Unveiling a New Variant of the DarkCloud Campaign
DarkCloud malware spreads through phishing emails and uses a JavaScript file inside a RAR attachment to start its attack chain. The malware steals browser data, payment information, and contact data and sends them to the attacker over SMTP. Fortinet provides multi-layer protection against this kind of threat. 2025-8-7 13:0:0 Author: feeds.fortinet.com

Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Collect sensitive information from the victim’s computer
Severity level: High

Background

In early July 2025, Fortinet’s FortiGuard Labs team observed a new DarkCloud campaign in the wild. It began with a phishing email carrying an attached RAR archive. I subsequently investigated this campaign and conducted a step-by-step analysis.

DarkCloud is a stealthy Windows information stealer first identified in 2022. It is designed to steal sensitive information from the victim’s computer, including saved login credentials, financial data, contacts, and more.

In this analysis, I will show how the campaign initiates on the victim’s computer, how it establishes persistence on the system, how it downloads, decodes, and deploys the fileless DarkCloud payload, the types of sensitive information this variant can harvest from the victim, and how the stolen data is exfiltrated.

Infection Chain

Figure 1 shows the infection chain of this new DarkCloud variant.

Figure 1: New DarkCloud variant infection chain.

Initialization of Phishing Email Attack

The phishing email, shown in Figure 2, lures recipients into opening an attached RAR file under the pretext of providing an urgent quote. Notably, the email contains no message body. Only an attachment is included.

Figure 2: The phishing email with a RAR attachment.

Opening Quote #S_260627.RAR in WinRAR reveals a single file inside, a JavaScript file named Quote #S_260627.js. When the recipient double-clicks it, Windows launches the default handler for .js files, WScript.exe (Windows Script Host), to execute the script.

JavaScript & PowerShell

The JavaScript is obfuscated, as shown in Figure 3. When executed, it dynamically decodes a piece of PowerShell code from the obfuscated content and then creates a WScript.Shell object to run it.

Figure 3: Partial code of the JavaScript file.

The cosmea variable holds the decoded launcher string powershell -w hidden -noprofile -ep bypass -c (hidden window, no profile, execution policy bypassed), while the effortless variable contains the decoded PowerShell code.

The PowerShell code itself is Base64-encoded and is decoded at runtime. Figure 4 shows the decoded code, which is split into several parts.

Figure 4: Base64-decoded PowerShell code.

It first downloads a JPEG image that serves as a disguise, shown in Figure 5.

Figure 5: View of the disguised JPEG file.

According to my analysis, an encrypted .NET DLL is embedded within this JPEG file.

The PowerShell code then locates the .NET DLL by parsing the JPEG file, loads it with [Reflection.Assembly]::Load(), and invokes ClassLibrary1.Home.VAI() through Invoke(), passing the array of parameters held in the $florinda variable.
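The write-up says the loader finds the DLL by parsing the JPEG but does not show how. The following is an added triage example for this page, not FortiGuard's code and not the campaign's loader. It assumes the dropper appends its payload after the JPEG's end-of-image (EOI) marker, a common way to hide data in a picture, and it runs on a constructed minimal JPEG rather than the real sample. It walks the marker segments by their declared lengths instead of searching for the first FF D9, so an embedded thumbnail cannot fool it:

```python
"""Find where a JPEG's image data ends and carve whatever is appended after it.

Added example for this write-up, not FortiGuard's or the campaign's code. It
assumes the DLL is appended after the EOI marker (an assumption; the text only
says the JPEG is "parsed") and uses a constructed minimal JPEG as input.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM and the RSTn family.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past EOI."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        (seg_len,) = struct.unpack_from(">H", data, pos + 2)
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows with no length field; skip until the
            # next real marker (FF followed by anything but 00 or an RSTn code).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("EOI marker not found")


def carve_trailer(data: bytes) -> dict:
    """Return the bytes after the image plus a few triage facts about them."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    return {
        "image_end": end,
        "trailer_len": len(trailer),
        # Only true for a plaintext PE. The DLL in this campaign is encrypted,
        # so for the real sample the size of the trailer is the tell, not "MZ".
        "looks_like_pe": trailer[:2] == b"MZ",
        "trailer": trailer,
    }


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG: APP0, a one-component SOS, a few entropy
    bytes with FF00 stuffing and an RST0 marker, EOI, then `trailer`."""
    app0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"
    scan = b"\x12\x34\xFF\x00\x56\xFF\xD0\x78"
    return b"\xFF\xD8" + app0 + sos + scan + b"\xFF\xD9" + trailer


if __name__ == "__main__":
    sample = build_sample_jpeg(b"MZ\x90\x00" + b"\x00" * 60)
    info = carve_trailer(sample)
    print(f"image ends at {info['image_end']}, {info['trailer_len']} trailing bytes, "
          f"PE header: {info['looks_like_pe']}")
```

Pointing carve_trailer() at a real image tells you within seconds whether there is a trailer worth decrypting; if the trailer is empty, the payload is hidden another way (for example in image data itself) and a different tool is needed.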

Dissecting the .NET Module

The .NET DLL’s assembly name is Microsoft.Win32.TaskScheduler, so it masquerades as a Task Scheduler-related module, likely to mislead both the victim and researchers. Figure 6 shows a debugger view paused at VAI(), the method the PowerShell code invokes and therefore the DLL’s effective entry point.

Figure 6: Viewing the VAI() method in a debugger.

The .NET DLL module performs tasks such as maintaining persistence, downloading and decoding the fileless DarkCloud payload, and deploying the payload in a Windows process using process hollowing.

  • Persistence Mechanism

The module copies the JavaScript file to another location by running cmd.exe /C copy *.js C:\Users\Public\Downloads\edriophthalma.js. The target folder and file name are supplied by the PowerShell code.

It then adds an auto-run entry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, as shown in Figure 7.

Figure 7: The auto-run item added to the system registry.

This ensures that the copied edriophthalma.js file is executed automatically each time the user logs on (HKCU Run entries fire at user logon, not at system boot).
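A defender checking for this persistence wants something that flags the pattern rather than the one file name. The block below is an added example, not FortiGuard's code: it classifies Run-key entries by three heuristics (a script file, a script host, a user-writable directory) that are the author's assumptions about what separates this autorun from benign ones. The sample entries are constructed; only the edriophthalma.js path and the HKCU Run key come from the write-up, and Figure 7's exact value data is not reproduced. On Windows it reads the live key through winreg; elsewhere it falls back to the sample so it runs offline.

```python
"""Flag Run-key autoruns of the kind this campaign installs.

Added example, not FortiGuard's code. Heuristics and sample entries are the
author's constructions; only the edriophthalma.js path and the Run key
location come from the write-up.
"""
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta|ps1)\b", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh)(\.exe)?\b", re.I)
WRITABLE_DIR = re.compile(
    r"\\(users\\public|programdata|appdata\\local\\temp|windows\\temp)\\", re.I)


def classify_autorun(command: str) -> list[str]:
    """Return the reasons an autorun command looks like dropper persistence."""
    reasons = []
    if SCRIPT_FILE.search(command):
        reasons.append("launches a script file")
    if SCRIPT_HOST.search(command):
        reasons.append("invokes a script host")
    if WRITABLE_DIR.search(command):
        reasons.append("lives in a user-writable directory")
    return reasons


def scan_autoruns(entries):
    """entries: iterable of (value_name, command). Returns the flagged ones."""
    hits = []
    for name, command in entries:
        reasons = classify_autorun(command)
        if reasons:
            hits.append((name, command, reasons))
    return hits


def read_hkcu_run():
    """Live collection on Windows; returns [] elsewhere so the example runs offline."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, value, _type = winreg.EnumValue(key, i)
            except OSError:       # no more values
                break
            entries.append((name, str(value)))
            i += 1
    return entries


# Constructed sample: two benign entries and two that match the dropper's pattern.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("edriophthalma", r"C:\Users\Public\Downloads\edriophthalma.js"),
    ("Updater", r'wscript.exe //B "C:\ProgramData\upd.vbs"'),
]

if __name__ == "__main__":
    for name, command, reasons in scan_autoruns(read_hkcu_run() or SAMPLE_ENTRIES):
        print(f"[!] {name}: {command}\n    " + "; ".join(reasons))
```

A bare path to a .js file is enough for Windows to run it through WScript.exe, which is why the first heuristic does not require an explicit script host in the value.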

  • Payload Download

As noted above, the first parameter of the VAI() method is a reversed Base64-encoded string (refer to Figure 6). The .NET module reverses and Base64-decodes it to obtain the URL hxxp://paste[.]ee/d/0WhDakVP/0. Requesting that URL returns the payload as a reversed PE file, as illustrated in Figure 8.

Figure 8: Reversed DarkCloud payload.

After reversing the response and converting it from a hex string to binary, an EXE image exists only in memory; this is the fileless DarkCloud payload.
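The two reversals are easy to get backwards during analysis (reverse before or after decoding), so it helps to have the recovery written down. The block below is an added example, not code from the Fortinet write-up or from the malware: it reproduces the transformations the text describes, reverse-then-Base64 for the URL parameter and reverse-then-unhex for the downloaded body, on constructed inputs, and validates the result with a minimal PE header check so a wrong order fails loudly. The URL, the parameter value and the PE skeleton are all constructed; the real parameter and paste contents are not included.

```python
"""Undo the two string reversals the .NET module performs.

Added example, not code from the Fortinet write-up or from the malware.
All inputs (URL, parameter, PE skeleton) are constructed stand-ins.
"""
import base64
import binascii
import re
import struct


def decode_reversed_b64(param: str) -> str:
    """The first VAI() parameter: reverse the text, then Base64-decode it."""
    return base64.b64decode(param[::-1]).decode("utf-8")


def decode_reversed_hex(body: str) -> bytes:
    """The downloaded body: drop whitespace, reverse, then hex-decode to bytes."""
    return binascii.unhexlify(re.sub(r"\s+", "", body)[::-1])


def pe_summary(image: bytes) -> dict:
    """Minimal PE header check so a wrong reversal is caught immediately."""
    if image[:2] != b"MZ":
        raise ValueError("decoded data has no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections = struct.unpack_from("<HH", image, e_lfanew + 4)
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)
    return {"machine": machine, "sections": nsections,
            "pe32": magic == 0x10B, "entry_rva": entry_rva}


def build_sample_pe() -> bytes:
    """Constructed 32-bit PE skeleton (headers only) standing in for the
    payload; it is not executable, just enough for pe_summary()."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x200, 0, 0, 0x1000)       # PE32, entry 0x1000
    return dos + coff + opt.ljust(0xE0, b"\0")


def serve_like_paste(image: bytes) -> str:
    """Constructed stand-in for the hosted text: hex of the PE, reversed."""
    return image.hex()[::-1]


SAMPLE_URL = "http://example.invalid/d/sample/0"                         # constructed
SAMPLE_PARAM = base64.b64encode(SAMPLE_URL.encode()).decode()[::-1]      # constructed


def recover(param: str, body: str) -> tuple[str, dict]:
    """Full chain: URL from the parameter, PE facts from the body."""
    return decode_reversed_b64(param), pe_summary(decode_reversed_hex(body))


if __name__ == "__main__":
    url, info = recover(SAMPLE_PARAM, serve_like_paste(build_sample_pe()))
    print(url, info)
```

For the real sample, feed recover() the first element of $florinda and the raw text fetched from the paste URL; a machine value of 0x14C and pe32 == True confirm the 32-bit image the process-hollowing section expects.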

  • Deploy DarkCloud Payload with Process Hollowing

It then searches the .NET Framework directories on the victim’s system for MSBuild.exe; the file name is supplied by the PowerShell code (see Figure 6). In my environment, it resolved to %Windir%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, the 32-bit build.

Figure 9: Partial list of Windows APIs used for process hollowing.

It then performs process hollowing on a newly created MSBuild.exe process. To do so, it calls a series of Windows APIs, such as those listed in Figure 9.

The steps involved are as follows:

  • It creates a new MSBuild.exe process in a suspended state.
  • It unmaps the original image from the new process and writes the DarkCloud payload into it.
  • It sets the EAX register in the suspended thread’s context to the entry point of the DarkCloud payload (EAX, because both the VB6 payload and the Framework\ build of MSBuild.exe are 32-bit).
  • It resumes the suspended process, so DarkCloud runs inside what appears to be a legitimate MSBuild.exe process.

The relevant APIs called are:

CreateProcess(), ReadProcessMemory(), VirtualAllocEx(), NtUnmapViewOfSection(), WriteProcessMemory(), GetThreadContext(), SetThreadContext(), and ResumeThread().

A Closer Look at the DarkCloud Payload

The DarkCloud payload is written in Microsoft Visual Basic 6. Analyzing it with VB Decompiler reveals the code structure shown in Figure 10.

Figure 10: The DarkCloud code structure.

As shown, this DarkCloud variant consists of a Form with several Timer controls attached. In Visual Basic 6, a Timer is a control that fires its Timer event handler repeatedly at a configured interval. According to my analysis, Timer4 is the primary worker timer; its handler runs every 150 milliseconds.

Anti-Analysis Technology

  • Encrypted Constant Strings

To hinder analysis, DarkCloud encrypts most of its constant strings: the payload contains more than 600 of them, each decrypted on demand at runtime. Figure 11 shows an example, the decryption of the Unicode string VBScript.RegExp.

Figure 11: Decrypted constant strings.

  • Anti-Sandbox

Timer4’s handler contains a mechanism for evading automated analysis systems such as sandboxes. It checks whether a real user is interacting with the computer by monitoring mouse and keyboard activity.

The malware calls the GetAsyncKeyState() API to check key state. When the queried key or mouse button has been pressed, the call returns 0x8001: the high bit (0x8000) indicates the key is currently down and the low bit (0x0001) that it has been pressed since the previous call. DarkCloud calls the API in a loop and checks the result until it sees that a key has been pressed, as shown in Figure 12.

Until such input occurs, the malware simply stays idle, so a sandbox that does not simulate user interaction never observes its real behavior.

Figure 12: Code snippet for checking the victim’s input event.

Collecting Sensitive Information

  • Basic information:

DarkCloud retrieves the computer name and username from the compromised system by calling the VB runtime’s rtcEnvironVar() function (the implementation behind VB’s Environ()).

It also obtains the victim’s public IP address by sending a request to http://showip.NET.

  • Credentials and Payment Information

The malware harvests saved credentials and payment information from several popular web browsers.

Figure 13: Browser profile paths.

DarkCloud walks the profile paths of the browsers listed in Figure 13 to reach the sensitive data stored in the Login Data and Web Data files; both are SQLite3 databases.

It executes two SQL queries, both stored as encrypted constant strings, to retrieve the contents of the logins and credit_cards tables:

SELECT origin_url, username_value, password_value FROM logins
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards

It utilizes relevant SQLite APIs, such as sqlite3_prepare_v2(), sqlite3_column_text(), and sqlite3_column_blob(), to extract sensitive data.

Some of the retrieved data, such as saved passwords, is encrypted. To read it, DarkCloud drops and executes a helper EXE that extracts the browser’s decryption key, which the malware then uses to decrypt the saved passwords.
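To see exactly what those two queries expose, and why the extra key-extraction step is needed, the block below runs them against a constructed Chromium profile database. This is an added example, not FortiGuard's or the malware's code: the database is built in memory with only the columns the queries touch (real profiles have many more), the rows are constructed, and the "ciphertext" bytes are filler. It does not decrypt anything; it only classifies each secret by what a collector would still need.

```python
"""Run the two queries the stealer issues against a constructed Chromium
profile database, and show why the password column is not usable as-is.

Added example, not FortiGuard's or the malware's code. Schema is trimmed to
the queried columns; rows and ciphertext bytes are constructed.
"""
import sqlite3

LOGINS_QUERY = "SELECT origin_url, username_value, password_value FROM logins"
CARDS_QUERY = ("SELECT name_on_card, expiration_month, expiration_year, "
               "card_number_encrypted FROM credit_cards")


def build_sample_profile() -> sqlite3.Connection:
    """Constructed stand-ins for a profile's `Login Data` and `Web Data`
    files, merged into one in-memory database for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB);
        CREATE TABLE credit_cards (name_on_card TEXT, expiration_month INTEGER,
                                   expiration_year INTEGER, card_number_encrypted BLOB);
    """)
    # Chromium on Windows (v80+) prefixes its AES-256-GCM ciphertext with "v10";
    # the per-profile key sits in `Local State`, itself protected with DPAPI.
    enc = b"v10" + b"\x11" * 12 + b"\x22" * 16 + b"\x33" * 16   # nonce, ct, tag (constructed)
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://mail.example.invalid/", "alice", enc),
        ("https://bank.example.invalid/", "alice@example.invalid", enc),
    ])
    conn.execute("INSERT INTO credit_cards VALUES (?, ?, ?, ?)",
                 ("ALICE EXAMPLE", 12, 2027, enc))
    conn.commit()
    return conn


def classify_secret(blob: bytes) -> str:
    """What a collector still needs in order to read this value."""
    if blob[:3] == b"v10":
        return "aes-gcm: needs key from Local State (DPAPI)"
    return "not v10-prefixed: legacy DPAPI blob or plaintext"


def harvest_view(conn: sqlite3.Connection) -> dict:
    """Run the stealer's queries and summarise what each row exposes.
    URLs and usernames come back in the clear; secrets do not."""
    logins = [(url, user, classify_secret(pw))
              for url, user, pw in conn.execute(LOGINS_QUERY)]
    cards = [(name, f"{month:02d}/{year}", classify_secret(num))
             for name, month, year, num in conn.execute(CARDS_QUERY)]
    return {"logins": logins, "credit_cards": cards}


if __name__ == "__main__":
    view = harvest_view(build_sample_profile())
    for row in view["logins"] + view["credit_cards"]:
        print(row)
```

The URL, username, cardholder name and expiry are readable straight from the database, which is already useful to an attacker; the v10-prefixed blobs are the part that justifies the dropped helper EXE described above.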

All collected data is written to a local text file (see Figure 14) that is later submitted to the attacker.

Figure 14: Example of credentials and payment information collected from Chrome.

Beyond web browsers, DarkCloud also collects credentials from email clients and FTP clients, as well as sensitive data stored in the following profile folders.

%AppData%\Adobe
%AppData%\dnSpy
%AppData%\FileZilla
%AppData%\IDMComp
%AppData%\Mozilla
%AppData%\SweetScape
%AppData%\Wireshark

Relevant software list:

Google Chrome, Microsoft Edge (and Edge-based Browsers), Mozilla Firefox, Brave Browser, FoxMail, eM Client, Microsoft Outlook, CoreFTP, WinSCP, Adobe, dnSpy, FileZilla, IDMComp, Mozilla, SweetScape, and Wireshark.

  • Email Contacts:

DarkCloud can also retrieve the victim’s email contacts from several email clients installed on the compromised computer. Like the credentials, the harvested contacts are saved to local text files.

The following text files (their names are also decrypted constant strings) correspond to each email client and are submitted to the attacker.

ThunderBirdContacts.txt
163MailContacts.txt
EMClient10Contacts.txt
OutlookContacts.txt

Email clients list:

Mozilla Thunderbird, NetEase MailMaster, eM Client, and Microsoft Outlook.

Submission over SMTP

DarkCloud supports both FTP and SMTP for exfiltrating collected data to the attacker.

This variant uses SMTP. All the relevant strings, including the SMTP server domain, the login account and password, and the recipient address, are decrypted constant strings, so they ship inside the payload and can be recovered from it.

Figure 15: Malware about to send collected data over SMTP.

Figure 15 shows an example of DarkCloud submitting collected credentials and payment information as a text file attachment in an email. DarkCloud uses the same method to submit collected email contacts to the attacker.

The email subject contains basic information from the victim’s system, including the computer name, username, and public IPv4 address, which is shown at the bottom of Figure 15.

Figure 16 presents a screenshot of the SMTP traffic generated when transmitting the text file containing the collected credentials and payment information.

Figure 16: Collected data sent via SMTP over TLS.

Conclusion

In this analysis, we examined a new DarkCloud campaign discovered by Fortinet’s FortiGuard Labs. The campaign begins with a phishing email carrying a malicious RAR archive that lures the recipient into executing the JavaScript file inside it. The script decodes and launches PowerShell code, which in turn loads an encrypted, fileless .NET DLL masquerading as a legitimate Task Scheduler module.

The .NET DLL establishes persistence, downloads and reverses a payload from a remote URL, and uses process hollowing to inject the final DarkCloud payload into MSBuild.exe.

The payload, written in VB6, performs anti-analysis checks by monitoring keyboard and mouse activity to evade sandbox detection.

The analysis also covered what sensitive information the malware collects from the compromised system: credentials and payment information stored in web browsers, plus credentials from FTP clients and email clients. It also collects email contacts from the victim’s email client software.

Finally, I explained how the collected data saved in text files is submitted to the attacker via the SMTP protocol.

Fortinet Protections

Fortinet customers are already protected from this campaign with FortiGuard’s AntiSPAM, Web Filtering, IPS, and AntiVirus services as follows:

The URLs that serve the image file and the DarkCloud payload are rated as “Malicious Websites” by the FortiGuard Web Filtering service.

FortiMail recognizes the phishing email as “virus detected.” In addition, real-time anti-phishing provided by FortiSandbox embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions provides advanced protection against both known and unknown phishing attempts.

The FortiGuard Antivirus service detects the malicious JS file and the fileless DarkCloud payload with the following AV signatures:

JS/DarkCloud.ACVJ!tr
W32/DarkCloud.QU!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each solution. As a result, customers who have these products with up-to-date protections are already protected.

To stay informed of new and emerging threats, you can sign up to receive future alerts.

We also suggest our readers go through the free NSE training module NSE 1 – Information Security Awareness, which covers Internet threats and is designed to help end users learn how to identify and protect themselves from phishing attacks.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs:

URLs:

hxxps://archive[.]org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg
hxxp://paste[.]ee/d/0WhDakVP/0

Relevant Sample SHA-256:

[Quote #$_260627.js]
381AA445E173341F39E464E4F79B89C9ED058631BCBBB2792D9ECBDF9FFE027D

[DarkCloud payload]
82BA4340BE2E07BB74347ADE0B7B43F12CF8503A8FA535F154D2E228EFBEF69C


Source: https://feeds.fortinet.com/~/922857380/0/fortinet/blog/threat-research~Unveiling-a-New-Variant-of-the-DarkCloud-Campaign