New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer
Essential information
- Published
- 08/08/2025 08:00
- Modified
- 10/08/2025 19:40
- Tags
- 2025-08-07, 2025-08-08, anti-analysis, confuserex, darkcloud stealer, infection chain, infostealer, obfuscation, process-hollowing, runpe, visual basic 6
- Related entities
- 10 observables, 5 techniques (mitre), 1 malware
Description
Unit 42 researchers have observed changes in the distribution and obfuscation techniques of DarkCloud Stealer. The new infection chain, first seen in April 2025, involves ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with a phishing email carrying an archive file, which leads to the download and execution of a PowerShell script. This script drops an executable protected by ConfuserEx, which in turn injects the DarkCloud Stealer payload into a legitimate process. The malware employs several anti-analysis techniques, including encryption and obfuscation of its strings. These changes highlight the evolving evasion strategies of cybercriminals and underscore the need for behavior-based threat detection rather than reliance on static signatures alone.