DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt
Essential information
- Published: 14/05/2025 16:58
- Modified: 21/05/2025 20:05
- Tags: 2025-05-14, anti-analysis, autoit, credential-theft, darkcloud, stealer, information-stealing, infostealer, multi-stage, payload, obfuscation, phishing
- Related entities: 1 vulnerability (CVE), 4 observables, 12 techniques (MITRE), 1 malware, 3 others
Description
Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins with a phishing email containing a RAR archive or a PDF that downloads the archive. The archive contains an AutoIt-compiled executable that decrypts and executes the final DarkCloud Stealer payload. The malware steals sensitive data including browser passwords, credit card information, and email client credentials. It employs anti-analysis techniques and achieves persistence through registry modifications. The campaign has targeted various sectors, with a focus on government organizations, particularly in Poland.