DarkCloud Infostealer Targets Enterprises With Low-Cost Credential Theft


The DarkCloud infostealer sells for $30 on Telegram and clearnet stores. It harvests credentials from browsers, email clients, VPNs, and more, and the stolen credentials are then resold as network access, which makes it a scalable threat to enterprises. The tool first appeared in 2022 from developer “Darkcloud Coder,” aka “BluCoder.”

Security teams see DarkCloud arrive in phishing ZIPs and RARs. It is written in Visual Basic 6 and compiled to C/C++ for evasion. The legacy MSVBVM60.DLL runtime slips past modern scanners; VirusTotal tests show the VB6 builds are detected less often.

DarkCloud harvests from Chrome, Edge, Firefox, Brave, Opera, and others. It also targets Outlook, Thunderbird, NordVPN, and FileZilla. Stolen contact lists fuel follow-on phishing chains.

Theft Capabilities

Data is staged in %APPDATA%\Microsoft\Windows\Templates: raw databases go in a DBS subfolder and parsed text in a subfolder named _. Exfiltration is via SMTP, FTP, Telegram, or HTTP.

Target Category    Examples
Browsers           Chrome, Edge, Firefox, Brave, Opera, Vivaldi
Email Clients      Outlook, Thunderbird, FoxMail, eM Client
VPN/FTP            NordVPN, FileZilla, WinSCP
Other              Credit cards, contacts

Flashpoint states: “DarkCloud gives keys to corporate networks.” 

Evasion Techniques

Strings are encrypted using the VB Rnd() PRNG with custom seeds. Hex and Base64 encoding hide payloads. Because decryption happens at runtime from the seed, the strings resolve consistently without any network calls.
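The property this paragraph relies on is that VB6's Rnd() is a small linear congruential generator, so anything keyed off it is fully determined by the starting state, and an analyst can regenerate the same values offline. The following is an added example for this article, not DarkCloud code: a PowerShell reimplementation of the VB6 Rnd() recurrence, plus a constructed XOR round trip that illustrates the deterministic decode. It assumes VB6's documented LCG constants and default start state 0x50000; it does not reproduce how a VB `Randomize n` seed is mapped to the internal state (the caller supplies the 24-bit state directly), and the XOR scheme is an illustration, not DarkCloud's actual encoding.

```powershell
# VB6's Rnd() is a 24-bit linear congruential generator, so any string cipher keyed
# off it is fully determined by the starting state. Added example for this article,
# not DarkCloud code. Assumptions: LCG constants and default start state 0x50000 are
# VB6's documented ones; the XOR scheme below is a constructed illustration of the
# deterministic property, not DarkCloud's real encoding; mapping a VB `Randomize n`
# seed to an internal state is not reproduced, the caller supplies the 24-bit state.

class Vb6Rnd {
    [long]$State

    Vb6Rnd() { $this.State = 0x50000 }                       # state of a fresh VB6 program
    Vb6Rnd([long]$state) { $this.State = $state -band 0xFFFFFF }

    [double] Next() {
        # Same recurrence the VB6 runtime uses; [long] keeps the product exact.
        $this.State = ($this.State * 0x43FD43FD + 0xC39EC3) -band 0xFFFFFF
        return $this.State / 16777216.0
    }
}

function Get-RndKeystream {
    param([long]$StartState, [int]$Length)
    # Int(Rnd * 256) is the usual VB idiom for turning Rnd into a key byte.
    $rnd = [Vb6Rnd]::new($StartState)
    $bytes = New-Object byte[] $Length
    for ($i = 0; $i -lt $Length; $i++) {
        $bytes[$i] = [byte][math]::Floor($rnd.Next() * 256)
    }
    return ,$bytes
}

function Invoke-RndXor {
    param([byte[]]$Data, [long]$StartState)
    # XOR is symmetric: the same call encodes and decodes.
    $ks = Get-RndKeystream -StartState $StartState -Length $Data.Length
    $out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Data.Length; $i++) { $out[$i] = $Data[$i] -bxor $ks[$i] }
    return ,$out
}

# Self-check against the value every fresh VB6 program gets from its first Rnd() call.
$r = [Vb6Rnd]::new()
if ([math]::Round($r.Next(), 7) -ne 0.7055475) { throw 'LCG constants are wrong' }

# Round trip with a constructed sample: the same state yields the same keystream,
# so decoding needs no network call and no stored key, only the seed.
$plain   = [Text.Encoding]::ASCII.GetBytes('constructed sample string')
$encoded = Invoke-RndXor -Data $plain   -StartState 0x123456
$decoded = Invoke-RndXor -Data $encoded -StartState 0x123456
[Text.Encoding]::ASCII.GetString($decoded)
```

The self-check is the useful part for an analyst: if the reimplemented generator reproduces the known first value, the keystream it produces for a recovered seed will match what the sample computes at runtime, which is why this kind of string protection adds nothing against static analysis once the seed is read out of the binary.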

The code links to the earlier BluStealer: the same credit card regexes appear in the same order. The developer has refined it over time.

Enterprise Risks

The low price lets attacks scale. Stolen credentials are sold as initial access. Harvested email contacts extend a breach to new victims. Legacy VB6 code slips past EDR.

Phishing drops it fast. No zero-days needed.

Defense Actions

Block the threat now:

  • Filter ZIP/RAR email attachments strictly.
  • Monitor SMTP/FTP/Telegram exfil.
  • Rotate credentials enterprise-wide.
  • Detect VB6 runtime on endpoints.
  • Scan %APPDATA%\Microsoft\Windows\Templates for DBS and _ subfolders.

Use password managers. Enable phishing-resistant MFA.
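The endpoint-side items in the list above can be turned into a quick hunt. The script below is an added example for this article, not DarkCloud code or any vendor's tooling: it lists processes with the legacy MSVBVM60.DLL runtime mapped, checks every profile for the staging folder and subfolders the article names, and flags established outbound SMTP/FTP connections. It assumes profiles live under C:\Users and that the staging path is as described above; function names are this example's own. Any hit is a triage lead rather than proof of infection, since legacy business apps also load MSVBVM60.DLL and the Templates folder itself is a normal Windows shell folder.

```powershell
# Endpoint checks for the DarkCloud indicators the article lists. Added example for
# this article, not DarkCloud code or vendor tooling. Assumptions: staging path and
# its DBS / _ subfolders are as the article states; user profiles live under
# C:\Users; hits are triage leads, not proof of infection.

function Find-Vb6RuntimeProcesses {
    # Running processes that have the legacy VB6 runtime mapped. Reading another
    # process's module list needs sufficient rights; inaccessible ones are skipped.
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        try {
            $hit = $proc.Modules | Where-Object { $_.ModuleName -eq 'MSVBVM60.DLL' }
            if ($hit) {
                [pscustomobject]@{
                    Pid     = $proc.Id
                    Name    = $proc.ProcessName
                    Image   = $proc.MainModule.FileName
                    Runtime = $hit.FileName
                }
            }
        } catch {
            # Access denied or 32/64-bit mismatch: module list unavailable, skip.
        }
    }
}

function Find-StagingFolders {
    # %APPDATA%\Microsoft\Windows\Templates exists on every Windows install; the
    # indicator is the DBS (raw databases) and _ (parsed text) subfolders beneath it.
    $results = @()
    foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $base = Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Templates'
        foreach ($sub in 'DBS', '_') {
            $p = Join-Path $base $sub
            if (Test-Path -LiteralPath $p -PathType Container) {
                $files = @(Get-ChildItem -LiteralPath $p -File -Recurse -ErrorAction SilentlyContinue)
                $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
                $results += [pscustomobject]@{
                    User      = $userDir.Name
                    Folder    = $p
                    FileCount = $files.Count
                    Newest    = $newest.LastWriteTime
                }
            }
        }
    }
    $results
}

function Find-ExfilConnections {
    # Established outbound connections on SMTP and FTP ports, with the owning
    # process. Telegram and HTTP exfil ride on 443 and need proxy logs instead.
    $ports = 25, 465, 587, 21
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $ports -contains $_.RemotePort } |
        ForEach-Object {
            $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Pid     = $_.OwningProcess
                Process = $owner.ProcessName
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

# Usage: run from an elevated session so other users' processes and profiles are visible.
Find-Vb6RuntimeProcesses | Format-Table -AutoSize
Find-StagingFolders      | Format-Table -AutoSize
Find-ExfilConnections    | Format-Table -AutoSize
```

Review the VB6 process list against the software inventory before acting on it; a mail-sending process that is not the organisation's mail client, combined with a populated DBS or _ folder in the same user's profile, is the combination worth escalating.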

FAQ

What is DarkCloud infostealer?

VB6 malware that steals credentials, sold as a $30 subscription.

How does DarkCloud evade detection?

The legacy VB6 runtime and Rnd()-based string encryption.

Which apps does it target?

Browsers, email, VPNs like NordVPN.

Where is DarkCloud sold?

Telegram and clearnet stores.

How to stop DarkCloud?

Filter attachments, monitor exfiltration channels, rotate credentials.
