New infection chain and ConfuserEx-based obfuscation for DarkCloud Stealer

Intel Name: New infection chain and ConfuserEx-based obfuscation for DarkCloud Stealer

Date of Scan: August 8, 2025

Impact: High

Summary:
Researchers recently identified changes in DarkCloud Stealer's distribution and obfuscation techniques, first observed in April 2025. These include a new infection chain that uses ConfuserEx obfuscation and a final payload written in Visual Basic 6 (VB6). Previous DarkCloud Stealer attacks also used AutoIt for evasion, as detailed in the researchers' earlier report. The current attacks begin with phishing emails carrying an archive (TAR, RAR, or 7Z) that contains a JavaScript or Windows Script File (WSF), with almost every stage now heavily obfuscated.
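The delivery stage described above (an archive attachment whose member is a JS or WSF script) is the point where a mail gateway can intervene before any obfuscated stage runs. The following is an added example, not code from the report or from the researchers: it identifies the archive type by magic bytes, lists the members, and flags script extensions. TAR handling uses only the standard library; the RAR and 7Z branches assume the third-party `rarfile` and `py7zr` packages and fall back to a manual-review verdict when they are absent. The sample archives are constructed in-memory placeholders, and the extensions beyond `.js` and `.wsf` are an assumption (other Windows Script Host file types).

```python
"""Flag e-mail attachment archives that carry JS/WSF script members.

Added example (not from the report): the DarkCloud chain delivers a
JavaScript or WSF file inside a TAR, RAR or 7Z archive, so a gateway
check can list archive members and block script payloads up front.
"""
from __future__ import annotations

import io
import tarfile

# .js and .wsf are the types named in the report; the rest are assumptions
# (other file types run by the same Windows Script Host).
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe")

# Leading magic bytes for the two formats that are not handled by stdlib.
MAGIC = (
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
)


def detect_archive_type(data: bytes) -> str | None:
    """Return 'rar', '7z', 'tar' or None based on the container's signature."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    # POSIX tar has no leading magic; "ustar" sits at offset 257 of the header.
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return None


def list_members(data: bytes, kind: str) -> list[str] | None:
    """Return member file names, or None when the needed library is absent."""
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            return [m.name for m in tf.getmembers() if m.isfile()]
    if kind == "rar":
        try:
            import rarfile  # third-party; assumed installed on the gateway
        except ImportError:
            return None
        with rarfile.RarFile(io.BytesIO(data)) as rf:
            return [i.filename for i in rf.infolist() if not i.isdir()]
    if kind == "7z":
        try:
            import py7zr  # third-party; assumed installed on the gateway
        except ImportError:
            return None
        with py7zr.SevenZipFile(io.BytesIO(data), mode="r") as sz:
            return list(sz.getnames())
    return None


def script_members(names: list[str]) -> list[str]:
    """Pick out members whose final extension is a script type (catches
    double extensions such as invoice.pdf.js as well)."""
    return [n for n in names if n.lower().endswith(SCRIPT_EXTENSIONS)]


def classify_attachment(data: bytes) -> dict:
    """Gateway verdict for one attachment: allow, block, or hand off for review."""
    kind = detect_archive_type(data)
    if kind is None:
        return {"archive": None, "scripts": [], "verdict": "not_an_archive"}
    names = list_members(data, kind)
    if names is None:
        # Format recognised but not inspectable here: do not silently allow.
        return {"archive": kind, "scripts": [], "verdict": "needs_manual_review"}
    scripts = script_members(names)
    return {"archive": kind, "scripts": scripts,
            "verdict": "block" if scripts else "allow"}


def build_sample_tar(members: dict[str, bytes]) -> bytes:
    """Constructed sample: build an in-memory TAR so the check runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholders, not real samples.
    lure = build_sample_tar({"Invoice_0825.pdf.js": b"// placeholder\n"})
    benign = build_sample_tar({"report.pdf": b"%PDF-1.4 placeholder\n"})
    print(classify_attachment(lure))    # verdict: block
    print(classify_attachment(benign))  # verdict: allow
```

The check deliberately keys on the member's extension rather than on the archive type, since the report shows the same script stage arriving in three different containers; an unsupported container yields a review verdict rather than a pass, so a missing library never becomes a silent allow.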

More Details