{
  "name": "New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer",
  "slug": "new-infection-chain-and-confuserex-based-obfuscation-for-darkcloud-stealer",
  "description": "Unit 42 researchers have observed changes in the distribution and obfuscation techniques of DarkCloud Stealer. The new infection chain, first seen in April 2025, involves ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with a phishing email containing an archive file, which leads to the download and execution of a PowerShell script. The script then drops a ConfuserEx-protected executable; that executable ultimately injects the DarkCloud Stealer payload into a legitimate process. The malware employs various anti-analysis techniques, including encryption and obfuscation of strings. These changes highlight the evolving evasion strategies of cybercriminals and underscore the need for advanced, behavior-based threat detection approaches.",
  "published": "2025-08-08T06:00:42+00:00",
  "created_at": "2025-08-08T06:00:42+00:00",
  "modified_at": "2025-08-10T17:40:39+00:00",
  "created_at_opencti": "2025-08-08T06:00:42+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-08-07",
    "2025-08-08",
    "anti-analysis",
    "confuserex",
    "darkcloud stealer",
    "infection chain",
    "infostealer",
    "obfuscation",
    "process-hollowing",
    "runpe",
    "visual basic 6"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "176.65.142.190"
      },
      {
        "id": "",
        "name": "fa598e761201582d41a73d174eb5edad10f709238d99e0bf698da1601c71d1ca"
      },
      {
        "id": "",
        "name": "f6d9198bd707c49454b83687af926ccb8d13c7e43514f59eac1507467e8fb140"
      },
      {
        "id": "",
        "name": "ce3a3e46ca65d779d687c7e58fb4a2eb784e5b1b4cebe33dbb2bf37cccb6f194"
      },
      {
        "id": "",
        "name": "72d3de12a0aa8ce87a64a70807f0769c332816f27dcf8286b91e6819e2197aa8"
      },
      {
        "id": "",
        "name": "bd8c0b0503741c17d75ce560a10eeeaa0cdd21dff323d9f1644c62b7b8eb43d9"
      },
      {
        "id": "",
        "name": "9588c9a754574246d179c9fb05fea9dc5762c855a3a2a4823b402217f82a71c1"
      },
      {
        "id": "",
        "name": "6b8a4c3d4a4a0a3aea50037744c5fec26a38d3fb6a596d006457f1c51bbc75c7"
      },
      {
        "id": "",
        "name": "2bd43f839d5f77f22f619395461c1eeaee9234009b475231212b88bd510d00b7"
      },
      {
        "id": "",
        "name": "24552408d849799b2cac983d499b1f32c88c10f88319339d0eec00fb01bb19b4"
      }
    ],
    "malware": [
      {
        "id": "c7a2ae10-c0a1-4d4b-b2f2-d841d95ea5d2",
        "name": "DarkCloud Stealer",
        "slug": "darkcloud-stealer"
      }
    ],
    "attack_patterns": [
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ]
  },
  "external_refs": [
    "https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/",
    "https://otx.alienvault.com/pulse/6895aeaa72538302a5d75512"
  ]
}