Malware

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

Clock Icon 11 min read
Related Products
Advanced WildFire iconAdvanced WildFireCloud-Delivered Security Services iconCloud-Delivered Security ServicesCortex iconCortexCortex XDR iconCortex XDRCortex XSIAM iconCortex XSIAMUnit 42 Incident Response iconUnit 42 Incident Response

Executive Summary

In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks.

DarkCloud employs multi-stage payloads and obfuscated AutoIt scripting, making its detection challenging with traditional signature-based methods. Its ability to extract sensitive data and establish command and control (C2) communications highlights the importance of thorough detection and assessment.

Palo Alto Networks customers are better protected from DarkCloud Stealer through our Network Security solutions and Cortex line of products including Advanced WildFire, Cortex XDR and Cortex XSIAM.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Infostealers, AutoIt

History of DarkCloud Stealer

The threat author has advertised DarkCloud Stealer in hacking forums as early as January 2023. Our telemetry reveals that attackers distributing DarkCloud Stealer have targeted various sectors but have notably focused on government organizations.

A February 2025 report from a Polish telecommunications provider notes that DarkCloud Stealer has appeared in attacks against machines in Poland. Initially spotted in 2022, this information stealer is designed to capture sensitive browser data like credit card information, login credentials and other personal data.

The malware is predominantly distributed through email phishing campaigns and is currently undergoing active development.

Activity Timeline

We have been monitoring this malware family since its appearance in 2022, and we have observed multiple samples that we believe are new variants of DarkCloud Stealer in late January 2025. Figure 1 shows a timeline displaying the sample count of the newly observed DarkCloud variant in January and February of 2025.

Bar chart displaying the number of samples collected on various dates. The highest count is 35 samples on 1/31/2025, with other notable counts on 1/28/2025 at 18 samples and 2/2/2025 at 19 samples. The chart includes the Palo Alto Networks and Unit 42 logos.
Figure 1. Timeline of new DarkCloud variant samples observed.

Figure 2 shows one of the samples, an AutoIt-compiled Portable Executable (PE) file in an analysis tool. Figure 3 shows the same sample in another analysis tool. Both tools confirm this sample is an AutoIt compiled PE file.

Screenshot of a software interface showing a highlighted section named "TimeDateStamp" with the value "2025-01-31 18:12:40". Additionally, the software identifies it as "Microsoft Visual C++(2013). AutoIt is also highlighted in red.
Figure 2. Compiled AutoIt PE file as detected by Detect-It-Easy.
Screenshot of a hexadecimal editor displaying various bytes of data with some sections in ASCII format highlighted.
Figure 3. AutoIt compiled script magic bytes in the RCData PE resource as shown by CFF Explorer.

Delivery Mechanism and Updated Infection Chain

We have observed many different attack chains that vary slightly. Since the variations in the attack chains are minor, we are illustrating just two possible attack chains for this article.

This attack chain starts with a phishing email. As shown in Figure 4, the email might contain a RAR archive or a phishing PDF that eventually downloads the RAR archive.

The RAR archive contains an executable file that eventually delivers the malicious payload. The multi-step nature of this attack underscores its intricacy and stealth. The stages of this attack are:

  1. A phishing email containing either a RAR archive or a phishing PDF
    1. In the case of an email with a phishing PDF, the PDF contains a pop-up message asking the victim to download a malicious archive disguised as a software update (from a file-sharing service URL).
  2. The RAR archive contains an AutoIt compiled PE (EXE) file.
  3. In addition to the AutoIt script (AU3 file), the AutoIt compiled EXE is packaged with two encrypted data files. One of the files is an encrypted shellcode, and the other file is the XORed payload.
  4. The AutoIt script builds and runs the final DarkCloud Stealer payload from the two data files.
Diagram depicting a cybersecurity threat where a phishing email with a PDF leads to a file sharing service, followed by a RAR file that contains an AutoIt EXE. This then executes encrypted shell code revealing an XORed payload, resulting in a final payload.
Figure 4. Infection chain of the new DarkCloud Stealer variant.

Figure 5 displays the number of these new AutoIt-based DarkCloud samples observed in various affected industries, while Figure 6 shows the geolocation of the samples we have seen.

