Attacks leveraging the DarkCloud infostealer against financial organizations saw a “massive rise” in August 2025, according to a CyberProof report published Thursday.The stealer malware targets email, file transfer protocol (FTP) and browser credentials, with attackers using phishing emails with malicious RAR attachments as an initial access vector.In a recent attack against a financial company analyzed by CyberProof Managed Detection and Response (MDR) analysts and threat hunters, an employee downloaded an attachment titled “Proof of Payment.rar” and ran the VBE file contained in the archive.This file retrieved a JPG image hosted on the Internet Archive, which was embedded with the DarkCloud loader as an encrypted .NET file. This use of steganography and the Internet Archive is consistent with previous DarkCloud attacks analyzed by Fortinet’s FortiGuard Labs.The initial VBE file contains the necessary code to extract and decrypt the DarkCloud loader, which is then executed and downloads additional files including the main DarkCloud stealer payload.DarkCloud is injected into MSBuild.exe via process hollowing to conceal its malicious activity — however, it also injects into the mtstocom.exe process while attempting to steal Google Chrome and Microsoft Edge browser credentials, which triggered an endpoint detection and response (EDR) alert, CyberProof reported. The malware attempts to establish persistence in multiple ways, including by creating a Windows Registry Run key for the injected mtsocom.exe process and for a malicious process M3hd0pf.exe masquerading as the legitimate process MSBuild.exe.In this attack, DarkCloud attempted to connect to eight different external domains for data exfiltration over HTTP (port 80), including sites with uncommon top-level domains (TLDs) such as .xyz, .click and .biz. CyberProof noted that DarkCloud also supports both FTP and simple mail transfer protocol (SMTP) for data exfiltration.CyberProof provides IoCs for this recent campaign and recommends organizations be on alert for suspicious RAR attachments, VBE, VBS or JS file execution — especially from temporary folders or the Outlook content folder — process injection and processes other than msedge.exe or chrome.exe attempting to access browser login data.The researchers also recommended blocking outbound connections to uncommon TLDs such as those used in the DarkCloud campaign (.xyz, .click, .shop etc.) as these are commonly used in infostealer campaigns.
Malware, Email security, Data Security, Threat Intelligence
DarkCloud infostealer attacks against financial organizations on the rise
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds