New DarkCloud Stealer Uses AutoIt for Stealthy Login Credential Theft

Cybersecurity researchers at Unit 42 identified a surge in attacks deploying the DarkCloud Stealer, an infostealing malware actively leveraging AutoIt scripting to evade traditional security detection.

The latest campaign utilizes a multi-stage attack chain, distributing the malware via phishing emails and using publicly accessible file-sharing servers to host malicious payloads.

AutoIt: A Double-Edged Sword

AutoIt, a legitimate scripting language for automating Windows tasks, is at the core of DarkCloud’s obfuscation strategy.

Attackers compile the malicious script into a Portable Executable (PE) format, packaging it alongside encrypted data files within a RAR archive.

According to the Unit 42 report, this approach complicates static detection and hampers reverse engineering.

Decompilation is impeded by compression and encryption layers; only at runtime does the AutoIt interpreter decompress and execute the malicious instructions.

Technical analysis revealed that the initial infection vector is a phishing email carrying either a malicious PDF or the RAR archive itself.

Figure: Phishing PDF file.

The PDF masquerades as a legitimate document but prompts victims to download a fake software update, which is the RAR archive hosting the AutoIt-compiled EXE.

Upon execution, the AutoIt dropper reconstructs and decrypts additional payloads: specifically, an encrypted shellcode blob and the XOR-obfuscated DarkCloud payload itself.

The dropper modifies memory protections and executes the shellcode, which in turn decrypts and executes the final DarkCloud binary in-memory, minimizing on-disk footprints.
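As an added example (not code from the article or the Unit 42 report), the two checks an analyst would script for the stages above: flag a PE that carries the marker the AutoIt compiler embeds in every compiled script, and recover a PE hidden under the XOR layer. The single-byte key is an assumption, the sample blob is constructed, and the function names are mine.

```python
import hashlib

# Strings the AutoIt compiler (Aut2Exe) embeds in every compiled script:
# a cheap triage signal that a PE is an AutoIt wrapper, not proof of malice.
AUTOIT_MARKER = b"AU3!EA06"
AUTOIT_BANNER = b"This is a third-party compiled AutoIt script."
DOS_STUB = b"This program cannot be run in DOS mode"

def looks_like_compiled_autoit(data: bytes) -> bool:
    """True when the blob is a PE (MZ header) carrying an AutoIt marker."""
    return data[:2] == b"MZ" and (AUTOIT_MARKER in data or AUTOIT_BANNER in data)

def recover_xor_pe(blob: bytes):
    """Try all 256 single-byte XOR keys on an extracted blob.

    Returns (key, decoded_bytes) for the first key that yields an MZ header
    plus the DOS stub text (key 0 means the blob was already a plain PE), or
    None if no key does. Assumption: single-byte key; longer keys need more."""
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        if decoded[:2] == b"MZ" and DOS_STUB in decoded:
            return key, decoded
    return None

def triage_blob(blob: bytes) -> dict:
    """Run both checks and report the SHA256 for matching against an IOC list."""
    result = {"sha256": hashlib.sha256(blob).hexdigest(),
              "autoit_wrapper": looks_like_compiled_autoit(blob),
              "xor_key": None, "hidden_pe": False, "hidden_pe_is_autoit": False}
    hit = recover_xor_pe(blob)
    if hit:
        result["xor_key"], decoded = hit
        result["hidden_pe"] = True
        result["hidden_pe_is_autoit"] = looks_like_compiled_autoit(decoded)
    return result

# Constructed sample: a fake PE skeleton that mimics a compiled AutoIt EXE,
# then XOR-obfuscated with key 0x5A, the way the dropper hides its payload.
FAKE_PE = b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00" * 16 + AUTOIT_MARKER + b"\x00" * 32
XOR_KEY = 0x5A
OBFUSCATED = bytes(b ^ XOR_KEY for b in FAKE_PE)

if __name__ == "__main__":
    print(triage_blob(OBFUSCATED))
```

On a real sample the blob would come from the decrypted data file extracted from the RAR archive, and the SHA256 would be compared against the IOC table below.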

Stealthy Data Exfiltration

Once resident, DarkCloud Stealer aggressively searches for sensitive information on the victim’s machine.

Figure: Infection chain of the new DarkCloud Stealer variant.

It targets browser-stored credentials (logins, keys, credit card data), mail client profiles, and credentials from popular FTP and SMTP applications.

The malware consolidates harvested data, including screenshots and system identifiers, before exfiltrating it to a remote command-and-control (C2) server.

Advanced anti-analysis features complicate detection and analysis. The malware checks for the presence of debugging tools (e.g., WinDbg, Fiddler, Wireshark) and virtualization artifacts, employs junk code, and leverages obfuscated API calls.

It conducts external IP checks via online web services to profile victims and achieve geolocation awareness.

For persistence, DarkCloud creates entries in the Windows RunOnce registry key, ensuring execution on the next system boot.

Initial telemetry and reporting highlight increased targeting of government organizations, high-tech, finance, and manufacturing sectors.

Polish telecommunications firms noted DarkCloud activity on endpoints within Poland as of February 2025, while broader distribution was observed in the United States, Brazil, the Netherlands, and Turkey.

Despite its origins in 2022, the malware family has seen continuous updates and obfuscation improvements, with as many as 35 variant samples detected on a single day.

Given the sophistication and frequent mutation of DarkCloud Stealer, traditional signature-based protection alone is inadequate.

Behavioral and dynamic analysis, such as that deployed by Palo Alto Networks’ Advanced WildFire, Cortex XDR, and XSIAM, is effective in identifying and blocking both known and evolving strains.

Organizations are urged to reinforce phishing awareness training, implement robust endpoint monitoring, and investigate suspicious outbound data flows. If compromise is suspected, prompt incident response engagement is essential.

Indicators of Compromise (IOCs)

Indicator type | Value | Description
SHA256 (PDF) | bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc | Malicious phishing PDF
SHA256 (RAR archive) | 9940de30f3930cf0d0e9e9c8769148594240d11242fcd6c9dd9e9f572f68ac01 | Downloaded archive with payload
SHA256 (AutoIt EXE #1) | 30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371 | AutoIt-compiled EXE
SHA256 (AutoIt EXE #2) | 1269c968258999930b573682699fe72de72d96401e3beb314ae91baf0e0e49e8 | Alternate EXE sample
Malicious URL | hxxps[:]//files.catbox[.]moe/olyfi3.001 | File-sharing delivery URL

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.