A horizontal bar chart illustrating the number of samples across different industries. From top to bottom, the bars represent State and Local Government with 25 samples, Federal Government with 21 samples, High Tech with 12 samples, Finance with 9 samples, Manufacturing with 6 samples, and Media and Entertainment with 3 samples. The chart is branded by Palo Alto Networks and UNIT 42.
Figure 5. A new variant of the DarkCloud Stealer, samples seen for top industries.
Bar chart showing the number of samples from various countries. United States has 27, Brazil has 24, Peru and The Netherlands each have 8, Turkey has 4, and Hungary has 2. Palo Alto Networks and Unit 42 logo.
Figure 6. Geolocation of where we saw samples.

Technical Analysis

This section delves into the attack chain in these recent DarkCloud Stealer campaigns.

Phishing Email to File-Sharing Service

The initial phishing email contains a PDF file that displays a pop-up message stating the victim's Adobe Flash Player is out of date, as shown below in Figure 7. If a victim clicks the “Download Flash” button, this downloads a RAR archive from a file-sharing service. The archive contains the malicious AutoIt compiled executable.

PDF with identifying information is blurred in the background, supposedly for a purchase order. In the center is a popup for an Adobe Flash Player update notification, with the 'Update' and 'Download Flash' buttons visible.
Figure 7. Phishing PDF file.

Below, Figure 8 shows the downloaded RAR file and extracted EXE file.

Screenshot of a computer interface showing a WinRAR archive manager with a file named "olyfl3.rar" highlighted and an executable file for Adobe Reader installation visible.
Figure 8. Downloaded RAR file and extracted sample.

File-sharing services are commonly abused for malware distribution because they offer a convenient way for cybercriminals to host their malicious files. Most of these services can host files that do not require any login credentials or thorough validation of user activities, making them a useful tool in an attack chain.

Another benefit for attackers using file-sharing services is that they can host and remove files for a defined period of time. If someone deletes a file from the server, the attack will eventually cease. But this is also a disadvantage, as the attackers do not have full control compared to owning their own servers. If someone deletes their file-sharing account, the attack chain breaks.

In our case, the malicious RAR file is hosted on the URL hxxps[:]//files.catbox[.]moe/olyfi3.001.

Dropper - AutoIt Compiled Executable

A notable enhancement in this new variant is the incorporation of AutoIt compiled PE files as the dropper component.

AutoIt is a legitimate scripting language for automating the Windows GUI and general scripting tasks. Over the years, criminals have abused it to hide malicious activity. We have published various articles on criminal groups abusing the AutoIt platform.

An AutoIt-compiled executable is typically composed of two parts:

  • A standalone AutoIt interpreter
  • The compiled script bytecode stored as a resource within the PE file

The compression and encryption prevent easy decompilation of the bytecode. The compiled AutoIt binary handles the decompression of the bytecode before interpreting and executing it.

To better understand how this decompression works, we can analyze the AutoIt script extracted from the AutoIt-compiled PE file. At the beginning of the AutoIt script, as illustrated in Figure 9, the Call(), StringLen() and StringMid() function pointers are assigned to obscurely named global variables using the Execute() function. The string-related global variables serve as the building blocks for a string decoding function used for additional obfuscation.

Image showing three lines of colorful programming code with global variables and function calls, written on a dark background.
Figure 9. Variables assigned execution of Call() and Strings operations from the AutoIt script.

Figure 10 shows the subsequent string decoding function.

Screenshot of computer code written in a text editor, featuring a function, with obfuscation.
Figure 10. String decoding function in its original obfuscated form.

Figure 11 shows the deobfuscated version of the same function from Figure 10.

Screenshot of computer code with syntax highlighting featuring a function named StringDecode.
Figure 11. Manually deobfuscated string decoding function.

After implementing the string decoding function, the malware author uses the function to define additional variables, as illustrated in Figure 12. These additional variables use more random names, serving as basic function executions that will be used later.

A screenshot of computer code featuring declarations of global variables in a text editor, with syntax highlighting in purple, green, and yellow colors.
Figure 12. More global variables are assigned to function execution, albeit with an added layer of obfuscation.

Figure 13 displays the deobfuscated version of the same code from Figure 12. These definitions closely resemble the initial function executions presented at the start of the script, albeit with an added layer of string obfuscation.

Image of a colorful computer code snippet showing four lines in a terminal with syntax highlighting. Each line begins with the keyword "Global" followed by a variable and an assignment that involves the "Execute" function with commands like "BinaryLen", "DllStructCreate", "DllStructSetData", and "DllStructGetPtr".
Figure 13. Deobfuscated version of global variables assigned to function execution.

