DarkCloud Infostealer Version 4.2 Returns, Spreading via Phishing Emails to Steal Passwords, Crypto, and Transaction Data


377/68 Wednesday, October 1, 2025

Researchers from the eSentire Threat Response Unit (TRU) have reported the resurgence of the DarkCloud Infostealer as version 4.2, discovered in phishing attempts targeting the manufacturing sector in September 2025. The malware has been completely rewritten in VB6. It was previously sold on the cybercrime forum XSS.is (shut down in July 2025) but has since resurfaced and is now distributed through its own website and Telegram channels.

The attack campaign began with phishing emails posing as financial transaction notifications and carrying a compressed attachment named Swift Message MT103 FT2521935SVT.zip. When opened, the attachment installed DarkCloud on the victim’s system to steal data. However, TRU was able to detect and stop the malware before it accessed customer information. This incident reinforces that phishing emails remain a primary distribution method for malware.

DarkCloud Infostealer is designed to steal a wide range of information, including browser passwords, credit card numbers, website cookies, FTP credentials, keystrokes, clipboard content, document files (.txt, .pdf, .doc, .xls), cryptocurrency wallets, and email contacts from clients such as Thunderbird, MailMaster, and eM Client. All stolen data is exfiltrated to attackers via Telegram, FTP, email, or a web panel.

TRU researchers have released a tool to help security professionals decrypt and analyze DarkCloud’s code and recommend that organizations deploy email filtering systems capable of blocking compressed files or suspicious attachments to reduce the risk of compromise.
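As an added illustration of the email-filtering recommendation above (example code written for this page, not the TRU tool or anything from the original report), the Python check below parses a raw message, flags compressed attachments, inspects zip content for executable payloads and for archives hiding behind another extension, and runs against a constructed lure modelled on the reported attachment name. The extension lists are assumptions to be tuned to local policy.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Policy lists are assumptions for this example; tune to the organisation's own rules.
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img", ".gz"}
EXEC_EXTS = {".exe", ".scr", ".dll", ".js", ".vbs", ".bat", ".cmd", ".lnk"}

def _ext(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def inspect_attachment(filename, payload):  # returns block reasons; empty list = allow
    reasons = []
    if _ext(filename) in ARCHIVE_EXTS:
        reasons.append(f"compressed attachment ({_ext(filename)})")
    if payload.startswith(b"PK\x03\x04"):  # zip local header: judge by content, not name
        if _ext(filename) != ".zip":
            reasons.append("zip content behind a non-zip extension")
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for name in zf.namelist():
                    if _ext(name) in EXEC_EXTS:
                        reasons.append(f"executable inside archive: {name}")
        except zipfile.BadZipFile:
            reasons.append("malformed zip")
    return reasons

def scan_eml(raw_bytes):  # returns {attachment_name: [reasons]} for flagged parts only
    msg = email.message_from_bytes(raw_bytes, policy=default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = inspect_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            flagged[name] = reasons
    return flagged

def build_sample_eml():  # constructed lure: a zip wrapping a placeholder .exe, not real malware
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Swift Message MT103 FT2521935SVT.exe", b"MZ placeholder, not a binary")
    msg = EmailMessage()
    msg["Subject"] = "Swift Message MT103"
    msg.set_content("Please find the attached payment confirmation.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Swift Message MT103 FT2521935SVT.zip")
    return msg.as_bytes()
```

A mail gateway would quarantine any message for which `scan_eml` returns a non-empty mapping; the content-based zip check catches archives renamed to look like documents.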

Source https://hackread.com/darkcloud-infostealer-grab-credentials-crypto-contacts/