DarkCloud Infostealer Targets Enterprises With Low-Cost Credential Theft
DarkCloud is an infostealer sold for about $30 through Telegram channels and clearnet storefronts. It harvests credentials from browsers, email clients, VPN and FTP clients, and more, and the stolen logins are resold as initial access to corporate networks, which is what turns a cheap commodity tool into an enterprise problem. The tool first appeared in 2022 from a developer operating as "Darkcloud Coder," also known as "BluCoder."
Security teams encounter DarkCloud inside ZIP and RAR attachments on phishing emails. It is written in Visual Basic 6, alongside builds in C/C++; the VB6 builds depend on the legacy MSVBVM60.DLL runtime, which many current engines handle poorly, and VirusTotal comparisons show the VB6 builds collecting fewer detections than the C/C++ ones.
DarkCloud harvests from Chrome, Edge, Firefox, Brave, Opera, and other browsers, and from Outlook, Thunderbird, NordVPN, and FileZilla. Harvested contact lists are reused to seed the next round of phishing.
Theft Capabilities
Stolen data is staged under %APPDATA%\Microsoft\Windows\Templates: copied raw databases (browser credential and cookie stores) go into a DBS subfolder, and the parsed plaintext results into a subfolder named _. The operator's configured channel then exfiltrates the bundle over SMTP, FTP, Telegram, or HTTP.
| Target Category | Examples |
|---|---|
| Browsers | Chrome, Edge, Firefox, Brave, Opera, Vivaldi |
| Email Clients | Outlook, Thunderbird, FoxMail, eM Client |
| VPN/FTP | NordVPN, FileZilla, WinSCP |
| Other | Credit cards, contacts |
Flashpoint states: “DarkCloud gives keys to corporate networks.”
Evasion Techniques
Strings are encrypted at build time with a keystream drawn from VB's Rnd() PRNG under custom seeds, and payload pieces are additionally wrapped in hex or Base64. Because the generator is deterministic, the binary regenerates the same keystream at runtime and decrypts in place with no network fetch; the flip side is that an analyst who recovers the seed can decrypt the strings offline.
The code overlaps with the earlier BluStealer, down to the credit card regexes appearing in the same order, which points to the same developer refining one codebase over time.
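As an added illustration (not DarkCloud's code and not Flashpoint's decryptor), the Python below emulates VB6's Rnd() generator, a 24-bit linear congruential generator with multiplier 0x43FD43FD, increment 0xC39EC3 and default state 0x50000 whose Rnd() returns the state divided by 2^24, and uses it as an XOR keystream over a string that is then hex-wrapped. How a seed becomes generator state, the XOR layer, the hex wrapper and the sample string are assumptions standing in for whatever the real sample does; the point is that the same seed reproduces the same keystream, so the binary decrypts without network calls and an analyst with the seed decrypts offline.

```python
# Added example (not DarkCloud's or Flashpoint's code): VB6 Rnd() emulation
# used as an XOR keystream over a hex-wrapped string.

MULT = 0x43FD43FD        # VB6 Rnd() LCG multiplier
INC = 0xC39EC3           # VB6 Rnd() LCG increment
MASK = 0xFFFFFF          # the generator keeps a 24-bit state
DEFAULT_STATE = 0x50000  # state VB6 starts from before any Randomize call


class VB6Rnd:
    """Reproduces VB6's Rnd() sequence from a given 24-bit state."""

    def __init__(self, state=DEFAULT_STATE):
        self.state = state & MASK

    def next_float(self):
        # Rnd() steps the LCG and returns state / 2^24, a value in [0, 1).
        self.state = (self.state * MULT + INC) & MASK
        return self.state / float(1 << 24)

    def next_byte(self):
        # The usual VB idiom Int(Rnd * 256) yields one keystream byte.
        return int(self.next_float() * 256)


def keystream(seed, length):
    # ASSUMPTION: the "custom seed" is written straight into the generator
    # state. The real sample's seed derivation is not described on the page.
    gen = VB6Rnd(seed)
    return bytes(gen.next_byte() for _ in range(length))


def obfuscate(plaintext, seed):
    """Build-time side: XOR with the keystream, then hex-wrap the result."""
    data = plaintext.encode("utf-8")
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data)))).hex()


def deobfuscate(hex_blob, seed):
    """Runtime side: same seed, same keystream, so no network call is needed."""
    data = bytes.fromhex(hex_blob)
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data)))).decode("utf-8")


def first_rnd_value():
    """Sanity check of the emulator: real VB6 prints 0.7055475 for the first unseeded Rnd()."""
    return VB6Rnd().next_float()


if __name__ == "__main__":
    path = r"\Google\Chrome\User Data\Default\Login Data"  # constructed sample string
    blob = obfuscate(path, 0x1337)
    print(round(first_rnd_value(), 7))
    print(blob)
    print(deobfuscate(blob, 0x1337) == path)
```

The first_rnd_value() check is how you confirm the emulator before trusting it on real strings: if the generator does not reproduce 0.7055475 from the default state, the constants are wrong and every decrypted string would be garbage.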
Enterprise Risks
The low price puts the tool in many hands, and every infection yields credentials that resell as initial access. Stolen email contact lists let the attacker pivot to the victim's colleagues and partners, and the legacy VB6 runtime slips past endpoint engines tuned for current toolchains.
Delivery is ordinary phishing; no zero-days are involved.
Defense Actions
Steps that cut off this threat:
- Block or sandbox ZIP and RAR email attachments rather than relying on content scanning alone.
- Alert on outbound SMTP, FTP, and Telegram API traffic from endpoints that have no business generating it.
- Rotate credentials enterprise-wide after exposure; treat browser-saved passwords and mail credentials on an infected host as compromised.
- Alert on processes loading MSVBVM60.DLL, especially from user-writable paths such as Temp or Downloads.
- Hunt for DBS and _ subfolders under %APPDATA%\Microsoft\Windows\Templates.
Use a password manager instead of browser-saved credentials, and require phishing-resistant MFA so a stolen password alone is not enough.
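The hunt script below is an added example, not from the article, Flashpoint, or DarkCloud. It ties the staging layout from the Theft Capabilities section to the last two defense actions above: it checks one user's %APPDATA%\Microsoft\Windows\Templates for a DBS subfolder holding copied SQLite browser stores and a _ subfolder holding parsed text, and it filters Sysmon-style ImageLoad records for processes that load MSVBVM60.DLL from outside Program Files or Windows. The event field names, the trusted-path prefixes and all sample files and events are constructed for the demo.

```python
# Added hunt script (not from the article, Flashpoint, or DarkCloud). It
# checks one user's %APPDATA%\Microsoft\Windows\Templates for the staging
# layout the article describes and filters Sysmon-style ImageLoad events for
# the legacy VB6 runtime. Event field names and all sample data are constructed.
import tempfile
from pathlib import Path, PureWindowsPath

STAGING_REL = Path("Microsoft") / "Windows" / "Templates"
SQLITE_MAGIC = b"SQLite format 3\x00"   # header of Chromium/Firefox credential stores
VB6_RUNTIME = "msvbvm60.dll"
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")  # assumed allow-list


def scan_staging(appdata):
    """Report DBS/_ subfolders under Templates; an Office Templates folder has neither."""
    root = Path(appdata) / STAGING_REL
    finding = {"dbs_sqlite": [], "parsed_text": [], "suspicious": False}
    dbs = root / "DBS"
    if dbs.is_dir():
        for f in sorted(dbs.iterdir()):
            # Count only files that really are SQLite databases (copied browser stores).
            if f.is_file() and f.read_bytes()[:16] == SQLITE_MAGIC:
                finding["dbs_sqlite"].append(f.name)
    parsed = root / "_"
    if parsed.is_dir():
        finding["parsed_text"] = sorted(f.name for f in parsed.iterdir() if f.is_file())
    finding["suspicious"] = bool(finding["dbs_sqlite"] or finding["parsed_text"])
    return finding


def vb6_loads(events):
    """Return images that loaded MSVBVM60.DLL from outside the trusted prefixes."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:   # Sysmon event 7 = ImageLoad (assumed field layout)
            continue
        if PureWindowsPath(ev.get("ImageLoaded", "")).name.lower() != VB6_RUNTIME:
            continue
        if ev["Image"].lower().startswith(TRUSTED_PREFIXES):
            continue
        hits.append(ev["Image"])
    return hits


def demo():
    """Build a fake profile and a few fake events so the script runs offline."""
    with tempfile.TemporaryDirectory() as tmp:
        dbs = Path(tmp) / STAGING_REL / "DBS"
        parsed = Path(tmp) / STAGING_REL / "_"
        dbs.mkdir(parents=True)
        parsed.mkdir(parents=True)
        (dbs / "Login Data").write_bytes(SQLITE_MAGIC + b"\x00" * 48)
        (dbs / "Cookies").write_bytes(SQLITE_MAGIC + b"\x00" * 48)
        (dbs / "notes.txt").write_bytes(b"not a database")
        (parsed / "Passwords.txt").write_text("https://example.test|alice|hunter2\n")
        staging = scan_staging(tmp)
    events = [  # constructed Sysmon-like records
        {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
         "ImageLoaded": r"C:\Windows\SysWOW64\msvbvm60.dll"},
        {"EventID": 7, "Image": r"C:\Program Files\Legacy\inventory.exe",
         "ImageLoaded": r"C:\Windows\SysWOW64\MSVBVM60.DLL"},
        {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    ]
    return staging, vb6_loads(events)


if __name__ == "__main__":
    staging, hits = demo()
    print(staging)
    print(hits)
```

In production you would call scan_staging() with each profile's real AppData\Roaming path and feed vb6_loads() from your SIEM's ImageLoad stream; the allow-list of trusted prefixes is deliberately narrow, because the signal is the VB6 runtime being loaded by something dropped in a user-writable directory, not the runtime itself.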
FAQ
What is DarkCloud? VB6-based malware that steals credentials, sold for about $30.
How does it evade detection? Through the legacy VB6 runtime and Rnd()-based string encryption.
What does it target? Browsers, email clients, and VPN clients such as NordVPN.
Where is it sold? On Telegram and clearnet stores.
How do enterprises defend against it? Filter attachments, monitor for exfiltration, and rotate credentials.