DarkCloud Stealer Targets Financial Firms via Weaponized RAR Files
August 2025 saw a dramatic surge in targeted attacks by the DarkCloud Stealer against financial institutions worldwide.
CyberProof’s MDR analysts and threat hunters identified a wave of phishing emails bearing malicious RAR archives designed to prey on Windows users.
Once executed, these archives unleashed a multi‐stage payload engineered to siphon login credentials from email clients, FTP utilities, and web browsers.
EDR alerts revealed sophisticated process injection into MSBuild.exe, and further investigation uncovered a novel DarkCloud loader embedded within a JPEG file, retrieved via PowerShell.
Exfiltration occurs over both FTP and SMTP channels. This article dissects each link in the kill chain—from initial RAR dropper through registry persistence to final data exfiltration—offering defenders precise indicators of compromise and detection strategies.
The attack begins with a phishing email containing an attachment named Proof of Payment.rar (SHA256: 0ebc9f70eba3c50c2e6be8307f25e7ca572b1a26a1c37af00b22549f6e0a8129).

Upon extraction, the victim encounters Proof of Payment.vbe (SHA256: 90eefdabd6f33de39071d4bfd540654bfdc60bff3198d5637f82e10b0cabd01d), which is executed via wscript.exe.
This VBE script leverages PowerShell to decode embedded base64 content that instructs the download of universe-1733359315202-8750.jpg (SHA256: 89959ad7b1ac18bbd1e850f05ab0b5fce164596bce0f1f8aafb70ebd1bbcf900).

Inside the JPEG lurks a DLL payload—the DarkCloud loader—encrypted and only recoverable through the script’s reflection‐based decryption routine.
Loader Capabilities
Following decryption, the loader harnesses [Reflection.Assembly]::Load() to instantiate a .NET assembly in memory and invokes its entrypoint.
This loader fetches additional modules from attacker‐controlled infrastructure and establishes persistence by copying a JavaScript file into C:\Users\Public\Downloads\wardian.js.
A registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run is created to launch this JS file at each user login via a cmd.exe invocation.
In a secondary persistence tactic, the stealer drops a masqueraded executable—M3hd0pf.exe—in the user’s AppData Roaming folder, again registering it in the Run key under the guise of msbuild.exe.

Once resident, DarkCloud Stealer conducts code‐injection attacks against legitimate Windows executables.
The primary target is msbuild.exe, hollowing out its memory to load the stealer payload. A subsequent injection into mtstocom.exe triggers routines to extract stored credentials from Chromium‐based browsers and Outlook profiles.
EDR alerts flagged these hollowing events and credential access attempts, providing crucial telemetry for rapid incident response.
The file ‘C:\Users\<user>\AppData\Roaming\Windows Multimedia Platform\M3hd0pf.exe’ was dropped and registered in the Run key under an entry that purports to launch msbuild.exe.

DarkCloud operators employ a domain generation algorithm to craft ephemeral command‐and‐control endpoints.
Threat hunters observed DNS lookups and HTTP connections to domains including Blurjbxy[.]shop, dmetis[.]xyz, rangersorange[.]click, and financialsecured[.]xyz.
Exfiltration channels encompass both FTP and SMTP protocols, enabling reliable transfer of harvested data. The stealer packages credentials and browser artifacts into encrypted archives before dispatch.
Detection and Hunting Strategies
To empower defenders, CyberProof Threat Intel analysts developed advanced hunting queries: one to detect execution of VBE, VBS, or JS files spawned from Outlook processes, and another to flag suspicious credential accesses from known browser paths.
EDR rules tuned to monitor msbuild.exe and mtstocom.exe for unusual memory mappings can preempt the injection phase.
Network monitoring should focus on irregular connections to uncommon top‐level domains and automated FTP or SMTP sessions originating from user workstations.
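The first hunting query above (script files spawned from Outlook) and the Run-key persistence described earlier can be expressed as simple checks over endpoint telemetry. The following is an added example, not CyberProof's query or any code from the campaign; the event layout, the sample paths and user name, and the exact form of the cmd.exe Run value are constructed assumptions.

```python
import ntpath
import re

# Constructed sample telemetry (not from the article): process-creation events
# and Run-key values shaped like Sysmon Event ID 1 / 13 records, mixing items
# modelled on the campaign with benign ones.
PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Proof of Payment.vbe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\inventory.vbs"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\agenda.docx"'},
]
RUN_VALUES = [  # (value name, value data) under HKCU\...\CurrentVersion\Run
    ("wardian", r'cmd.exe /c "C:\Users\Public\Downloads\wardian.js"'),  # assumed form
    ("msbuild", r'"C:\Users\alice\AppData\Roaming\Windows Multimedia Platform\M3hd0pf.exe"'),
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbe|vbs|js)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(users\\public|appdata\\roaming)\\", re.IGNORECASE)

def basename(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()

def script_from_outlook(ev: dict) -> bool:
    """Hunt 1: a VBE/VBS/JS file run by a script host whose parent is Outlook."""
    return (basename(ev["parent"]) == "outlook.exe"
            and basename(ev["image"]) in SCRIPT_HOSTS
            and SCRIPT_EXT.search(ev["cmdline"]) is not None)

def suspicious_run_value(name: str, data: str) -> bool:
    """Run-key value whose target lives in a user-writable folder, or that borrows
    the msbuild name while pointing outside the .NET framework directory."""
    if USER_WRITABLE.search(data):
        return True
    return "msbuild" in name.lower() and "microsoft.net" not in data.lower()

def hunt(events=PROCESS_EVENTS, run_values=RUN_VALUES) -> list:
    """Return (rule, evidence) pairs for everything that matches either check."""
    hits = [("script_from_outlook", ev["cmdline"]) for ev in events if script_from_outlook(ev)]
    hits += [("suspicious_run_value", f"{n} = {d}") for n, d in run_values if suspicious_run_value(n, d)]
    return hits

if __name__ == "__main__":
    for rule, evidence in hunt():
        print(f"[{rule}] {evidence}")
```

On the constructed sample set the script flags the Outlook-spawned .vbe and both campaign-style Run values while ignoring the explorer-launched .vbs, the Word document, and the OneDrive entry.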
The DarkCloud Stealer campaign exemplifies evolving threat actor sophistication—leveraging weaponized archives, image‐based loaders, and dual‐channel exfiltration.
By publicly sharing detailed indicators and mitigation tactics, CyberProof equips organizations to bolster defenses, detect early signs of compromise, and disrupt the attacker kill chain before sensitive financial credentials are lost.