DarkCloud
DarkCloud is a Windows information-stealing malware family first observed in 2022 and commonly referred to as DarkCloud Infostealer. It is widely described as a low-cost commercial infostealer sold via Telegram, public storefronts, and dedicated websites, including offerings attributed to the seller @BluCoder; reporting also states it was previously sold on the Russian-language forum XSS.is. Multiple sources describe DarkCloud as written in Visual Basic 6.0/VB6, including a rewritten v4.2 variant identified in September 2025. It has been distributed in phishing campaigns, including emails themed as financial correspondence or SWIFT MT103 messages carrying malicious ZIP or RAR archives, and has also appeared as a payload delivered by intermediary loaders such as PhantomVAI/PanthomVAI and shared AutoIt-based crypter chains. Reported delivery chains include obfuscated JavaScript, PowerShell, archive.org-hosted images with embedded code, .NET loaders masquerading as Microsoft.Win32.TaskScheduler, and process hollowing into legitimate processes such as MSBuild.exe.
DarkCloud is designed to steal a broad range of personal and corporate data. High-confidence reporting states it can collect browser credentials, cookies, credit card/payment data, browser information, email client information and contacts, FTP credentials, keylogging data, clipboard contents, screenshots, document files, and cryptocurrency wallet information. Specific targeted software and data sources mentioned in reporting include Chromium-based browsers such as Google Chrome, Microsoft Edge, and Brave; browser SQLite databases such as Login Data and WebData; FTP clients FileZilla and WinSCP; and email clients including Thunderbird, MailMaster, and eM Client. One analyzed sample dropped vbsqlite3.dll into C:\Users\Public\Libraries\ to access SQLite browser databases, used GetAsyncKeyState/GetForegroundWindow/GetWindowTextA for keylogging, queried showip.NET for public IP discovery, and staged stolen data into local text files.
Exfiltration methods vary by campaign and version. Across the reporting, DarkCloud is described as exfiltrating stolen data via Telegram Bot API, FTP, SMTP/email, HTTP POST, and PHP-based web panels. One March 2026 sample exfiltrated simultaneously through Telegram Bot API, FTP upload, and HTTP POST, using api.telegram.org and a hardcoded multipart/form-data boundary string 3fbd04f5-b1ed-4060-99b9-fca7ff59c113. A July 2025 campaign analyzed by Fortinet used SMTP over TLS to send stolen files as email attachments, with the subject containing victim host, user, and IP details. Persistence and anti-analysis behaviors reported for DarkCloud include HKCU Run or RunOnce registry persistence, self-deletion via cmd /C cleanup commands, extensive encrypted strings, RijndaelManaged-encrypted configuration values, and sandbox evasion based on waiting for real keyboard and mouse activity.
DarkCloud has been observed in campaigns targeting both individuals and businesses, with explicit reporting of attacks against manufacturing-sector victims. It is also repeatedly referenced as one of several payloads delivered by broader phishing and loader ecosystems alongside malware such as AsyncRAT, Remcos, XWorm, SmokeLoader, AgentTesla, and FormBook. Notable indicators and artifacts directly mentioned in reporting include the internal banner string "===============DARKCLOUD===============", sample SHA-256 hashes 4ff1f0ed9795f7f3990891bd6cf7e3dd317de240958b6a4731606aa0c5d61220, 82BA4340BE2E07BB74347ADE0B7B43F12CF8503A8FA535F154D2E228EFBEF69C, and infrastructure such as hxxp://paste[.]ee/d/0WhDakVP/0, hxxps://archive[.]org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg, and api.telegram.org. Reported phishing artifacts include sender procure@bmuxitq(.)shop and attachment names such as "Swift Message MT103 FT2521935SVT.zip" and "Quote #S_260627.RAR".
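As an added defender-side example, not code from the original page or from any vendor report, the following Python turns the behaviours and indicators described above (vbsqlite3.dll dropped into C:\Users\Public\Libraries\, HKCU Run/RunOnce persistence, connections to api.telegram.org and showip.net, the two published SHA-256 hashes, and cmd /C self-deletion) into detection logic run over constructed endpoint telemetry. The JSON-per-line event schema and the assumption that the cleanup command uses del are this example's own, not the page's.

```python
import json
import re
# Indicators below come from the profile above; the JSON-per-line event schema is constructed.
KNOWN_SHA256 = {"4ff1f0ed9795f7f3990891bd6cf7e3dd317de240958b6a4731606aa0c5d61220",
                "82ba4340be2e07bb74347ade0b7b43f12cf8503a8fa535f154d2e228efbef69c"}
KNOWN_HOSTS = {"api.telegram.org", "showip.net"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)
HELPER_DLL_RE = re.compile(r"^C:\\Users\\Public\\Libraries\\vbsqlite3\.dll$", re.IGNORECASE)
# Assumption: the reported "cmd /C cleanup" removes the stealer binary with del.
SELF_DELETE_RE = re.compile(r"^cmd(\.exe)?\s+/c\b.*\bdel\b", re.IGNORECASE)

def classify(event):
    """Return the names of the DarkCloud behaviours one telemetry event matches."""
    kind = event.get("type")
    findings = []
    if kind == "file_create" and HELPER_DLL_RE.match(event.get("path", "")):
        findings.append("vbsqlite3_dropped_to_public_libraries")
    if kind == "registry_set" and event.get("hive") == "HKCU" and RUN_KEY_RE.search(event.get("key", "")):
        findings.append("hkcu_run_or_runonce_persistence")
    if kind == "network" and event.get("dest_host", "").lower() in KNOWN_HOSTS:
        findings.append("known_exfil_or_ip_lookup_host")
    if kind == "process_create":
        if event.get("sha256", "").lower() in KNOWN_SHA256:
            findings.append("known_darkcloud_sha256")
        if SELF_DELETE_RE.search(event.get("cmdline", "")):
            findings.append("cmd_c_self_delete")
    return findings

def scan(lines):
    """Parse JSON lines, skipping malformed ones; return [(event id, findings)]."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:  # malformed telemetry must not abort the scan
            continue
        if found := classify(event):
            hits.append((event.get("id"), found))
    return hits

# Constructed sample telemetry: one benign connection and one malformed line mixed in.
SAMPLE_LOG = [
    r'{"id": 1, "type": "process_create", "sha256": "4FF1F0ED9795F7F3990891BD6CF7E3DD317DE240958B6A4731606AA0C5D61220", "cmdline": "C:\\Users\\u\\Downloads\\invoice.exe"}',
    r'{"id": 2, "type": "file_create", "path": "C:\\Users\\Public\\Libraries\\vbsqlite3.dll"}',
    r'{"id": 3, "type": "registry_set", "hive": "HKCU", "key": "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\invoice"}',
    r'{"id": 4, "type": "network", "dest_host": "api.telegram.org", "dest_port": 443}',
    r'{"id": 5, "type": "network", "dest_host": "update.example.com", "dest_port": 443}',
    r'{"id": 6, "type": "process_create", "cmdline": "cmd.exe /C ping 127.0.0.1 -n 3 & del \"C:\\Users\\u\\Downloads\\invoice.exe\""}',
    "this line is not JSON",
]
```

Running scan(SAMPLE_LOG) flags events 1, 2, 3, 4 and 6 and ignores the benign connection and the malformed line; in production the hash match is the weakest signal, since any recompiled sample changes it, while the file-drop, registry and network behaviours survive rebuilds.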
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 1 technique
Persistence: 1 technique
Privilege Escalation: 2 techniques
Stealth: 4 techniques
MITRE ATT&CK mapping
Tactic: Defense Evasion
Technique: Obfuscated Files or Information
ID: T1027
Implementation: Three-layer encryption: WRSJLIM + XOR + Rijndael
Threat actors in Q4 reused the same inexpensive, off the shelf components across multiple campaigns, combining obfuscated scripts, archive.org hosted images carrying embedded code, and a .NET loader to deliver different payloads.
Credential Access: 5 techniques
"DarkCloud... quietly harvests sensitive data, including browser logins, cookies, financial information, and contact details... focuses on extracting credentials and sensitive data from infected machines."
DarkCloud can collect document files, keylogging data, email client information, browser information, screenshots, and cryptocurrency wallet information.
"Multiple information stealer families... demand for off-the-shelf stealer malware... stealer logs... sold to initial access brokers"
Collection: 2 techniques
Command and Control: 1 technique
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Infostealer distributed via email that collects documents, keystrokes, email client data, browser data, screenshots, and cryptocurrency wallet information.
Named as one of the malware families previously delivered by the PanthomVAI loader.
VB6-compiled infostealer that steals browser credentials, FTP client credentials, and keystrokes, uses RunOnce persistence, drops vbsqlite3.dll to access SQLite browser databases, and exfiltrates data via Telegram Bot API, FTP, and HTTP POST.
Credential-harvesting infostealer marketed as surveillance software. It collects browser logins/cookies, financial data, and email application contact details; stores data locally and exfiltrates via email, FTP, Telegram, or HTTP uploads. Uses legacy Visual Basic 6.0 and older runtime components plus string encryption/obfuscation to hinder detection and analysis.