
DarkCloud Stealer Targets Windows Systems to Harvest Login Credentials and Financial Data


A new variant of the DarkCloud information-stealer malware has been observed targeting Microsoft Windows systems, collecting sensitive data such as login credentials, financial information, and personal contacts from infected users.

Discovered in early July 2025 by Fortinet’s FortiGuard Labs, this high-severity campaign uses targeted phishing to initiate infections and employs advanced evasion methods, including fileless execution and process hollowing.

DarkCloud, first identified in 2022, is a stealthy Windows-based malware engineered to exfiltrate a wide array of sensitive information from compromised machines, posing substantial risks to individual privacy and organizational security.

New DarkCloud variant infection chain.

Exploits Fileless Techniques

The campaign’s infection chain begins with a phishing email containing a RAR archive disguised as an urgent quote, lacking any message body to heighten curiosity and prompt immediate interaction.

Upon extraction, the archive reveals a standalone JavaScript file, which, when executed via WScript.exe, deobfuscates and launches Base64-encoded ...
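As an added illustration that is not part of the original report or FortiGuard Labs' own tooling, the rule below runs over constructed process-creation events and flags WScript.exe executing a script file from an archive-extraction or download path, which is the first execution step of the chain described above. The process names, paths, and directory patterns are assumptions for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (parent name, image path, command line)."""
    parent: str
    image: str
    cmdline: str


# Constructed sample telemetry for the example; not real DarkCloud artefacts.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\Rar$DIa1234\Quote.js"'),
    ProcEvent("explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"'),
    ProcEvent("services.exe", r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs"),
    ProcEvent("winrar.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\u\Downloads\quote\Quote_7781.js"),
]

SCRIPT_HOST = re.compile(r"(?:^|\\)[wc]script\.exe$", re.I)          # wscript.exe / cscript.exe
SCRIPT_ARG = re.compile(r'([^"\s]+\.(?:js|jse|vbs|vbe|wsf))(?=["\s]|$)', re.I)
SUSPICIOUS_DIR = re.compile(r"\\(?:Temp|Downloads|Rar\$)", re.I)   # temp / download / WinRAR extraction dirs
ARCHIVER_PARENTS = {"winrar.exe", "7zfm.exe"}                      # assumed archiver process names


def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event is suspicious (empty list if it looks benign)."""
    if not SCRIPT_HOST.search(ev.image):
        return []
    scripts = SCRIPT_ARG.findall(ev.cmdline)
    if not scripts:
        return []
    reasons = []
    if any(SUSPICIOUS_DIR.search(p) for p in scripts):
        reasons.append("script launched from temp/download/archive path")
    if ev.parent.lower() in ARCHIVER_PARENTS:
        reasons.append("script host spawned directly by an archiver")
    return reasons


def detect(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Run the rule over a batch and return (index, reasons) for each hit."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]


if __name__ == "__main__":
    for i, reasons in detect(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i].cmdline}\n  -> {'; '.join(reasons)}")
```

A scheduled `.vbs` run from a non-temp directory (event 1) is deliberately left unflagged, so the rule keys on location and parent rather than on the script host alone.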


Copyright of this story solely belongs to gbhackers. To see the full text click HERE.