Date: 05/15/2025
Severity: Medium
Summary
In January 2025, researchers uncovered a series of attacks delivering DarkCloud Stealer, an information stealer that uses AutoIt scripting to evade detection. The attack chain hosted the malware on a file-sharing server and deployed multi-stage, obfuscated payloads, which makes the infection difficult for traditional security tools to detect. DarkCloud steals sensitive data and establishes command and control (C2) communications, highlighting the need for advanced detection methods and thorough threat analysis.
Indicators of Compromise (IOC) List
Type | Value
URL/Domains | https://files.catbox.moe/olyfi3.001
Hash (SHA-256) | bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc
Hash (SHA-256) | 9940de30f3930cf0d0e9e9c8769148594240d11242fcd6c9dd9e9f572f68ac01
Hash (SHA-256) | 30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371
Hash (SHA-256) | 1269c968258999930b573682699fe72de72d96401e3beb314ae91baf0e0e49e8
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Query | Logic
Detection Query 1 | domainname like "https://files.catbox.moe/olyfi3.001" or siteurl like "https://files.catbox.moe/olyfi3.001" or url like "https://files.catbox.moe/olyfi3.001"
Detection Query 2 | sha256hash IN ("9940de30f3930cf0d0e9e9c8769148594240d11242fcd6c9dd9e9f572f68ac01","bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc","30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371","1269c968258999930b573682699fe72de72d96401e3beb314ae91baf0e0e49e8")
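The two detection queries above can be applied outside the Gurucul platform as well, for example when sweeping an exported log file for the same indicators. The script below is an added example, not part of this advisory and not a Gurucul or Unit 42 tool. It takes the URL and SHA-256 values from the IOC list, reads JSON-lines records that carry the same field names the queries use (domainname, siteurl, url, sha256hash), and reports which field matched which indicator. Hash comparison is case-insensitive because log sources differ in how they print digests; URL comparison is exact, matching the `like "<full url>"` form of Query 1. The sample records are constructed for the demonstration and are not real telemetry.

```python
"""Match log events against the DarkCloud Stealer IOCs listed in this advisory.

Added example, not part of the original advisory or of any vendor product.
The IOC values come from the advisory; the sample events are constructed.
"""
import json

# URL IOC from the advisory (the file-sharing host used to stage the payload).
IOC_URLS = {
    "https://files.catbox.moe/olyfi3.001",
}

# SHA-256 hashes from the advisory, stored lowercase for comparison.
IOC_SHA256 = {
    "bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc",
    "9940de30f3930cf0d0e9e9c8769148594240d11242fcd6c9dd9e9f572f68ac01",
    "30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371",
    "1269c968258999930b573682699fe72de72d96401e3beb314ae91baf0e0e49e8",
}

# Event fields the advisory's queries inspect (Query 1: URL fields, Query 2: hash).
URL_FIELDS = ("domainname", "siteurl", "url")
HASH_FIELD = "sha256hash"


def match_event(event):
    """Return a list of (field, ioc) hits for one event; empty list if clean.

    Hashes are compared case-insensitively after stripping whitespace, since
    different log sources emit SHA-256 in upper or lower case. URLs are
    compared exactly, mirroring the advisory's `like "<full url>"` queries.
    """
    hits = []
    for field in URL_FIELDS:
        value = event.get(field)
        if isinstance(value, str) and value.strip() in IOC_URLS:
            hits.append((field, value.strip()))
    digest = event.get(HASH_FIELD)
    if isinstance(digest, str):
        digest = digest.strip().lower()
        if digest in IOC_SHA256:
            hits.append((HASH_FIELD, digest))
    return hits


def scan_jsonl(lines):
    """Scan JSON-lines records; return [(line_number, hits)] for matching lines.

    Malformed lines are skipped rather than aborting the scan, so one bad
    record in a large export does not hide later matches.
    """
    matches = []
    for lineno, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = match_event(event)
        if hits:
            matches.append((lineno, hits))
    return matches


# Constructed sample events (not real telemetry): a proxy hit on the staging
# URL, a file event carrying the first hash in upper case, a benign web
# request, a malformed line, and a file event whose hash is not an IOC.
SAMPLE_LOG = [
    '{"host": "ws-01", "url": "https://files.catbox.moe/olyfi3.001"}',
    '{"host": "ws-02", "sha256hash": "BF3B43F5E4398AC810F005200519E096349B2237587D920D3C9B83525BB6BAFC"}',
    '{"host": "ws-03", "url": "https://example.com/index.html"}',
    'not json at all',
    '{"host": "ws-04", "sha256hash": "0000000000000000000000000000000000000000000000000000000000000000"}',
]

if __name__ == "__main__":
    for lineno, hits in scan_jsonl(SAMPLE_LOG):
        for field, ioc in hits:
            print(f"line {lineno}: {field} matched IOC {ioc}")
```

Run against a real export by replacing SAMPLE_LOG with the lines of a JSON-lines file; only lines 1 and 2 of the sample match, and the upper-case hash on line 2 is still caught because of the normalisation in match_event.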
Reference:
https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/