Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

DarkCloud

106
Global rank
54 infographic chevron month
Month rank
42 infographic chevron week
Week rank
0
IOCs

DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.

Stealer
Type
Unknown
Origin
1 November, 2022
First seen
11 February, 2025
Last seen

How to analyze DarkCloud with ANY.RUN

Type
Unknown
Origin
1 November, 2022
First seen
11 February, 2025
Last seen

IOCs

IP addresses
103.14.121.180
184.170.144.21
167.99.35.88
198.38.82.23
181.214.142.230
Domains
a.kah.kz
ns1.biopliko.at
dns3.rioss.ru
ns1.spexcxc.ru
mondaystart.su
ns3.mogomix.ru
c.aasxmaoo.net
truefish.ru
ns1.mtygansk.at
ns1.kineshevasto.ru
winpter.ru
32v235235n645645435.org
nomorgx.su
standupscom.com
paperty.ru
surheadquarters.com
ns3.audiaturs.ru
ns1.fgfj.at
ns2.biopliko.at
ns1.free-dns-service.biz
URLs
http://showip.net/
https://api.telegram.org/bot6107929879:AAHV6JwXs7rcYzMGLe3_opR5_gdKAC16Ye4/sendMessage
https://api.telegram.org/bot8171626722:AAGIo9PvRpFrmWwamfv0SMURLy1PCYFG9a8/sendMessage
https://api.telegram.org/bot7664186157:AAHBDRAKxcixTkc-YXHNylLjI0ZkZfIUxE8/sendMessage
https://api.telegram.org/bot8181099166:AAHWiTz10g_-_BPRNk3yroxe3fl_IXTpU7s/sendMessage
https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage
https://api.telegram.org/bot5168654140:AAE_I-CRa2apQXXWxhBTEaeIEr1Ln5pw69s/sendMessage
https://api.telegram.org/bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendMessage
https://api.telegram.org/bot8136579075:AAGj0tA4jaUAY9OKp-x5cJn4qOrj2emlQuE/sendMessage
https://api.telegram.org/bot7824077250:AAFcoqx_HuY2oC2csA-0G-hez0Tv78Sn08E/sendMessage
https://api.telegram.org/bot7445405280:AAEJ_GT4WPzyc4zhBSNoaA4ZnBnixbthzkw/sendMessage
https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendMessage
https://api.telegram.org/bot6686872771:AAGUwkUh0LMB8XwZ6Sv6jR4DHAsdZafImc0/sendMessage
https://api.telegram.org/bot7698096781:AAGQLD6o1kzjfTe7ym-NWYz9KeQ-WUS_Q04/sendMessage
https://api.telegram.org/bot7583426817:AAE6Rp0SEWFrRdtVPoi6UBYXkQm2kRC4tzU/sendMessage
https://api.telegram.org/bot8069816150:AAGUqkcMn6u9wnhjGwn59_cFD18VE7JaJgI/sendMessage
https://api.telegram.org/bot7931237700:AAFORR1Anw56W1hHiiNueaGqnQE3qJUmrxQ/sendMessage
https://api.telegram.org/bot5723230539:AAHXr6rmQsEsq1CdwKBxLF-mnANEsBE4mYk/sendMessage
https://api.telegram.org/bot6201772437:AAE8z2HCV4dlViF8O7_bVozdyvuR6EkBCPA/sendMessage
https://api.telegram.org/bot6843160964:AAF3CXe6SpPYlr6PSxsfXFuMMbuXMIkkNtE/sendMessage
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 53
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 559
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1430
comments 0

What is DarkCloud malware?

DarkCloud is a stealer malware written in Visual Basic. The core functionality of the malicious software is collecting and exfiltrating sensitive information from infected machines. The type of data stolen by DarkCloud ranges from user credentials to credit card details in browsers.

The malware has been active since the end of 2022 and has been widely used in attacks in 2023. DarkCloud is sold by its creators on DarkNet forums who also provide customization options, including the additional clipper module, allowing the malware to monitor the content saved by victims to the clipboard.

The most common infection chain for DarkCloud is spam emails, targeting a variety of users. The malware is usually distributed in the form of a malicious attachment. Once downloaded and launched by the user, the malware gets installed on the device and begins its malicious activities.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the DarkCloud malicious software

DarkCloud can engage in the following operations on the infected system:

  • Steal information: It can pull data from different browsers and FTP clients, as well as the clipboard.
  • Capture screenshots: DarkCloud can take screenshots of the user’s activities.
  • Record keystrokes: The malware has the keylogging capability, letting it keep track of everything typed on the keyboard by the victim.
  • Exfiltrate files: It is capable of grabbing files of different formats, such as .txt, .rtf, and .pdf.
  • Communicate with the C2: DarkCloud supports several communication protocols, including SMTP and via Telegram, used for relaying stolen data to the attacker.

Additionally, similar to LaplasClipper, DarkCloud is equipped with a crypto swapper, enabling it to replace the user’s crypto wallet addresses with those of the attacker.

The malware can create a Task Scheduler entry in order to gain persistence on the system.

Execution process of DarkCloud

In order to examine the entire execution chain of DarkCloud in more detail, we can upload its sample to the ANY.RUN sandbox.

As stealers strive to conceal their activities, the DarkCloud stealer employs a deliberately straightforward execution chain to minimize visibility. Consequently, the infected operating system experiences a limited number of processes, and the malware refrains from utilizing system tools. Once the payload infiltrates the compromised system, it promptly initiates its execution.

The analyzed sample injects the system binary "AppLaunch" and subsequently executes it. After initiating, DarkCloud employs time-based evasion techniques in an attempt to conceal itself from sandboxes. However, it was detected, and the configuration was successfully extracted. It then starts a process executing all malicious activities, encompassing data theft and communication with the Command and Control (C&C) server.

DarkCloud process graph shown in ANY.RUN DarkCloud's process graph demonstrated in ANY.RUN

Distribution methods of the DarkCloud malware

Just like in the case of other stealer malware, such as Formbook and Lokibot, the most common way used by attackers to distribute DarkCloud is via emails. In most cases, criminals employ social engineering and craft their messages to look legitimate. This is why victims often receive fake invoice payment requests and similar emails with files attached to them. Users who fail to recognize a scam end up downloading the malicious attachment and running it on their system, thus triggering the infection process.

Conclusion

In order to avoid falling victim to DarkCloud, it is vital to follow strict security practices. One of them is analyzing suspicious files and links in a malware sandbox. ANY.RUN is a cloud-based service that lets you investigate any email attachment or URL sent to you by an unknown sender and determine whether it poses any risk.

ANY.RUN’s interactive approach to malware analysis enables you to engage with the files and the system just like on your own computer, performing all the necessary actions to execute malicious software fully. The service provides you with comprehensive threat reports that contain details about the attack, indicators of compromise (IOCs), and other relevant information.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Fog Ransomware screenshot
Fog is a ransomware strain that locks and steals sensitive information both on Windows and Linux endpoints. The medial ransom demand is $220,000. The medial payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding on other sectors and countries. Main distribution method — compromised VPN credentials.
Read More
WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
zgRAT screenshot
zgRAT
zgrat
zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration.
Read More
GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More