New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
Unit 42 researchers have identified a shift in the delivery method and obfuscation techniques used for distributing DarkCloud Stealer. The new infection chain, observed since April 2025, involves ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with phishing emails containing compressed archives (TAR, RAR, or 7Z) that include JavaScript or Windows Script files. These files download and execute a PowerShell script, which then drops an executable protected by ConfuserEx. The final payload is a VB6 executable injected into a legitimate process using RunPE techniques. The malware employs various obfuscation methods, including anti-tampering, symbol renaming, and proxy call methods, to complicate analysis and evade detection.
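As an added example (not code from the Unit 42 report or the OpenCTI record), a small Python triage check for the first stage of the chain described above: it opens a mail attachment that is a TAR archive and flags members carrying Windows Script Host extensions, which is the point at which this chain can be stopped before any PowerShell runs. The archive contents are constructed inline; RAR and 7Z would need third-party readers and are not handled here.

```python
import io
import tarfile

# Extensions of the first-stage script the reported chain hides inside the archive.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe")


def script_members(tar_bytes: bytes) -> list:
    """Return the names of regular-file members whose extension is a script host type."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Lower-case so "INVOICE.JS" and double extensions like ".pdf.js" are both caught.
            if member.name.lower().endswith(SCRIPT_EXTENSIONS):
                flagged.append(member.name)
    return flagged


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment: TAR or not, which script members it carries, verdict."""
    result = {"filename": filename, "archive": False, "scripts": []}
    try:
        result["scripts"] = script_members(data)
        result["archive"] = True
    except tarfile.ReadError:
        pass  # Not a TAR; RAR/7Z need a third-party reader and are out of scope here.
    result["verdict"] = "quarantine" if result["scripts"] else "pass"
    return result


def build_constructed_tar(files: dict) -> bytes:
    """Build an in-memory TAR from a name -> bytes mapping (constructed test fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a lure document name with a double extension plus a benign file.
    sample = build_constructed_tar({
        "Invoice_2025.pdf.js": b"// constructed placeholder, not a real script\n",
        "readme.txt": b"hello\n",
    })
    print(triage_attachment("invoice.tar", sample))
```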
OPENCTI LABELS:
process hollowing, infostealer, obfuscation, confuserex, darkcloud stealer, visual basic 6, runpe