The AutoIt compiled EXE does not simply run the AU3 script alone. The EXE is compiled with two additional files, likely via the native AutoIt FileInstall() function. Specifically, in this sample, the filenames are iodization and plainstones.

Upon closer examination, we see plainstones is an XOR-encrypted PE file. Iodization appears to contain a shellcode pattern. This pattern consists of a series of characters representing hex values, interspersed with a static 8-digit numeric string.

Figure 14 displays a snapshot of the iodization file with the shellcode representation. Upon careful reading, the concatenated values form 0x558bec, which corresponds to the prologue of a subroutine.

Image featuring a repeated pattern of numerical values and vertical red lines on a black background.
Figure 14. A data blob that decodes into a PE file.

Indeed, we can locate the shellcode builder AutoIt script snippet as depicted in Figure 15.

Screenshot of a computer screen displaying code in a text editor with syntax highlighting. The code includes variable declarations and conditional statements in a programming language.
Figure 15. Code snippet for extracting shellcode from the encrypted dropped file.

Additionally, the deobfuscated version of this code is shown in Figure 16.

A screenshot displaying a script in a coding environment with variables and conditional structures. The script includes string manipulation functions and a loop, primarily in blue and green text on a black background.
Figure 16. Deobfuscated code snippet for extracting shell code from the encrypted dropped file.

Our analysis led to the following three insights.

  • In some samples of this malware, the associated global variable linking to the execution of StringLower() is not defined. This could potentially be a bug in the malware authors' toolchain.
  • The extractShellCode() function shown above in Figure 16 includes case sensitivity as an optional parameter, although it is not used in this case. This suggests the existence of potential variants with higher levels of obfuscation that use upper and lower case letters to encrypt the binary data file.
  • The same extractShellCode() function also includes the capability of bitwise AND assignment (&=) for encryption that is not used in this context. Once again, this indicates the possibility of variants with additional obfuscation methods applied to encrypt the binary data file.

The AutoIt script first creates a DllStructure to host the shellcode. It then calls VirtualProtect() to change the memory protection to PAGE_EXECUTE_READWRITE. Finally, the script executes the shellcode using CallWindowProc().

Figure 17 displays the deobfuscated code showing these functions. Notably, the entry point of the shellcode is not at the beginning of the injected blob but at the 9168th byte (or 0x23D0 in hex), as indicated by the parameters of CallWindowProc.

Screenshot of code with syntax highlighting that demonstrates how the shell code is executed.
Figure 17. A code snippet showing how the shellcode is eventually executed.

Upon examining the entry point of the shellcode, as depicted in Figure 18, we observed that soon after the 558BEC prologue, the code promptly initiates the construction of a string in memory. This string serves as the XOR decryption key for the previously mentioned plainstones file.

A screenshot displaying a section of assembly language code with various operation commands like 'mov', 'push', and register manipulations, commonly used in software development and debugging. A section in the upper middle is highlighted in grey.
Figure 18. Entry point of shellcode and string building as shown in IDA Pro.

Figure 19 displays the decrypted output as a PE file. Subsequently, the shellcode builds this PE file in memory and eventually executes it.

Screenshot of a CyberChef interface showing various cryptographic operations being performed with input, recipe, and output sections visible.
Figure 19. Decrypted DarkCloud payload as shown in CyberChef.

Payload - DarkCloud Executable

This section shows various functionalities employed by the final DarkCloud payload. First, as shown in Figure 20 below, we can identify the final payload executable as DarkCloud Stealer because of the DARKCLOUD signature string found in the sample.

Text on a computer screen displaying credentials including a username and password for an application named PIDGIN. Below, a file named recentServers.xml is mentioned, showing details of an FTP server including URL, host, and port. The background is dark with green text.
Figure 20. Strings from the DarkCloud Stealer sample as displayed in Hacker’s View.

In general, DarkCloud Stealer is a comprehensive data-stealing malware that collects and exfiltrates information such as:

  • Computer names
  • Usernames
  • Screenshots
  • Contacts
  • Browser passwords
  • Email client passwords

This infostealing functionality is shown in Figure 21 below.

