DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt
Summary:
In January 2025, researchers at Unit 42 uncovered ongoing attacks distributing the DarkCloud Stealer malware. These recent attacks exhibit an evolution in tactics, notably incorporating AutoIt to potentially evade traditional detection mechanisms. The observed attack chain typically commences with a phishing email, which may contain either a malicious RAR archive directly or a phishing PDF designed to trick victims into downloading such an archive from a file-sharing service. The RAR archive then contains an AutoIt compiled executable. This executable is bundled with two encrypted data files: one containing shellcode and the other the XORed DarkCloud Stealer payload. The AutoIt script within the executable is responsible for decrypting and executing these payloads in a multi-stage process. Analysis indicates that threat actors have been advertising DarkCloud Stealer since January 2023 and have targeted various sectors, with a notable focus on government organizations. Furthermore, a February 2025 report identified DarkCloud Stealer in attacks against entities in Poland. The malware, initially seen in 2022, is designed to steal sensitive browser data, including credentials and financial information, and is under active development with observed new variants in late January 2025.
Security Officer Comments:
The resurgence of DarkCloud Stealer in early 2025, particularly its integration of AutoIt for obfuscation and evasion, presents a challenge for defenders. The use of AutoIt compilation and encryption of payloads demonstrates the malware author's intent to complicate static analysis and signature-based detection. Hosting the malware on file-sharing services is another notable characteristic: it is convenient for the attackers, but it is also a double-edged sword. Compared with dedicated infrastructure, the attackers have less control over the hosted files, and the attack chain breaks whenever the service provider removes the files or the account that uploaded them.
The multi-stage delivery mechanism, starting with phishing emails, highlights the need for robust email security and user awareness training to mitigate that initial access vector. The observed targeting of government organizations underscores the potential for high-impact data breaches. The continued development and the identification of new variant samples, as evidenced by the sample timeline, necessitate ongoing monitoring and adaptation of detection strategies with this threat in mind. Organizations should prioritize the development and deployment of dynamic and behavioral analysis techniques to identify malicious activity. Furthermore, understanding the specific anti-analysis techniques incorporated within DarkCloud, which are detailed in the Unit 42 blog, is crucial. The fact that the malware has been active since 2022 and continues to evolve suggests a persistent threat actor and makes further changes to its tactics, techniques, and procedures likely; defenders should remain vigilant for them. Proactively sharing threat intelligence, such as the information provided by Unit 42, a Polish telecommunications provider, and CERT Orange Polska (references at the end of Unit 42's article), is essential for developing and implementing effective preventative measures.
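The delivery bundle described in the summary (an AutoIt-compiled executable shipped next to encrypted data files) and the call above for behavioral rather than signature-based detection suggest a simple triage heuristic for extracted archives. The following is an added example, not Unit 42's tooling: it flags a PE carrying the AutoIt compiled-script marker together with high-entropy non-PE companions. The entropy threshold and the constructed sample files are assumptions for illustration.

```python
"""Triage heuristic for the DarkCloud-style bundle: an AutoIt-compiled PE
plus encrypted companion data files. Added example; thresholds and sample
data are assumptions, not values taken from the report."""
import math
import random
from collections import Counter

# Marker that AutoIt's Aut2Exe embeds in every compiled script (real signature).
AUTOIT_MARKER = b"AU3!EA06"
# Bits per byte (max 8.0). Encrypted or compressed data sits near 8.0; the
# cutoff itself is an assumption for this example. Caveat: a single-byte XOR
# is a bijection on byte values and leaves entropy unchanged, so this check
# only catches multi-byte keys or other transformations that flatten the
# byte histogram; treat it as one signal among several.
HIGH_ENTROPY = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_autoit_compiled(data: bytes) -> bool:
    """True for a PE image that embeds the AutoIt compiled-script marker."""
    return data[:2] == b"MZ" and AUTOIT_MARKER in data


def triage_bundle(files: dict[str, bytes]) -> dict:
    """Score a set of extracted files (name -> content) for the reported
    pattern: one AutoIt-compiled PE plus high-entropy non-PE companions."""
    autoit = [n for n, d in files.items() if is_autoit_compiled(d)]
    blobs = [n for n, d in files.items()
             if d[:2] != b"MZ" and shannon_entropy(d) >= HIGH_ENTROPY]
    return {"autoit_executables": autoit,
            "high_entropy_companions": blobs,
            "suspicious": bool(autoit) and bool(blobs)}


def sample_bundle() -> dict[str, bytes]:
    """Constructed stand-in for an extracted archive (not real samples)."""
    rng = random.Random(2025)  # seeded so results are reproducible
    fake_pe = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"A" * 512
               + AUTOIT_MARKER + b"\x00" * 256)
    return {"a.exe": fake_pe,               # AutoIt-compiled launcher
            "data1.bin": rng.randbytes(4096),  # stand-in encrypted blob
            "data2.bin": rng.randbytes(8192),  # stand-in encrypted blob
            "notes.txt": b"plain text " * 100}  # benign low-entropy file


if __name__ == "__main__":
    print(triage_bundle(sample_bundle()))
```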
Suggested Corrections:
IOCs are available in the Unit 42 article linked below.
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from their customers. If in doubt, users should verify with the company itself to avoid any potential issues.
Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.
As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.
Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.
Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.
Users should not be frightened or intimidated by messages that have an alarmist tone. They should double-check with the company if they are uncertain about the status of their accounts.
Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.
Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.
Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.
Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.
It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.
If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.
Link(s):
https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/