DarkCloud Infostealer Slips Into Manufacturing Firm Through Spear-Phishing Attack
- Cyber Jill
- Sep 29
In the unrelenting tug-of-war between defenders and cybercriminals, a new chapter has unfolded. eSentire’s Threat Response Unit (TRU) has intercepted a spear-phishing campaign aimed at a manufacturing client, ultimately stopping an attempted delivery of DarkCloud, an infostealer that has been quietly evolving into one of the more versatile threats in circulation.
From Phishing Lure to Infostealer Payload
The attack began in September 2025 with an email disguised as banking correspondence, complete with a subject line mimicking a SWIFT transfer and an attached ZIP archive. Inside the archive lurked DarkCloud v3.2, an older but still dangerous build of the malware. If executed, it would have harvested everything from browser-stored passwords and credit cards to cryptocurrency wallets and FTP credentials—sending stolen data to attacker-controlled Telegram bots, FTP servers, or web panels.
This phishing approach, routed through a Zendesk support email, demonstrates how attackers are blending business-as-usual workflows with malicious lures, betting that even seasoned employees can be duped by financial urgency.
DarkCloud’s Underground Evolution
Originally a .NET project sold on the now-defunct XSS.is forum, DarkCloud has since migrated into VB6 with increasingly sophisticated evasion techniques. The latest versions feature Caesar cipher-based string obfuscation, anti-sandbox checks that flag research tools like Wireshark and IDA Pro, and persistence through RunOnce registry keys with randomized names.
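As an added defender-side example (not code from eSentire's report or from this article), the following Python hunts for the RunOnce persistence described above: on a Windows host it enumerates the Run and RunOnce values under HKCU and HKLM and flags value names that look randomized rather than product-like. The vowel-ratio, digit-mix and entropy thresholds are assumptions to tune per fleet, and the sample entries are constructed.

```python
import math, re
from collections import Counter

# Autostart locations to review; the article reports DarkCloud persisting via RunOnce.
RUN_SUBKEYS = [r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
               r"Software\Microsoft\Windows\CurrentVersion\Run"]
VOWELS = set("aeiouy")

def shannon_entropy(s):
    n = len(s)  # bits per character over the string's character distribution
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_randomized(name):
    """Heuristic (assumed thresholds, tune per fleet): consonant soup or unseparated letter/digit mixes."""
    core = re.sub(r"[^a-z0-9]", "", name.lower())
    letters = [c for c in core if c.isalpha()]
    if len(core) < 6 or not letters:
        return False
    digits = len(core) - len(letters)
    if digits >= 2 and digits / len(core) >= 0.25:
        return True
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.15 and shannon_entropy(core) >= 2.5

def enumerate_run_entries():
    """Windows only: (hive, subkey, name, command) for every Run/RunOnce value."""
    import winreg  # standard library on Windows builds of Python
    entries = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        for subkey in RUN_SUBKEYS:
            try:
                with winreg.OpenKey(hive, subkey) as key:
                    for i in range(winreg.QueryInfoKey(key)[1]):  # index 1 = number of values
                        name, value, _ = winreg.EnumValue(key, i)
                        entries.append((hive_name, subkey, name, str(value)))
            except OSError:  # key absent or not readable from this context
                continue
    return entries

def flag_entries(entries):
    """Keep only entries whose value name looks machine-generated."""
    return [e for e in entries if looks_randomized(e[2])]

# Constructed sample, not real telemetry: two legitimate entries and two suspect ones.
SAMPLE_ENTRIES = [
    ("HKCU", RUN_SUBKEYS[1], "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("HKLM", RUN_SUBKEYS[1], "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("HKCU", RUN_SUBKEYS[0], "Kpqzvxtr", r"C:\Users\u\AppData\Roaming\Kpqzvxtr\svc.exe"),
    ("HKCU", RUN_SUBKEYS[0], "a7f3k9z1", r"C:\Users\u\AppData\Local\Temp\a7f3k9z1.exe"),
]
```

On a Windows host, `flag_entries(enumerate_run_entries())` applies the same heuristic to the live hives; `flag_entries(SAMPLE_ENTRIES)` shows the expected hits on the constructed data.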
Even its development process is peculiar. Builders require the Visual Basic 6 IDE for local compilation, inadvertently introducing risks for the malware authors themselves—mirroring the Redline Stealer debacle, where unauthorized variants proliferated after leaked builds. That risk, however, has not stopped DarkCloud’s operators from actively marketing the tool via Telegram under the alias @BluCoder and through a slick storefront disguised as a password recovery utility.
Identity Security in the Crosshairs
While the malware’s technical profile is alarming, experts stress that the bigger issue lies in what happens after the breach. Henrique Teixeira, SVP of Strategy at Saviynt, explains the broader stakes:
“Infostealers are a type of malware often specifically designed to steal user credential data. 46% of the time, infostealers are running on employee devices not managed by their employers. While it's important to stay aware of new versions and campaigns utilizing these vectors, it's even more critical for cybersecurity and identity leaders to understand the full attack chain of these modern campaigns.”
Teixeira notes that credential abuse remains the dominant vector for attackers. Once harvested, stolen data often lands in the hands of Initial Access Brokers (IABs), fueling ransomware, extortion, and third-party compromise. Increasingly, attackers are also exploiting non-human identities—machine accounts and service tokens—which now represent the majority of identity-based compromises.
“This attack highlights the importance of being able to measure and understand the current state of identity controls, and how resilient and prepared organizations are,” Teixeira adds.
Why DarkCloud Matters
eSentire’s rapid detection meant the attempted infection was stopped before damage occurred, but the case is a reminder of phishing’s staying power. Despite advances in endpoint detection and sandboxing, a single convincing email remains enough to crack open enterprise defenses.
DarkCloud’s evolution—pivoting between programming languages, adding obfuscation tricks, and expanding its theft capabilities—underscores how malware families adapt not just to evade detection, but to maximize resale value on underground markets.
Lessons for Defenders
The TRU team’s recommendations are clear:
- Block suspicious ZIPs and embedded executables at the email gateway.
- Invest in phishing awareness training to reduce the success of social engineering.
- Employ MDR or EDR tools for round-the-clock threat disruption.
Ultimately, the story of DarkCloud is less about a single piece of malware and more about the systemic weakness it exploits: trust in digital identity. And as long as that remains a “low-hanging fruit” for adversaries, defenders will need to stay just as adaptive.