VERY IMPORTANT

Unit 42 researchers have identified a shift in the delivery method and obfuscation techniques used for distributing DarkCloud Stealer. The new infection chain, observed since April 2025, involves ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with phishing emails containing compressed archives (TAR, RAR, or 7Z) that include JavaScript or Windows Script files. These files download and execute a PowerShell script, which then drops an executable protected by ConfuserEx. The final payload is a VB6 executable injected into a legitimate process using RunPE techniques. The malware employs various obfuscation methods, including anti-tampering, symbol renaming, and proxy call methods, to complicate analysis and evade detection.