DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

    Date: 05/15/2025

    Severity: Medium

    Summary

    In January 2025, researchers uncovered a series of attacks delivering DarkCloud Stealer, a sophisticated malware that uses AutoIt scripting to evade detection. The attack chain involved hosting the malware on a file-sharing server and deploying multi-stage, obfuscated payloads, making it difficult for traditional security tools to detect. DarkCloud is capable of stealing sensitive data and establishing command and control (C2) communications, highlighting the need for advanced detection methods and thorough threat analysis.

    Indicators of Compromise (IOC) List

    URL/Domains

    https://files.catbox.moe/olyfi3.001

    Hash

    bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc

    9940de30f3930cf0d0e9e9c8769148594240d11242fcd6c9dd9e9f572f68ac01

    30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371

    1269c968258999930b573682699fe72de72d96401e3beb314ae91baf0e0e49e8

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    domainname like "https://files.catbox.moe/olyfi3.001" or siteurl like "https://files.catbox.moe/olyfi3.001" or url like "https://files.catbox.moe/olyfi3.001"

    Detection Query 2

    sha256hash IN ("9940de30f3930cf0d0e9e9c8769148594240d11242fcd6c9dd9e9f572f68ac01","bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc","30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371","1269c968258999930b573682699fe72de72d96401e3beb314ae91baf0e0e49e8")
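    The two queries above are sweeps of a SIEM for the listed IOCs. The following is an added example, not Gurucul or Unit 42 code, that applies the same two checks to newline-delimited JSON log events so the logic can be tested outside the TDIR platform. The event field names (sha256hash, url, siteurl, domainname, host) and the sample events are assumptions constructed for this example; the hash and URL values are the IOCs from this advisory.

```python
"""Match log events against the DarkCloud Stealer IOCs in this advisory.

Added example (not Gurucul or Unit 42 code). Field names and sample
events are assumptions; IOC values are taken from the advisory.
"""
import json

# IOC values as listed in the advisory (SHA-256 of the delivered files,
# and the file-sharing URL used to host the payload).
IOC_SHA256 = {
    "bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc",
    "9940de30f3930cf0d0e9e9c8769148594240d11242fcd6c9dd9e9f572f68ac01",
    "30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371",
    "1269c968258999930b573682699fe72de72d96401e3beb314ae91baf0e0e49e8",
}
IOC_URLS = {"https://files.catbox.moe/olyfi3.001"}

# Assumed event fields, mirroring the field names in Detection Query 1.
URL_FIELDS = ("url", "siteurl", "domainname")


def match_event(event: dict) -> list[str]:
    """Return a list of 'field:value' hits for one event (empty if clean).

    Hashes are compared case-insensitively because tooling emits both
    upper- and lower-case hex; URLs are compared after trimming whitespace
    and lower-casing, matching the exact-string intent of the queries.
    """
    hits = []
    digest = event.get("sha256hash")
    if isinstance(digest, str) and digest.strip().lower() in IOC_SHA256:
        hits.append("sha256hash:" + digest.strip().lower())
    ioc_urls_lc = {u.lower() for u in IOC_URLS}
    for field in URL_FIELDS:
        value = event.get(field)
        if isinstance(value, str) and value.strip().lower() in ioc_urls_lc:
            hits.append(f"{field}:{value.strip()}")
    return hits


def scan(lines) -> list[tuple[str, list[str]]]:
    """Parse JSON-lines events and return (host, hits) for each match.

    Malformed lines are skipped rather than aborting the sweep.
    """
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = match_event(event)
        if hits:
            results.append((str(event.get("host", "unknown")), hits))
    return results


# Constructed sample events: one hash hit (upper-case hex), one URL hit in
# the siteurl field, one benign event, and one malformed line.
SAMPLE_LOGS = """
{"host": "ws-01", "sha256hash": "BF3B43F5E4398AC810F005200519E096349B2237587D920D3C9B83525BB6BAFC"}
{"host": "ws-02", "siteurl": "https://files.catbox.moe/olyfi3.001 "}
{"host": "ws-03", "sha256hash": "0000000000000000000000000000000000000000000000000000000000000000", "url": "https://example.com/"}
this line is not json
"""


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOGS.splitlines()):
        print(host, hits)
```

Note that Query 1 compares the full URL against a domainname field; if that field carries only the host name in your data, an exact match will never fire, and a second sweep on the host part of the URL is the broader hunt.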

    Reference:

    https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/


    Tags

    Malware, DarkCloud, AutoIt, Data Stealer