Screenshot of a programming code in an IDE, featuring variables and functions, highlighted with syntax coloring. Some portions are highlighted in red boxes.
Figure 21. Various infostealing capabilities of the DarkCloud payload as shown by IDA Pro.

Stealing Browser and Mail Client Data

The payload attempts to retrieve saved usernames and passwords from various Chrome-based and Gecko-based browsers. Figure 22 shows a list of folders that the DarkCloud sample iterates through to scan for files such as logins.json, key4.db and signons.sqlite.

Code with most of the information redacted. An arrow points to the portion that hides various browser paths.
Figure 22. List of targeted browser data folders (displayed in Hacker’s View).

Figure 23 shows that the malware then checks each profile from the mail client and gathers saved credentials and data. Once it collects all the data, the malware consolidates it into a single file that it can exfiltrate from the victim's machine to the C2 server.

Image displaying a computer screen with various lines of code and data structures in a programming environment. Key terms visible include "UTF-16LE," "SOFTWARE," and references to "aData" and "LoginData". Portions redacted in green indicate a "Path to Mail Client" with arrows.
Figure 23. Disassembled code showing information-stealing functions from a mail client.

This sample checks for user accounts and credit card details from various Chromium-based and Gecko-based browsers. It searches for information from various types of popular credit cards, as shown in Figure 24 below.

Credit Card Information Stealing

The image displays two side-by-side screenshots of computer code with text and syntax highlighting, primarily featuring SQL database queries and assembly language instructions.
Figure 24. Disassembled code that shows credit card information stealing functionality.

SMTP and FTP Credential Stealing

This sample attempts to retrieve saved login credentials from various FTP client applications and decrypts them for exfiltration as shown in Figure 25.

Screenshot of code with various commands highlighted in pink and purple, and a section labeled "FTP Client Application" in a green box at the top, which is redacted in the image and indicated by an arrow.
Figure 25. Disassembled code indicating the malware steals credentials from a well-known FTP client.

Anti-Analysis and Other Crucial Functionalities

DarkCloud incorporates numerous anti-analysis techniques, including checks for analysis tools such as:

  • WinDbg
  • Fiddler
  • TCPView
  • Process Explorer
  • VMWare Tools
  • Wireshark
  • Process Monitor

The sample uses typical junk code and fake API calls to make analysis more difficult. This sample also checks for the victim’s public IP address using the web services below to obtain geolocation.

  • hxxp://showip[.]net
  • hxxp://www[.]mediacollege[.]com/internet/utilities/show-ip.shtml

Lastly, persistence is achieved through an addition to the RunOnce registry key:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\

Conclusion

DarkCloud Stealer has been active since 2022 and is continuously evolving. Attackers often modify their techniques for delivering malware, making detection and prevention more difficult. Palo Alto Networks monitors these campaigns, using a range of static and dynamic techniques to detect and prevent them.

Stealers of this type are well-known elements of the threat landscape, and there are many approaches to protecting customers from these evolving attacks. These methods include dynamic and behavioral detections, as well as more reactive signature or pattern-based solutions.

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name
Initial Access  T1566.001  Phishing
Execution  T1204 

T1053 

 User Execution 

Scheduled Task/Job
Persistence  T1053  Scheduled Task/Job 
Defense Evasion  T1140 Deobfuscate/Decode Files or Information
Credential Access T1555

T1539

T1552

T1528

 Credentials from Password Stores

Steal Web Session Cookie

Unsecured Credentials

Steal Application Access Token
Discovery T1087

T1518

T1057

T1007

 Account Discovery

Software Discovery

Process Discovery

System Service Discovery

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.
  • Cortex XDR and XSIAM are designed to:
    • Prevent the execution of known malicious malware, and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

SHA256 hash for the malicious PDF file:

  • bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc

SHA256 hash for the downloaded RAR archive:

  • 9940de30f3930cf0d0e9e9c8769148594240d11242fcd6c9dd9e9f572f68ac01

SHA256 hash of AutoIt-compiled EXE for DarkCloud Stealer:

  • 30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371
  • 1269c968258999930b573682699fe72de72d96401e3beb314ae91baf0e0e49e8

URL hosting malicious RAR archive:

  • hxxps[:]//files.catbox[.]moe/olyfi3.001

Additional Resources

Tags

Table of Contents

Related Articles

Related Malware Resources

Enlarged Image

Get the latest news, invites to events, and threat alerts

Default Heading

Read the article Right Arrow