{
  "name": "DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt",
  "slug": "darkcloud-stealer-comprehensive-analysis-of-a-new-attack-chain-that-employs-autoit",
  "description": "Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins with a phishing email that either attaches a RAR archive directly or attaches a PDF that downloads the archive. The archive contains an AutoIt-compiled executable that decrypts and executes the final DarkCloud Stealer payload. The malware steals sensitive data, including browser passwords, credit card information, and email client credentials. It employs anti-analysis techniques and achieves persistence through registry modifications. The campaign has targeted various sectors, with a focus on government organizations, particularly in Poland.",
  "published": "2025-05-14T14:58:52+00:00",
  "created_at": "2025-05-14T14:58:52+00:00",
  "modified_at": "2025-05-21T18:05:52+00:00",
  "created_at_opencti": "2025-05-14T14:58:52+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-14",
    "anti-analysis",
    "autoit",
    "credential-theft",
    "darkcloud stealer",
    "information-stealing",
    "infostealer",
    "multi-stage payload",
    "obfuscation",
    "phishing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc"
      },
      {
        "id": "",
        "name": "9940de30f3930cf0d0e9e9c8769148594240d11242fcd6c9dd9e9f572f68ac01"
      },
      {
        "id": "",
        "name": "30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371"
      },
      {
        "id": "",
        "name": "1269c968258999930b573682699fe72de72d96401e3beb314ae91baf0e0e49e8"
      }
    ],
    "malware": [
      {
        "id": "c7a2ae10-c0a1-4d4b-b2f2-d841d95ea5d2",
        "name": "DarkCloud Stealer",
        "slug": "darkcloud-stealer"
      }
    ],
    "attack_patterns": [
      {
        "id": "7e3e3784-9547-42ca-b888-482972d14be3",
        "name": "T1528"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "3be1a227-bbd0-4e76-9422-40e4078224f9",
        "name": "T1007"
      },
      {
        "id": "3245033a-53c4-454c-873a-fb653af0bf8a",
        "name": "T1552"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-31324"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Poland"
      },
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/",
    "https://unit42.paloaltonetworks.com/wp-content/uploads/2025/05/01_Hactivism_Overview_1920x900.jpg",
    "https://otx.alienvault.com/pulse/6824cbccc06b226e68c5b4b5"
  ]
}