DarkCloud Infostealer Emerges as Major Threat With Scalable Credential Theft Targeting Enterprises

The cybersecurity threat landscape is facing a growing challenge as infostealers continue to dominate the initial access ecosystem in 2026.

Among the latest threats drawing serious attention is DarkCloud, a commercially available credential-harvesting malware that proves even low-cost tools can deliver devastating results against enterprise environments.​

DarkCloud was first observed in 2022 and is attributed to a developer known as “Darkcloud Coder,” formerly operating under the alias “BluCoder” on Telegram.

The malware is openly sold through Telegram and a clearnet storefront, with subscription tiers starting at just US$30 — a price point that puts it within reach of nearly any aspiring threat actor.

Despite being marketed as “surveillance software,” its actual purpose is far more aggressive: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks.​

Flashpoint analysts identified DarkCloud as a potent entry-level threat that can hand adversaries the keys to an entire corporate network through harvested credentials.

The malware is written in Visual Basic 6.0 (VB6) and compiled to a native Windows executable, a deliberate engineering choice that gives it an unexpected edge against modern detection tools.

By relying on legacy runtime components like MSVBVM60.DLL, DarkCloud operates outside the scope of many contemporary security models while retaining full credential theft functionality.​

What makes DarkCloud particularly dangerous for enterprises is its sheer scale of targeting.

It collects login credentials, cookies, and credit card data from major browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, Opera, Yandex, and Vivaldi, as well as many other Chromium- and Firefox-based browsers.

It also targets email clients such as Outlook, Thunderbird, FoxMail, and eM Client, file transfer tools like FileZilla and WinSCP, and VPN applications such as NordVPN.

Email contact lists are additionally scraped, likely to seed future phishing campaigns against victims and their networks.​

Stolen data is staged locally in two directories under %APPDATA%\Microsoft\Windows\Templates, one for raw database files and another for parsed, unencrypted text logs, before being exfiltrated through SMTP, FTP, Telegram, or HTTP.

This flexibility in exfiltration methods allows operators to tailor deployments to match their infrastructure preferences and operational security needs, making DarkCloud adaptable across a wide range of attack scenarios.

How DarkCloud Evades Detection Through Encryption

One of the most technically notable aspects of DarkCloud is the layered encryption scheme it uses to frustrate both static and dynamic analysis.

Rather than relying on modern cryptographic libraries, DarkCloud abuses a quirk of the legacy Visual Basic language itself to hide its internal strings and behavior from analysts and security tools.​

Most of DarkCloud’s internal strings are encrypted and decrypted at runtime using Visual Basic’s built-in Rnd() pseudo-random number generator (PRNG), combined with a custom seed-generation algorithm.

The decryption process follows a precise sequence: encrypted strings are stored hex-encoded and keys Base64-encoded, both are decoded at runtime, a custom algorithm calculates a seed value, the VB PRNG is reset to a known state using that seed, and successive Rnd() calls then produce the values used to reconstruct the original plaintext strings in memory.

A screenshot from DarkCloud’s clearnet site calling itself ‘surveillance software’ (Source – Flashpoint)

Since the PRNG is reset to the same known state before each decryption cycle, decryption is fully deterministic: the malware needs neither external key material nor network calls to recover its strings, either of which would otherwise raise flags in monitored environments.
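The following Python re-implementation shows how a decryption routine built on a replayable PRNG works and why an analyst can reproduce it offline. It is an added example, not DarkCloud’s code and not Flashpoint’s tooling. The generator constants are VB6’s documented Rnd() generator (a 24-bit linear congruential generator with initial state 0x50000, whose first two outputs in a fresh VB6 process are 0.7055475 and 0.533424); the seed-derivation routine (sum of key bytes) and the combining step (XOR against a keystream of Rnd()*256) are assumptions standing in for the malware’s own undisclosed scheme, and the sample string and key are constructed.

```python
"""VB6 Rnd()-driven string decryption, as a Python re-implementation.

Added example, not DarkCloud's code and not Flashpoint's tooling.  Taken from
the write-up: ciphertext stored hex-encoded, key stored Base64-encoded, a seed
derived by a custom routine, the VB PRNG reset to that seed, then repeated
Rnd() calls that rebuild the plaintext.  ASSUMED: the seed routine (sum of key
bytes mod 2^24) and the combining step (XOR with a keystream of Rnd()*256).
The generator itself is VB6's documented Rnd(): a 24-bit LCG with
state' = (state * 0x43FD43FD + 0xC39EC3) mod 2^24, initial state 0x50000,
output state' / 2^24.
"""
import base64
import binascii

MULT, INC, MASK = 0x43FD43FD, 0xC39EC3, 0xFFFFFF
DEFAULT_STATE = 0x50000          # VB6 runtime's initial Rnd() state


class VB6Rnd:
    """24-bit LCG behind VB6's Rnd(). Resetting `state` makes the output replayable."""

    def __init__(self, state=DEFAULT_STATE):
        self.state = state & MASK

    def rnd(self):
        self.state = (self.state * MULT + INC) & MASK
        return self.state / 16777216.0      # float in [0, 1), as VB6 returns


def rnd_sequence(n, state=DEFAULT_STATE):
    """First n Rnd() outputs from a given state.  With the default state the
    first two are 0.7055475 and 0.533424, matching a fresh VB6 process."""
    prng = VB6Rnd(state)
    return [prng.rnd() for _ in range(n)]


def derive_seed(key):
    """ASSUMPTION: placeholder for DarkCloud's custom seed-generation routine."""
    return sum(key) & MASK


def keystream(seed, length):
    """Reset the PRNG to `seed` and map each Rnd() output to one byte."""
    prng = VB6Rnd(seed)
    return bytes(int(prng.rnd() * 256) for _ in range(length))


def encrypt_string(plaintext, key):
    """Produce the stored form: hex ciphertext plus Base64 key (XOR is symmetric)."""
    data = plaintext.encode()
    ks = keystream(derive_seed(key), len(data))
    ct = bytes(p ^ k for p, k in zip(data, ks))
    return binascii.hexlify(ct).decode(), base64.b64encode(key).decode()


def decrypt_string(hex_ct, b64_key):
    """The runtime sequence from the write-up: decode hex, decode Base64,
    derive the seed, reset the PRNG, iterate Rnd() to rebuild the plaintext."""
    ct = binascii.unhexlify(hex_ct)
    key = base64.b64decode(b64_key)
    ks = keystream(derive_seed(key), len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks)).decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample: a C2-style hostname and a made-up key.
    hex_ct, b64_key = encrypt_string("smtp.example.net", b"constructed-key")
    print(hex_ct, b64_key, "->", decrypt_string(hex_ct, b64_key))
```

The practical point for a reverse engineer is that once the LCG constants and the seed routine are known, every string in the sample can be recovered with a script like this rather than by stepping through the decryption loop in a debugger; checking `rnd_sequence(2)` against the well-known first outputs of a fresh VB6 process is a quick sanity test that the generator has been modelled correctly.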

Flashpoint analysts noted that this approach does not rely on novel cryptographic techniques. Instead, it weaponizes the predictable behavior of an outdated language runtime to slow down reverse engineering efforts.

In controlled testing, Flashpoint generated equivalent payloads in both C/C++ and VB6. The VB6 variant produced significantly fewer detections in VirusTotal scans, confirming that the language choice alone provides a meaningful detection advantage for the attacker.​

Flashpoint researchers also identified notable code-level similarities between DarkCloud and a previously documented project known as “A310LoggerStealer,” also referred to as BluStealer.

The credit card parsing regular expressions in both tools appear in identical order and format.

Combined with the developer’s prior alias “BluCoder,” Flashpoint assesses that A310LoggerStealer likely represents an earlier version of what eventually became DarkCloud — reflecting the common pattern of incremental refinement seen in commodity malware development.​

Recommendations:

Organizations looking to defend against DarkCloud and similar commodity infostealers should adopt the following measures:

  • Treat phishing-delivered ZIP and RAR attachments as high-risk initial access vectors and implement strict email attachment filtering policies.​
  • Monitor network traffic for abnormal data exfiltration patterns over SMTP, FTP, and Telegram channels.​
  • Audit credential reuse across browser-stored passwords and email applications, and enforce enterprise-wide password management policies.​
  • Prioritize credential rotation and activate incident response playbooks immediately following any suspected compromise.​
  • Deploy endpoint detection tools capable of monitoring legacy runtime environments, particularly those that use VB6 runtime components such as MSVBVM60.DLL.​
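To show how the indicators in this write-up combine into a workable hunt, here is a small triage script over constructed endpoint telemetry. It is an added example, not detection content from Flashpoint or Cyber Security News. The only facts it takes from the article are the staging directory under %APPDATA%\Microsoft\Windows\Templates, the MSVBVM60.DLL runtime dependency, and exfiltration over SMTP, FTP, Telegram or HTTP; the CSV log layout, the sample events, the Telegram host (api.telegram.org, the bot API endpoint) and the mail/FTP port set are assumptions. Because each signal on its own is noisy (legacy line-of-business applications load MSVBVM60.DLL, mail clients legitimately talk on port 587), a process is flagged only when two or more signals coincide.

```python
"""Triage of constructed endpoint telemetry against the DarkCloud indicators.

Added example, not Flashpoint's or Cyber Security News' detection content.
From the write-up: staging under %APPDATA%\\Microsoft\\Windows\\Templates, the
MSVBVM60.DLL dependency, exfiltration over SMTP/FTP/Telegram/HTTP.
ASSUMED: the CSV layout, the sample events, the Telegram host and the port set.
"""
import collections
import csv
import io

STAGING_DIR = r"\appdata\roaming\microsoft\windows\templates"   # from the write-up
LEGACY_RUNTIME = "msvbvm60.dll"                                # from the write-up
EXFIL_PORTS = {21, 25, 465, 587}          # ASSUMPTION: FTP, SMTP, SMTPS, submission
EXFIL_HOSTS = {"api.telegram.org"}        # ASSUMPTION: Telegram bot API endpoint

# Constructed sample: one infected workstation process plus two benign look-alikes
# (Outlook talking SMTP submission, a legacy VB6 inventory app loading the runtime).
SAMPLE_LOG = r"""ts,host,pid,image,event,detail
2026-01-10T09:02:11Z,WS-ALICE,4120,C:\Users\alice\Downloads\invoice_2026.exe,image_load,C:\Windows\SysWOW64\msvbvm60.dll
2026-01-10T09:02:12Z,WS-ALICE,4120,C:\Users\alice\Downloads\invoice_2026.exe,file_write,C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\Login Data
2026-01-10T09:02:15Z,WS-ALICE,4120,C:\Users\alice\Downloads\invoice_2026.exe,net_connect,mail.attacker-relay.example:587
2026-01-10T09:03:40Z,WS-ALICE,2208,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,net_connect,outlook.office365.com:587
2026-01-10T09:05:02Z,WS-BOB,3316,C:\LegacyApps\Inventory\inv.exe,image_load,C:\Windows\SysWOW64\msvbvm60.dll
"""


def parse(log_text):
    """Parse the CSV telemetry into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(log_text.strip())))


def signals_for(event):
    """Map one event to a signal name, or None if it matches nothing."""
    detail = event["detail"].lower()
    if event["event"] == "image_load" and detail.endswith(LEGACY_RUNTIME):
        return "vb6_runtime"
    if event["event"] == "file_write" and STAGING_DIR in detail:
        return "staging_dir"
    if event["event"] == "net_connect":
        host, _, port = detail.rpartition(":")
        if host in EXFIL_HOSTS or (port.isdigit() and int(port) in EXFIL_PORTS):
            return "exfil_channel"
    return None


def triage(events, min_signals=2):
    """Collect signals per (host, pid, image); keep processes at or above the threshold."""
    hits = collections.defaultdict(set)
    for ev in events:
        sig = signals_for(ev)
        if sig:
            hits[(ev["host"], ev["pid"], ev["image"])].add(sig)
    return {proc: sigs for proc, sigs in hits.items() if len(sigs) >= min_signals}


if __name__ == "__main__":
    for (host, pid, image), sigs in triage(parse(SAMPLE_LOG)).items():
        print(f"{host} pid={pid} {image}: {', '.join(sorted(sigs))}")
```

Run against the sample, only the invoice_2026.exe process is reported, with all three signals; lowering `min_signals` to 1 surfaces Outlook and the legacy inventory application as well, which is the false-positive volume the two-signal rule is there to avoid. In a real deployment the same logic maps naturally onto a correlation rule in an EDR or SIEM keyed on process identity.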

Infostealers like DarkCloud do not rely on zero-day exploits or breakthrough techniques.

They exploit scale, accessibility, and identity exposure — and in a landscape where identity is the new perimeter, even a US$30 subscription can cause operationally devastating damage to an enterprise.


The post DarkCloud Infostealer Emerges as Major Threat With Scalable Credential Theft Targeting Enterprises appeared first on Cyber Security News.
