DarkCloud Stealer Attacking Financial Companies With Weaponized RAR Attachments


DarkCloud Stealer has recently emerged as a potent threat targeting financial organizations through convincing phishing campaigns. Adversaries employ weaponized RAR attachments masquerading as legitimate documents to deliver a multi-stage JavaScript-based payload.

Upon opening the archive, victims execute a VBE script that leverages Windows Script Host to initiate a PowerShell downloader hidden in innocuous-seeming image files.

This initial access vector exploits users’ trust in routine financial correspondence, triggering an automated chain of decoding and decryption steps designed to evade conventional security controls.

In early September 2025, security teams observed a dramatic uptick in malicious RAR attachments sent to corporate email accounts within the banking sector.

CyberProof analysts identified that the archive named “Proof of Payment.rar” contains a VBE script which, when executed, calls PowerShell to download an embedded JPG file named universe-1733359315202-8750.jpg.

Figure: Device timeline showing the download activity from the user (Source – CyberProof)

The stealer’s loader is concealed within this image, and the decoding routine extracts the .NET DLL module directly from image pixel data.

CyberProof researchers noted that the PowerShell script rigorously checks memory offsets to locate a distinct BMP header pattern before carving out the loader DLL.

The following snippet illustrates the core loop used for scanning the downloaded image bytes:

# Slide a window over the image bytes looking for the header pattern.
for ($i=0; $i -lt $data.Length - $header.Length; $i++) {
    $match = $true
    # Compare the window byte-by-byte against the expected header.
    for ($j=0; $j -lt $header.Length; $j++) {
        if ($data[$i + $j] -ne $header[$j]) { $match = $false; break }
    }
    # First full match gives the offset where the embedded payload begins.
    if ($match) { $offset = $i; break }
}

Once the DLL is reconstructed in memory, the script invokes [Reflection.Assembly]::Load() to execute the loader without ever touching disk.
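The same byte-pattern scan can be turned around and used defensively: an image that arrives by email should contain only image data, so a BMP file header or a PE (MZ/PE) header appearing after the JPEG start-of-image marker is a strong sign that a payload has been appended or embedded. The following scanner is an added example written for this article, not code from CyberProof or from the malware; the article does not publish the exact BMP header pattern the loader searches for, so the structural checks on the BMP and PE headers below are the author's own, and the sample file is constructed inline. It goes slightly beyond the page by checking for an embedded PE as well as the BMP header.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"  # every JPEG starts with this marker


def find_all(data: bytes, pattern: bytes, start: int = 0):
    """Yield every offset at which `pattern` occurs in `data`.

    Same idea as the loader's nested byte-compare loop, but bytes.find does
    the scan in C, so it is fast enough for multi-megabyte attachments.
    """
    i = data.find(pattern, start)
    while i != -1:
        yield i
        i = data.find(pattern, i + 1)


def looks_like_bmp_header(data: bytes, off: int) -> bool:
    """Check that 'BM' at `off` is followed by a plausible BITMAPFILEHEADER:
    u32 file size, two u16 reserved fields that must be 0, u32 pixel offset."""
    if off + 14 > len(data):
        return False
    _magic, size, res1, res2, pix_off = struct.unpack_from("<2sIHHI", data, off)
    return res1 == 0 and res2 == 0 and size >= 14 and 14 <= pix_off <= len(data) - off


def looks_like_pe_header(data: bytes, off: int) -> bool:
    """Check that 'MZ' at `off` carries an e_lfanew (at +0x3C) that points at
    a 'PE\\0\\0' signature inside the buffer."""
    if off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    return 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0"


def scan_image(data: bytes):
    """Return a list of (finding, offset) pairs for anything that should not
    be inside a plain JPEG. An empty list means nothing suspicious was found."""
    findings = []
    if not data.startswith(JPEG_SOI):
        findings.append(("not-jpeg", 0))
    # Skip the first few bytes so the SOI marker itself is never matched.
    for off in find_all(data, b"BM", 4):
        if looks_like_bmp_header(data, off):
            findings.append(("bmp-header", off))
    for off in find_all(data, b"MZ", 4):
        if looks_like_pe_header(data, off):
            findings.append(("pe-header", off))
    return findings


def carve(data: bytes, off: int) -> bytes:
    """Return the bytes from `off` onward so an analyst can hand the embedded
    object to a sandbox or a PE parser (the equivalent of the loader's cut)."""
    return data[off:]


def build_sample() -> bytes:
    """Constructed test input: a JPEG-looking prefix, then a fake BMP header,
    then a minimal MZ/PE stub. Not a real file from the campaign."""
    jpeg_part = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x11" * 64   # 75 bytes
    bmp_hdr = b"BM" + struct.pack("<IHHI", 14 + 40 + 16, 0, 0, 54)          # 14 bytes
    pe_stub = bytearray(b"MZ" + b"\x00" * 0x3E)                             # 64-byte DOS header
    pe_stub[0x3C:0x40] = struct.pack("<I", 0x40)                            # e_lfanew -> 0x40
    pe_stub += b"PE\0\0" + b"\x00" * 20
    return jpeg_part + bmp_hdr + b"\x00" * 56 + bytes(pe_stub)


if __name__ == "__main__":
    sample = build_sample()
    for name, off in scan_image(sample):
        print(f"{name} at offset {off}, {len(carve(sample, off))} bytes follow")
```

In practice this would run over attachments pulled from the mail gateway or over files written by a script host; any `bmp-header` or `pe-header` hit in a file that claims to be a JPEG is worth an alert on its own, independent of the loader's specific pattern.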

Persistence and Credential Theft

After loading into memory, DarkCloud Stealer establishes persistence by copying a JavaScript payload to the Windows Run registry key under a disguised filename (M3hd0pf.exe masquerading as MSBuild.exe), ensuring execution on every user login.

The stealer then injects into legitimate processes like MSBuild.exe and mtstocom.exe using process hollowing techniques, enabling it to siphon saved credentials from browser databases such as Chrome’s Login Data.

Alerts from endpoint detection platforms confirm DPAPI access events and memory mapping into browser processes, revealing attempts to decrypt stored passwords directly in memory.

Figure: Stolen data being sent to remote IPs (Source – CyberProof)

Finally, stolen data is staged in user directories and exfiltrated via FTP and HTTP channels to dynamic domain clusters (.shop, .xyz), complicating network-based detection.

Financial institutions are urged to monitor for anomalous VBE/VBS execution, unexpected registry Run key modifications, and JavaScript files in public download folders to rapidly detect and disrupt this insidious campaign.
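The three monitoring recommendations above, plus the MSBuild.exe masquerade described earlier, map directly onto a handful of endpoint-telemetry rules. The following is an added example, not CyberProof's detection content: it evaluates constructed Sysmon-style events (process creation, registry value set, file creation) and flags the behaviours the article calls out. The event field names, the list of trusted install roots and the expected MSBuild.exe locations are the author's assumptions and should be adjusted to the environment; the `M3hd0pf.exe` filename comes from the article, everything else in the sample events is made up.

```python
import re
from pathlib import PureWindowsPath

# Assumed environment constants; tune these to the estate being monitored.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbe", ".vbs", ".js", ".jse"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
PUBLIC_DOWNLOADS = "c:\\users\\public\\downloads\\"
MSBUILD_HOMES = (
    "c:\\windows\\microsoft.net\\framework",
    "c:\\program files\\microsoft visual studio",
    "c:\\program files (x86)\\microsoft visual studio",
)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _ext(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def _tokens(cmdline: str):
    """Split a command line into quoted or bare tokens, quotes removed."""
    return [t.strip('"') for t in re.findall(r'"[^"]+"|\S+', cmdline)]


def detect(event: dict) -> list:
    """Return the names of every rule the single event trips (possibly none)."""
    hits = []
    kind = event.get("event")
    if kind == "process_create":
        image = event.get("image", "")
        # Rule 1: a script host launching a .vbe/.vbs/.js from a user-writable path.
        if _name(image) in SCRIPT_HOSTS:
            for tok in _tokens(event.get("cmdline", "")):
                if _ext(tok) in SCRIPT_EXTS and tok.lower().startswith(USER_WRITABLE):
                    hits.append("script-host-user-dir")
                    break
        # Rule 4: something named MSBuild.exe running outside its normal homes.
        if _name(image) == "msbuild.exe" and not image.lower().startswith(MSBUILD_HOMES):
            hits.append("msbuild-unexpected-path")
    elif kind == "registry_set":
        # Rule 2: Run/RunOnce value pointing at a script or an untrusted location.
        if RUN_KEY_RE.search(event.get("key", "")):
            target = event.get("value", "").lower().strip('"')
            if _ext(target) in SCRIPT_EXTS or not target.startswith(TRUSTED_ROOTS):
                hits.append("run-key-untrusted-target")
    elif kind == "file_create":
        # Rule 3: a script file dropped into the Public downloads folder.
        path = event.get("path", "")
        if path.lower().startswith(PUBLIC_DOWNLOADS) and _ext(path) in SCRIPT_EXTS:
            hits.append("script-in-public-downloads")
    return hits


def run_detections(events) -> list:
    """Evaluate every event; returns (event index, rule name) pairs in order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


# Constructed sample telemetry: the first four mirror the article's chain, the
# last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\Proof of Payment\Proof of Payment.vbe"'},
    {"event": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\M3hd0pf",
     "value": r"C:\Users\jdoe\AppData\Roaming\M3hd0pf.exe"},
    {"event": "process_create", "image": r"C:\Users\jdoe\AppData\Roaming\MSBuild.exe",
     "cmdline": "MSBuild.exe"},
    {"event": "file_create", "path": r"C:\Users\Public\Downloads\update.js"},
    {"event": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe build.proj"},
    {"event": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, rule in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule is deliberately narrow so that it can be tuned on its own; the Run-key rule in particular will need an allow-list for legitimate per-user software installed under AppData, but a Run value that resolves to a script extension should fire regardless.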
