New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer

    Date: 08/08/2025

    Severity: High

    Summary

    Researchers recently identified changes in DarkCloud Stealer’s distribution and obfuscation techniques, first observed in April 2025. These methods include a new infection chain with ConfuserEx obfuscation and a final payload written in Visual Basic 6 (VB6). Previous attacks linked to DarkCloud Stealer also used AutoIt for evasion, detailed in our earlier report. Current attacks involve phishing emails with different archive types (TAR, RAR, or 7Z), each containing a JavaScript or Windows Script File (WSF), with almost every stage now heavily obfuscated.
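The first stage described above is a script (JavaScript or WSF) delivered inside an archive attachment. The following is an added defensive example, not code from the original advisory or from Unit 42: it inspects the member list of a TAR attachment for script files, including double-extension lures such as `.pdf.wsf`. RAR and 7Z would need third-party parsers; the `.jse` and `.vbs` extensions and the sample file names are assumptions, not values from the page.

```python
import io
import tarfile
from typing import List

# .js and .wsf are the first-stage script types the advisory names;
# .jse and .vbs are added here as an assumption for broader coverage.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")


def suspicious_members(archive_bytes: bytes) -> List[str]:
    """Return the names of regular files inside a TAR archive whose
    (lower-cased) name ends in a script extension. Only TAR is handled
    because tarfile ships with the standard library."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if member.name.lower().endswith(SCRIPT_EXTENSIONS):
                found.append(member.name)
    return found


def build_sample_archive(files: dict) -> bytes:
    """Build an in-memory TAR from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample attachment: a benign document next to a WSF lure that
# hides behind a double extension (names are made up for this example).
SAMPLE = build_sample_archive({
    "Invoice_2025.pdf": b"%PDF-1.4 placeholder",
    "Invoice_2025.pdf.wsf": b"<job><script language=\"JScript\"></script></job>",
})

if __name__ == "__main__":
    # Expected: ['Invoice_2025.pdf.wsf']
    print(suspicious_members(SAMPLE))
```

A mail gateway or sandbox can run the same check on each archive attachment and quarantine messages where the list is non-empty.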

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://176.65.142.190

    https://api.telegram.org/bot7684022823:AAFw0jHSu-b4qs6N7yC88nUOR8ovPrCdIrs/sendMessage?chat_id=6542615755

    Hashes (SHA-256):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "http://176.65.142.190" or url like "http://176.65.142.190" or siteurl like "http://176.65.142.190" or domainname like "https://api.telegram.org/bot7684022823:AAFw0jHSu-b4qs6N7yC88nUOR8ovPrCdIrs/sendMessage?chat_id=6542615755" or url like "https://api.telegram.org/bot7684022823:AAFw0jHSu-b4qs6N7yC88nUOR8ovPrCdIrs/sendMessage?chat_id=6542615755" or siteurl like "https://api.telegram.org/bot7684022823:AAFw0jHSu-b4qs6N7yC88nUOR8ovPrCdIrs/sendMessage?chat_id=6542615755"

    Hashes (SHA-256):

    sha256hash IN ("bd8c0b0503741c17d75ce560a10eeeaa0cdd21dff323d9f1644c62b7b8eb43d9","9588c9a754574246d179c9fb05fea9dc5762c855a3a2a4823b402217f82a71c1","6b8a4c3d4a4a0a3aea50037744c5fec26a38d3fb6a596d006457f1c51bbc75c7","f6d9198bd707c49454b83687af926ccb8d13c7e43514f59eac1507467e8fb140","72d3de12a0aa8ce87a64a70807f0769c332816f27dcf8286b91e6819e2197aa8","fa598e761201582d41a73d174eb5edad10f709238d99e0bf698da1601c71d1ca","2bd43f839d5f77f22f619395461c1eeaee9234009b475231212b88bd510d00b7","24552408d849799b2cac983d499b1f32c88c10f88319339d0eec00fb01bb19b4","ce3a3e46ca65d779d687c7e58fb4a2eb784e5b1b4cebe33dbb2bf37cccb6f194")

    Reference: 

    https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/


    Tags

    Malware, Phishing, DarkCloud Stealer, ConfuserEx
