Unveiling a New Variant of the DarkCloud Campaign
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A new DarkCloud campaign was observed in July 2025 targeting Windows users with a multi-stage infection chain. The attack begins with a phishing email carrying a RAR archive; opening its contents runs obfuscated JavaScript, which in turn launches obfuscated PowerShell. The PowerShell stage downloads a .NET DLL and loads it in memory without writing it to disk (fileless); that DLL then downloads the DarkCloud payload and injects it into a legitimate Windows process. The DarkCloud variant itself is written in Visual Basic 6, employs anti-analysis checks, and harvests credentials and other sensitive data from web browsers, email clients and FTP clients. Stolen data is exfiltrated over SMTP. The campaign combines several evasion techniques (script obfuscation, fileless staging, process injection) and targets a wide range of user credentials and personal information.
OPENCTI LABELS :
fileless,powershell,credential-theft,anti-analysis,process-hollowing,darkcloud,information-stealer
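The chain in the summary leaves two observable seams on the endpoint: a script host spawning PowerShell with a download cradle, and a process that is not a mail client talking to an SMTP port. The following detection logic, written for this page as an added example and not taken from the report or from any product, runs over a few constructed Sysmon-style events (process creation and network connection records). The specific process names (wscript.exe as the JavaScript host, WinRAR.exe as the archive tool, svchost.exe as the injected host), the PowerShell flags, and the destination addresses are assumptions chosen to illustrate the pattern; the report does not name them.

```python
"""Detection logic for a DarkCloud-style chain over constructed Sysmon-like events.

Added example for this page, not code from the report. Process names, PowerShell
flags and addresses below are assumptions about how the described chain
(script host -> PowerShell -> fileless stage -> injected process -> SMTP) would
surface in endpoint telemetry.
"""
import re

# Constructed sample events (not real telemetry). EventID 1 = process create,
# EventID 3 = network connection, mirroring Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 3980,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",          # assumed archive tool
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\invoice.js"'},
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 3, "ProcessId": 4188,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},         # stage download (assumed)
    {"EventID": 3, "ProcessId": 5012,
     "Image": r"C:\Windows\System32\svchost.exe",                      # assumed injected host
     "DestinationIp": "203.0.113.20", "DestinationPort": 587},
    {"EventID": 3, "ProcessId": 2200,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "198.51.100.5", "DestinationPort": 587},         # benign mail client
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # allow-list; extend per environment
SMTP_PORTS = {25, 465, 587}

# Flags and cmdlets typical of a hidden, encoded download cradle.
SUSPICIOUS_PS = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|downloadstring|"
    r"\biex\b|invoke-expression|frombase64string)"
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_script_host_to_powershell(events):
    """PIDs of PowerShell processes spawned by a script host with cradle-like flags."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1 or basename(ev["Image"]) not in POWERSHELL:
            continue
        if basename(ev["ParentImage"]) not in SCRIPT_HOSTS:
            continue
        if SUSPICIOUS_PS.search(ev["CommandLine"]):
            hits.append(ev["ProcessId"])
    return hits


def detect_smtp_from_non_mail_client(events):
    """(pid, image, port) for SMTP connections from anything not on the mail allow-list."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 3 or ev["DestinationPort"] not in SMTP_PORTS:
            continue
        if basename(ev["Image"]) not in MAIL_CLIENTS:
            hits.append((ev["ProcessId"], basename(ev["Image"]), ev["DestinationPort"]))
    return hits


def correlate_chain(events):
    """Join the two signals: a flagged PowerShell that also made an outbound connection
    (the stage download), plus any SMTP exfiltration candidates seen on the host."""
    ps_pids = set(detect_script_host_to_powershell(events))
    downloads = [ev for ev in events
                 if ev.get("EventID") == 3 and ev["ProcessId"] in ps_pids]
    return {
        "powershell_cradles": sorted(ps_pids),
        "stage_downloads": [(ev["ProcessId"], ev["DestinationIp"]) for ev in downloads],
        "smtp_exfil_candidates": detect_smtp_from_non_mail_client(events),
    }


if __name__ == "__main__":
    print(correlate_chain(SAMPLE_EVENTS))
```

The SMTP rule is an allow-list, so it will also fire on legitimate non-client senders (monitoring agents, scanners); tune MAIL_CLIENTS per environment rather than loosening the rule, since a stealer running inside a hollowed system process is exactly the case the allow-list is meant to surface.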