019s Alerts from endpoint detection<\/a> platforms confirm DPAPI access events and memory mapping into browser processes, revealing attempts to decrypt stored passwords directly in memory.<\/p>\n Finally, stolen data is staged in user directories and exfiltrated via FTP and HTTP channels to dynamic domain clusters (.shop, .xyz), complicating network-based detection<\/a>.<\/p>\n Financial institutions are urged to monitor for anomalous VBE\/VBS execution, unexpected registry Run key modifications, and JavaScript files in public download folders to rapidly detect and disrupt this insidious campaign.<\/p>\n The post DarkCloud Stealer Attacking Financial Companies With Weaponized RAR Attachments<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nuniverse-1733359315202-8750.jpg<\/code>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi4V_N6w9dkatfAzB2Jc7wLcEn0UKzjlxAzoyvBF6CEEgdmxOaD5zK7ZhyphenhyphenzrAj4Xj577AQrs23V3UNn2L82sz-MXka1MEyyHpjmdC1TPs2SaHbgXulpXR-wGTyTZbZn1pmsF9GuUaYhdCFfxUp0-8t9ymERgNloOd7MABgafSDEZRzm7Y92wU5xIZKLwoQ\/s16000\/Device%2520timeline%2520showing%2520the%2520download%2520activty%2520from%2520user%2520%28Source%2520-%2520CyberProof%29.webp?ssl=1\")
for ($i=0; $i -lt $data.Length - $header. Length; $i++) {\n $match = $true\n for ($j=0; $j -lt $header.Length; $j++) {\n if ($data[$i + $j] -ne $header[$j]) { $match = $false; break }\n }\n if ($match) { $offset = $i; break }\n}<\/code><\/pre>\n[Reflection.Assembly]::Load()<\/code> to execute the loader without ever touching disk.<\/p>\nPersistence and Credential Theft<\/strong><\/h2>\n
M3hd0pf.exe<\/code> masquerading as MSBuild.exe), ensuring execution on every user login.<\/p>\nLogin Data<\/code>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgTCq4PJZQ_NCtJotT8DwuVN4XvWBRMhPFdrSU2M-EYH2FoC0rf0hxZCWcG0O98zUmU2hJlNsmq9CjUwjUKgAVWj7reRHTYxixc2sXSRZKNFbe1TVm-G3_eptLq6o2i7KQYvDuetWVhQJTO27xnXjxd_mqdNu8mlijM4dDRoBm05pShVWfFesybfj_PaUk\/s16000\/Stolen%2520data%2520being%2520sent%2520to%2520remote%2520IPs%2520%28Source%2520-%2520CyberProof%29.webp?ssl=1\")
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n