The DarkCloud Campaign

In early July 2025, Fortinet's FortiGuard Labs team observed a new DarkCloud campaign in the wild. It began with a phishing email carrying a RAR archive. Fortinet investigated the campaign and published a step-by-step analysis. DarkCloud is a known Windows information stealer, first identified in 2022, built to harvest sensitive data from the victim's computer, including saved login credentials, financial data, and email contacts.

Below, the analysts show how the campaign gains a foothold on the victim's computer, how it establishes persistence, how it downloads, decodes and deploys the fileless DarkCloud payload, what sensitive information this variant harvests, and how the stolen data is exfiltrated.[1]

Infection Chain - Figure 1 shows the infection chain of this new DarkCloud variant.

Figure 1: New DarkCloud variant infection chain.

Initialization of Phishing Email Attack - The phishing email, shown in Figure 2, lures recipients into opening an attached RAR file under the pretext of an urgent quote. Notably, the email has no message body; only the attachment is included.

Figure 2: The phishing email with a RAR attachment.

Opening Quote #S_260627.RAR in WinRAR reveals a single JavaScript file, Quote #S_260627.js. When the recipient double-clicks the .js file, the default .js file association hands it to WScript.exe, the Windows script host, which executes it. Re-pointing that association to a text editor, or disabling Windows Script Host by policy, breaks the chain at this point before any attacker code runs.

JavaScript & PowerShell - The JS code is obfuscated, as shown in Figure 3. When executed, it dynamically decodes a piece of PowerShell code from the obfuscated strings, then creates a WScript.Shell object and uses it to run the decoded PowerShell.

Figure 3: Partial code of the JavaScript file.

The cosmea variable holds the decoded launcher string PowerShell -w hidden -noprofile -ep bypass -c (hidden window, no profile, execution policy bypassed, then run the command that follows), while the effortless variable holds the PowerShell code itself. That code is Base64-encoded and decoded at runtime. Figure 4 shows the decoded PowerShell code, which is split into several parts.

Figure 4: Base64-decoded PowerShell code.

It downloads a JPEG file (the archive.org URL listed under the IOCs below) that looks like an ordinary picture, shown in Figure 5.

Figure 5: View of the disguised JPEG file.

According to Fortinet's analysis, an encrypted .NET DLL is embedded in the image data of this JPEG. The PowerShell code recovers the DLL by parsing the JPEG file, loads it with the [Reflection.Assembly]::Load() method, and then calls the ClassLibrary1.Home.VAI() method through Invoke(), passing an array of parameters carried in the $florinda variable.

Dissecting the .NET Module - The assembly name of the .NET DLL is Microsoft.Win32.TaskScheduler, a name that mimics a legitimate Task Scheduler wrapper library; the disguise is likely intended to mislead both the victim and researchers. Figure 6 shows a debugger view paused at the entry point method VAI() of the .NET DLL.

Figure 6: Viewing the VAI() method in a debugger.

The .NET DLL module is responsible for establishing persistence, downloading and decoding the fileless DarkCloud payload, and injecting that payload into a legitimate Windows process by process hollowing.

Persistence Mechanism - The module copies the JavaScript file to a new location by running the command line cmd.exe /C copy *.js C:\Users\Public\Downloads\edriophthalma.js. Both the target folder and the file name are supplied as parameters by the PowerShell code.

It then adds an auto-run entry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, as shown in Figure 7.

Figure 7: The auto-run item added to the system registry.

Run entries under HKCU are executed when the user logs on, so the copied edriophthalma.js is re-run by the script host at every logon. Because the script re-downloads and re-decodes the later stages each time, the payload itself never has to touch disk, which is what keeps the final stage fileless.
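The launcher string decoded from the JavaScript (PowerShell -w hidden -noprofile -ep bypass -c ...) and the Run-key entry that re-launches the copied .js file are both plain command strings, so a single triage routine over process-creation and Run-key command lines serves both passages. The following is an added example, not code from the Fortinet analysis; the sample command lines are constructed to match the shapes described above, and the scoring rules are the editor's own heuristics rather than anything the campaign uses.

```python
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta|ps1)\b", re.I)
WRITABLE_DIRS = re.compile(r"\\(Users\\Public|AppData\\Local\\Temp|ProgramData|Windows\\Temp)\\", re.I)

# Constructed samples shaped like the strings described in the article: a loader
# launch, a Run-key value, a benign updater for contrast, and an -EncodedCommand variant.
SAMPLE_COMMANDS = [
    'PowerShell -w hidden -noprofile -ep bypass -c "$x=[Convert]::FromBase64String(\'aGk=\')"',
    r'wscript.exe "C:\Users\Public\Downloads\edriophthalma.js"',
    r'"C:\Program Files\Vendor\Updater.exe" /background',
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode("Write-Host hi".encode("utf-16-le")).decode(),
]


def tokenize(cmd: str) -> list:
    """Split a Windows command line, keeping double-quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def _abbreviates(token: str, full: str) -> bool:
    """PowerShell.exe accepts any unambiguous prefix of a switch name (-w, -wi, -window ...)."""
    return len(token) > 1 and full.startswith(token)


def decode_encoded_command(tokens: list):
    """Return the script hidden behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if t.startswith("-e") and _abbreviates(t, "-encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage_command(cmd: str) -> dict:
    """Score one command line; 'reasons' lists every suspicious trait found."""
    tokens = tokenize(cmd)
    if not tokens:
        return {"command": cmd, "reasons": [], "decoded": None}
    exe = tokens[0].lower().rsplit("\\", 1)[-1]
    if not exe.endswith(".exe"):
        exe += ".exe"                      # "PowerShell" and "powershell.exe" are the same binary
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script host {exe}")
    if SCRIPT_EXT.search(cmd):
        reasons.append("script file argument")
    if WRITABLE_DIRS.search(cmd):
        reasons.append("user-writable path")
    is_ps = exe in ("powershell.exe", "pwsh.exe")
    if is_ps:
        low = [t.lower() for t in tokens]
        for i, t in enumerate(low[:-1]):
            nxt = low[i + 1]
            if t.startswith("-w") and _abbreviates(t, "-windowstyle") and nxt.startswith("hidden"):
                reasons.append("hidden window")
            elif (t in ("-ep", "-ex") or (len(t) > 2 and _abbreviates(t, "-executionpolicy"))) \
                    and nxt in ("bypass", "unrestricted"):
                reasons.append("execution policy bypass")   # -ep / -ex are documented short forms
    decoded = decode_encoded_command(tokens) if is_ps else None
    if decoded is not None:
        reasons.append("encoded command")
    return {"command": cmd, "reasons": reasons, "decoded": decoded}


if __name__ == "__main__":
    for result in map(triage_command, SAMPLE_COMMANDS):
        print(result["reasons"] or "clean", "<-", result["command"][:60])
```

The same routine can be fed Sysmon event ID 1 command lines or the values enumerated from the HKCU and HKLM Run keys; a script host launching a .js file out of C:\Users\Public, as in this campaign, trips three rules at once.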

Payload Download - The first parameter passed to the VAI() method is a reversed, Base64-encoded string (refer to Figure 6). The .NET module reverses and Base64-decodes it to obtain the URL hxxp://paste[.]ee/d/0WhDakVP/0. Requesting that URL returns a reversed PE file in the response body, as illustrated in Figure 8.

Figure 8: Reversed DarkCloud payload.

Reversing the response and converting it from a hex string to binary yields an EXE image that exists only in memory: the fileless payload of this DarkCloud variant.

Deploy DarkCloud Payload with Process Hollowing - The module searches the .NET Framework directories on the victim's system for MSBuild.exe; the file name is supplied by the PowerShell code (see Figure 6). In the researchers' environment it resolved to %Windir%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, which is the 32-bit build (the 64-bit build lives under Framework64).

It then performs process hollowing on the newly created MSBuild.exe process. To do so it calls a series of Windows APIs, such as those listed in Figure 9.

Figure 9: Partial list of Windows APIs used for process hollowing.

The steps involved are as follows:

  • It creates a new MSBuild.exe process in the suspended state.
  • It unmaps the original image from the new process and writes the DarkCloud payload into it.
  • It updates the suspended main thread's context so that EAX, which holds the entry-point address of a freshly created 32-bit process, points to the DarkCloud entry point.
  • It resumes the suspended process, so DarkCloud runs inside what looks like a legitimate MSBuild.exe process.

The relevant Windows APIs called are CreateProcess(), ReadProcessMemory(), VirtualAllocEx(), NtUnmapViewOfSection(), WriteProcessMemory(), GetThreadContext(), SetThreadContext(), and ResumeThread().

For defenders, the tell-tale signs of this step are an MSBuild.exe whose parent is powershell.exe, launched with no build arguments, and whose in-memory image no longer matches the file on disk.
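The two encoding tricks in the download step (a reversed Base64 URL, then a reversed hex PE) and the header fields the hollowing step needs (image base, image size, entry point for EAX) fit naturally in one script, so the following added example covers both the Payload Download and the Process Hollowing passages. It is not code from the Fortinet analysis or from the malware: the URL and the header-only PE image are constructed placeholders so the script runs offline, and the real URL and payload hash are listed only under the IOCs.

```python
import base64
import struct

# Constructed placeholder; the campaign's real URL is under the IOCs, not here.
SAMPLE_URL = "http://example.invalid/d/payload/0"


def encode_reversed_b64(text: str) -> str:
    """Loader-side form of the VAI() parameter: Base64-encode, then reverse the characters."""
    return base64.b64encode(text.encode()).decode()[::-1]


def decode_reversed_b64(blob: str) -> str:
    """What the .NET module does: reverse the characters first, then Base64-decode."""
    return base64.b64decode(blob[::-1]).decode()


def build_minimal_pe32(image_base=0x400000, entry_rva=0x1000, size_of_image=0x3000) -> bytes:
    """Header-only PE32 image (constructed test data, not the real payload).
    Only the fields the hollowing step consumes are populated."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE signature follows the DOS header
    # IMAGE_FILE_HEADER: Machine=I386, 0 sections, 224-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, image_base)      # ImageBase (4 bytes in PE32)
    struct.pack_into("<I", opt, 56, size_of_image)   # SizeOfImage
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def to_reversed_hex(pe: bytes) -> str:
    """Server-side form described in the article: hex string, reversed."""
    return pe.hex()[::-1]


def from_reversed_hex(blob: str) -> bytes:
    """Client-side recovery: reverse the string, then hex-decode."""
    return bytes.fromhex(blob[::-1])


def parse_pe_headers(pe: bytes) -> dict:
    """Pull out the values a hollowing loader needs from the recovered image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections = struct.unpack_from("<HH", pe, coff)
    opt = coff + 20                                   # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    if magic == 0x10B:                                # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                              # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image = struct.unpack_from("<I", pe, opt + 56)[0]
    return {
        "machine": machine,
        "is_32bit": magic == 0x10B,
        "sections": nsections,
        "image_base": image_base,
        "size_of_image": size_of_image,       # how much to VirtualAllocEx in the hollowed process
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,   # value placed in EAX (32-bit) or RCX (64-bit) via SetThreadContext
    }


def recover_payload(reversed_hex_blob: str) -> dict:
    """End-to-end: undo the reversal and report the header values for the hollowing step."""
    return parse_pe_headers(from_reversed_hex(reversed_hex_blob))


if __name__ == "__main__":
    print(decode_reversed_b64(encode_reversed_b64(SAMPLE_URL)))
    print(recover_payload(to_reversed_hex(build_minimal_pe32())))
```

Running recover_payload() on a blob carved from the paste[.]ee response, or from a PowerShell process memory dump, gives the same numbers the .NET module feeds to VirtualAllocEx() and SetThreadContext(); comparing entry_va against the EAX value seen in a debugger at the ResumeThread() call is a quick way to confirm that hollowing is what is happening.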

A Closer Look at the DarkCloud Payload - The DarkCloud payload is written in Microsoft Visual Basic 6. Analysing it with VB Decompiler reveals the code structure shown in Figure 10.

Figure 10: The DarkCloud code structure.

The variant consists of a Form with several Timer controls attached. In Visual Basic, a Timer is a control whose handler function fires repeatedly at a configured interval. According to Fortinet's analysis, Timer4 is the primary worker timer; its handler is called every 150 milliseconds.

Anti-Analysis Techniques

Encrypted Constant Strings - To hinder analysis, DarkCloud encrypts most of its constant strings. There are more than 600 encrypted constant strings throughout this payload, all decrypted dynamically at runtime. Figure 11 shows an example of decrypting the Unicode constant string VBScript.RegExp.

Figure 11: Decrypted constant strings.

Anti-Sandbox - Timer4's handler contains a mechanism to evade automated analysis systems such as sandboxes. It checks whether a real user is present by watching for mouse and keyboard activity.

The malware calls the GetAsyncKeyState() API, which takes a virtual-key code and returns a value whose most significant bit is set if that key is currently down and whose least significant bit is set if the key was pressed since the previous call; a return value of 0x8001 therefore indicates a fresh key or mouse-button press. DarkCloud polls the API repeatedly until it observes a press, as shown in Figure 12; until then it stays idle, so a sandbox that generates no input never reaches the stealing code. Sandboxes that simulate mouse movement and keystrokes defeat this check.

Figure 12: Code snippet for checking the victim's input event.

Collecting Sensitive Information - Basic information:

  • DarkCloud retrieves the computer name and username from the compromised system by calling rtcEnvironVar(), the VB runtime routine behind the Environ() function, which reads environment variables.
  • It obtains the victim's public IP address by sending a request to http://showip.NET.

Credentials and Payment Information - The malware harvests saved credentials and payment information from several popular web browsers.

Figure 13: Browser profile paths.

DarkCloud walks the profile paths of the browsers listed in Figure 13 to reach the sensitive data stored in the Login Data and Web Data files. Both are SQLite3 databases.

It executes two SQL queries, both stored as encrypted constant strings, to read the logins and credit_cards tables:

SELECT origin_url, username_value, password_value FROM logins
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards

It uses the SQLite C API, including sqlite3_prepare_v2(), sqlite3_column_text(), and sqlite3_column_blob(), to extract the data.

Some of the retrieved data, such as saved passwords, is stored encrypted. DarkCloud drops and executes a second EXE that extracts the decryption key, and then uses that key to decrypt the passwords.
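The two queries above run against ordinary SQLite files, so the harvesting step can be reproduced, and the "encrypted" part of the text made concrete, with a few lines of Python. The following is an added example, not code from the Fortinet analysis or from the malware: it builds an in-memory stand-in for the Login Data and Web Data databases with constructed rows, runs the stealer's two queries, and reports which protection each stored value carries. The Chromium value formats it recognises (a "v10"/"v11" prefix for AES-GCM with the key kept, DPAPI-wrapped, in the profile's Local State file; a raw DPAPI blob header for older rows) are general Chromium facts, not something the article states.

```python
import sqlite3

# The two queries quoted in the article (decrypted constant strings in the payload).
LOGINS_QUERY = "SELECT origin_url, username_value, password_value FROM logins"
CARDS_QUERY = ("SELECT name_on_card, expiration_month, expiration_year, "
               "card_number_encrypted FROM credit_cards")

# Fixed 20-byte header (version 1 + provider GUID) that opens every DPAPI blob.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def build_sample_profile() -> sqlite3.Connection:
    """In-memory stand-in for a Chromium 'Login Data' / 'Web Data' pair.
    Rows are constructed samples, not data from the original analysis."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB);
        CREATE TABLE credit_cards (name_on_card TEXT, expiration_month INTEGER,
                                   expiration_year INTEGER, card_number_encrypted BLOB);
    """)
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        # "v10" + 12-byte nonce + ciphertext + 16-byte GCM tag (shape only, not a real secret)
        ("https://mail.example.test/login", "alice", b"v10" + bytes(12) + b"\xde\xad\xbe\xef" + bytes(16)),
        # legacy row protected directly with DPAPI
        ("https://bank.example.test/", "bob", DPAPI_HEADER + bytes(32)),
    ])
    conn.executemany("INSERT INTO credit_cards VALUES (?, ?, ?, ?)", [
        ("Alice Example", 12, 2027, b"v10" + bytes(12) + bytes(20)),
    ])
    conn.commit()
    return conn


def classify_blob(blob: bytes) -> str:
    """Name the protection on a stored value, i.e. which key the stealer still needs."""
    if blob[:3] in (b"v10", b"v11"):
        return "aes-gcm (key in Local State)"
    if blob.startswith(DPAPI_HEADER):
        return "dpapi"
    return "unknown"


def harvest(conn: sqlite3.Connection) -> dict:
    """Run the stealer's two queries. Python's sqlite3 module wraps the same
    sqlite3_prepare_v2 / sqlite3_column_* calls the VB6 payload makes directly."""
    logins = [
        {"origin_url": url, "username": user, "password_encryption": classify_blob(pw)}
        for url, user, pw in conn.execute(LOGINS_QUERY)
    ]
    cards = [
        {"name_on_card": name, "expires": f"{month:02d}/{year}",
         "number_encryption": classify_blob(num)}
        for name, month, year, num in conn.execute(CARDS_QUERY)
    ]
    return {"logins": logins, "credit_cards": cards}


if __name__ == "__main__":
    for table, rows in harvest(build_sample_profile()).items():
        print(table, rows)
```

Two practical points follow from this. A running browser keeps Login Data open, so a stealer has to copy the file before querying it; a non-browser process reading Login Data or Web Data is the file-access event worth alerting on. And because the ciphertext alone is useless, the second EXE the article mentions exists precisely to obtain the key, which is why the drop-and-execute of that helper is a second detection opportunity.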

All collected data is written to a local text file (see Figure 14), which is later sent to the attacker.

Figure 14: Example of credentials and payment information collected from Chrome.

Besides web browsers, DarkCloud also collects credentials from email clients and FTP clients, and gathers sensitive data from the following profile folders:

%AppData%\Adobe
%AppData%\dnSpy
%AppData%\FileZilla
%AppData%\IDMComp
%AppData%\Mozilla
%AppData%\SweetScape
%AppData%\Wireshark

Relevant software list:

Google Chrome, Microsoft Edge (and Edge-based Browsers), Mozilla Firefox, Brave Browser, FoxMail, eM Client, Microsoft Outlook, CoreFTP, WinSCP, Adobe, dnSpy, FileZilla, IDMComp, Mozilla, SweetScape, and Wireshark.

Email Contacts:

DarkCloud can retrieve the victim's email contacts from several email clients installed on the compromised computer. As with the credentials, the harvested contacts are saved to local text files.

The following file names (also decrypted constant strings) correspond to the supported email clients; each file is submitted to the attacker:

ThunderBirdContacts.txt
163MailContacts.txt
EMClient10Contacts.txt
OutlookContacts.txt

Email clients list:

Mozilla Thunderbird, NetEase MailMaster, eM Client, and Microsoft Outlook.

Submission over SMTP - DarkCloud supports both FTP and SMTP for exfiltrating collected data to the attacker.

This variant uses SMTP. All the relevant strings, including the SMTP server domain, the login email account and password, and the recipient email address, are decrypted constant strings, and are therefore recoverable from a memory dump of the hollowed MSBuild.exe process.

Figure 15: Malware about to send collected data over SMTP.

Figure 15 shows DarkCloud submitting the collected credentials and payment information as a text-file attachment to an email. The same method is used to submit the harvested email contacts.

The email subject carries basic information about the victim's system, namely the computer name, username, and public IPv4 address, visible at the bottom of Figure 15.

Figure 16 presents a screenshot of the SMTP traffic generated when the text file containing the collected credentials and payment information is transmitted.

Figure 16: Collected data sent via SMTP over TLS.

Because the session is TLS-protected, a network sensor sees only the connection to the SMTP server, not the message or its attachment; the practical network control is egress filtering of direct outbound SMTP and submission traffic from workstations to servers that are not the organisation's own mail relay.
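Where the message can be inspected, that is, at the organisation's own mail gateway or after decrypting the session in a lab, the attachment names and subject layout described above are enough to recognise this exfiltration pattern. The following is an added example, not code from the Fortinet analysis: it constructs a stand-in message (the addresses, the exact subject layout and the attachment contents are assumptions) and parses it the way a gateway filter would, pulling out the recipient, the public IPv4 address carried in the subject, and any attachment whose name matches the contact-file names the article lists.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment names the article lists for the harvested contact files.
KNOWN_ATTACHMENTS = {
    "ThunderBirdContacts.txt", "163MailContacts.txt",
    "EMClient10Contacts.txt", "OutlookContacts.txt",
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_sample_message() -> bytes:
    """Constructed stand-in for the exfiltration email. Addresses, subject layout and
    attachment body are assumptions; only the attachment name comes from the article."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "dropbox@example.invalid"
    # The article says the subject carries computer name, username and public IPv4;
    # the separator used here is an assumption.
    msg["Subject"] = "DESKTOP-TEST / alice / 203.0.113.5"
    msg.set_content("constructed body text")
    msg.add_attachment("constructed contact list\n", subtype="plain",
                       filename="OutlookContacts.txt")
    return msg.as_bytes()


def analyse_message(raw: bytes) -> dict:
    """Gateway-style check: extract the fields that identify this exfiltration pattern."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    subject = str(msg["Subject"] or "")
    ip = IPV4.search(subject)
    return {
        "recipient": str(msg["To"]),
        "subject": subject,
        "public_ip_in_subject": ip.group(0) if ip else None,
        "attachments": attachments,
        "darkcloud_indicator": any(name in KNOWN_ATTACHMENTS for name in attachments),
    }


if __name__ == "__main__":
    print(analyse_message(build_sample_message()))
```

A match on darkcloud_indicator is high-confidence but narrow; the broader, noisier rule is any outbound message from a workstation whose subject contains a public IPv4 address and whose only content is a small .txt attachment.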

Conclusion - This article examined a new DarkCloud campaign discovered by Fortinet's FortiGuard Labs. The campaign begins with a phishing email carrying a malicious RAR archive that lures the recipient into executing the JavaScript file inside it. That script decodes and launches PowerShell code, which in turn loads a fileless .NET DLL, recovered from a JPEG and masquerading as a Task Scheduler module.

The .NET DLL establishes persistence through a Run key, downloads and reverses a payload from a remote URL, and uses process hollowing to inject the final DarkCloud payload into MSBuild.exe.

The payload, written in VB6, evades sandboxes by waiting for keyboard or mouse activity before doing anything else.

The analysis also covered what the malware collects from the compromised system: credentials and payment information stored in web browsers, and credentials held by FTP and email clients, together with the email contacts stored by the victim's mail software.

Finally, it showed how the collected data, saved in text files, is submitted to the attacker over SMTP.

IOCs:

URLs:

hxxps://archive[.]org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg
hxxp://paste[.]ee/d/0WhDakVP/0

Relevant Sample SHA-256:

[Quote #S_260627.js]
381AA445E173341F39E464E4F79B89C9ED058631BCBBB2792D9ECBDF9FFE027D

[DarkCloud payload]
82BA4340BE2E07BB74347ADE0B7B43F12CF8503A8FA535F154D2E228EFBEF69C

 

This article is shared with permission at no charge for educational and informational purposes only.


[1] https://www.fortinet.com/blog/threat-research/unveiling-a-new-variant-of-the-darkcloud-campaign/
