Eye of the Storm: Analyzing DarkCloud’s Latest Capabilities

eSentire’s TRU discovered a spear-phishing campaign that attempted to deliver the DarkCloud info-stealer to a manufacturing customer via a banking-themed email with a malicious ZIP containing Swift Message MT103 FT2521935SVT.exe (DarkCloud v3.2). The report details DarkCloud’s capabilities (browser/password/crypto-wallet theft, keystroke/clipboard harvesting, various exfiltration methods), distribution channels, VB6-based builder and string-encryption, sandbox/VM evasion checks, persistence, IOCs and mitigations. #DarkCloud #eSentire

Key Points

  • eSentire TRU detected a spear-phishing campaign in Sept 2025 delivering DarkCloud via a banking-themed ZIP attachment to a Zendesk support email.
  • DarkCloud is an actively developed VB6 info-stealer (latest v4.2, observed sample v3.2) that harvests browser passwords, cookies, credit cards, keystrokes, FTP/email credentials, files, contacts, and crypto-wallets.
  • The malware is marketed on darkcloud.onlinewebshop[.]net and via Telegram (@BluCoder); its builder requires a local VB6 IDE to compile, raising reuse and variant-proliferation risks.
  • DarkCloud implements string obfuscation using a VB6-specific pseudo-random algorithm (Randomize/Rnd) and researchers reproduced rtcRandomNext/rtcRandomize to decrypt strings.
  • It uses multiple exfiltration channels (SMTP, Telegram API, FTP, PHP web panels) and can retrieve victim external IP via showip[.]net or mediacollege[.]com links.
  • Evasion includes process blacklists, hardware/resource checks (disk <60GB, RAM <1GB, CPUs <2), sandbox filename checks, VM model/file checks, and persistence via RunOnce registry entries with randomized value names.
  • eSentire blocked delivery, assisted remediation, released tooling (config extractor and IDA Python decryption script), and provided a YARA rule and mitigation recommendations (block suspicious ZIPs, PSAT, 24/7 MDR).

MITRE Techniques

  • [T1566] Phishing – delivery via a banking-themed spear-phishing email with a malicious ZIP attachment (“Swift Message MT103 FT2521935SVT.zip” containing “Swift Message MT103 FT2521935SVT.exe”).
  • [T1204.002] User Execution: Malicious File – victim interaction required to run the packed DarkCloud executable contained in the ZIP attachment (“…a packed sample of DarkCloud named ‘Swift Message MT103 FT2521935SVT.exe’”).
  • [T1056.001] Keylogging – captures keystrokes to harvest credentials and other typed data (malware “targets … keystrokes”).
  • [T1056.001] Clipboard Data – harvests clipboard contents and performs clipboard hijacking (“…clipboard contents… clipboard harvesting, clipboard hijacking”).
  • [T1505.001] New Service (Persistence via Registry RunOnce) – persistence using RunOnce registry entries with randomized value names (“…supports persistence via the RunOnce registry key. It uses a list of random words to serve as the value name”).
  • [T1041] Exfiltration Over C2 Channel – exfiltrates stolen data via SMTP, Telegram API, FTP, and PHP web panels (“Stolen credentials/data are sent to attacker-controlled Telegram, FTP, SMTP, or Web Panel (PHP) endpoints”).
  • [T1016] System Network Configuration Discovery – retrieves external IP via showip[.]net or mediacollege URL to identify victim network (“…will grab the victim’s external IP address through showip[.]net … or … mediacollege[.]com”).
  • [T1027] Obfuscated Files or Information – string encryption/obfuscation using a VB6-specific Caesar-like cipher driven by VB6 Randomize/Rnd to conceal static strings (“…supports string encryption … Caesar cipher driven by VB6’s random number generator”).
  • [T1083] File and Directory Discovery / Collection – file grabber collects files from user profile paths and common document locations and targets specific crypto-wallet directories (“…collects files matching … %USERPROFILE%\Desktop … and targets %APPDATA%\Exodus\exodus.wallet, %APPDATA%\Electrum\wallets …”).
  • [T1497] Virtualization/Sandbox Evasion – checks running processes, disk size, memory, CPU count, filename patterns and VM-specific files/strings to avoid analysis environments (“IsProcessListReliable … blacklisted substrings” and hardware/sandbox checks like disk <60GB, RAM <1GB, VM model strings and driver file presence).
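As an added example (not eSentire's config extractor or IDA script), the following Python re-implements the VB6 Randomize/Rnd generator (rtcRandomize/rtcRandomNext) named in the key points and in the T1027 entry, and drives an illustrative per-character Caesar shift with it. The LCG constants and the Randomize float-folding step are as documented by public reverse engineering of MSVBVM60; how DarkCloud derives each shift from Rnd, and the seed value used, are assumptions because the page does not give them.

```python
import struct

# 24-bit LCG behind VB6 Rnd (MSVBVM60 rtcRandomNext), as documented by
# prior reverse engineering; the generator's initial state is 0x50000.
_MULT, _INC, _MASK, _INIT = 0x43FD43FD, 0xC39EC3, 0xFFFFFF, 0x50000


class Vb6Rng:
    """Re-implementation of VB6 Randomize/Rnd (rtcRandomize/rtcRandomNext)."""

    def __init__(self):
        self.state = _INIT

    def randomize(self, seed: float) -> None:
        # Randomize n: take the IEEE-754 single of n, XOR-fold its two
        # 16-bit halves, and splice the result into bits 8..23 of the state.
        bits = struct.unpack("<I", struct.pack("<f", float(seed)))[0]
        folded = (bits ^ (bits >> 16)) & 0xFFFF
        self.state = (self.state & 0xFF) | (folded << 8)

    def rnd(self) -> float:
        # Rnd: advance the LCG modulo 2^24 and scale into [0, 1).
        self.state = (self.state * _MULT + _INC) & _MASK
        return self.state / 16777216.0


def keystream(seed: float, length: int, alphabet_size: int = 26):
    # ASSUMPTION: each shift is Int(Rnd * alphabet_size) after Randomize seed.
    # DarkCloud's actual shift derivation is not described on the page.
    rng = Vb6Rng()
    rng.randomize(seed)
    return [int(rng.rnd() * alphabet_size) for _ in range(length)]


def caesar(text: str, seed: float, decrypt: bool = False) -> str:
    # Per-character Caesar shift over A-Z / a-z; other characters pass through.
    # Decryption regenerates the same keystream and subtracts each shift.
    out = []
    for ch, shift in zip(text, keystream(seed, len(text))):
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            delta = -shift if decrypt else shift
            out.append(chr((ord(ch) - base + delta) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: encrypt a known string with seed 1337, then decrypt.
    enc = caesar("Telegram exfil", 1337)
    print(enc, "->", caesar(enc, 1337, decrypt=True))
```

Replacing `keystream` with the shift derivation recovered from a real sample turns this into a working string decryptor for that build.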

Indicators of Compromise

  • [Email Address] phishing sender – procure@bmuxitq[.]shop (used to send the banking-themed lure).
  • [File Name] malicious attachment/sample – “Swift Message MT103 FT2521935SVT.zip” containing “Swift Message MT103 FT2521935SVT.exe” (DarkCloud v3.2).
  • [Domains/Hosts] distribution and exfiltration hosts – darkcloud.onlinewebshop[.]net (marketing site), mail.apexpharmabd[.]com (observed SMTP exfil host), showip[.]net and mediacollege[.]com (external IP lookups).
  • [Telegram] actor/contact – Telegram user @BluCoder used to market DarkCloud and Telegram API used for exfiltration.
  • [File Hashes] sample PCAP/SHA256 – SMTP exfil PCAP: 3ac8413215cec66aa18c0e530dbe6bf4cf64017763c9580cf787053689f36eaa; Telegram exfil PCAP: 56089cda02771fd45bdd70071d144472f75047f8fa018092e2a21fe11baf9862.

Read more: https://www.esentire.com/blog/eye-of-the-storm-analyzing-darkclouds-latest-capabilities