{
	"id": "c4a3cbd9-9d8f-496c-9852-32f0da9c5901",
	"created_at": "2026-04-06T00:15:15.17139Z",
	"updated_at": "2026-04-10T03:37:08.614552Z",
	"deleted_at": null,
	"sha1_hash": "3a9608be95d64f2a3b6a6971e2f2a7f8621cc2c0",
	"title": "DarkCloud",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9010272,
	"plain_text": "DarkCloud\r\nBy REXor\r\nArchived: 2026-04-05 15:31:18 UTC\r\n_Overview\r\nDarkCloud is a type of malware categorized as a Stealer, which has evolved over time and positioned itself as one\r\nof the most widely used in its category. DarkCloud began making an impact in 2022 and gained relevance that\r\nsame year and in 2023 by being promoted in various forums showcasing its functionalities. As usual, it was sold\r\nthrough different sources, often leading buyers to communicate via Telegram for its acquisition.\r\nThe execution and distribution of this Stealer have been driven by phishing campaigns, where attackers\r\nimpersonated various companies or disguised their attacks as payment receipts, fines, and other commonly used\r\ntactics aimed at compromising HR departments or similar targets. However, it has also been used in other, less\r\nfrequent campaigns, where users were directed to download or execute malicious samples through infected\r\nproducts or websites, employing techniques such as malvertising, watering hole attacks, or similar methods.\r\nAdditionally, it has occasionally been deployed alongside other malware acting as loaders or launched in\r\nconjunction with similar threats, such as DbatLoader or ClipBanker.\r\n_Technical Analysis\r\nThe distribution method, as we mentioned, can vary, but in the vast majority of samples I have encountered,\r\nphishing has been the primary focus. Therefore, we can say that phishing is the most common distribution\r\ntechnique for DarkCloud, even though it has been associated with other methods. Once the victim accesses the\r\nlink or downloads the file, they may encounter compressed files leading to a loader, documents, or even scripts in\r\ndifferent languages that initiate execution. After this, a loader is executed, which typically downloads the next\r\nstage or contains it within its resources, obfuscated or encrypted, to extract the next module. 
This module will load DarkCloud in memory and inject it into a target process. The final step is the theft of various types of information, including browser data, FTP credentials, screenshots, keystrokes and more.\r\nA diagram summarizing the most common versions I have encountered, attempting to unify them into a single representation, is as follows:\r\nhttps://rexorvc0.com/2025/03/31/DarkCloud/\r\nPage 1 of 31\r\nDuring the analysis process, I have come across various samples that all aim to achieve the same goal: executing DarkCloud. While respecting the different versions, I will highlight the most relevant and distinct ones I have found to give a clearer understanding of the existing variants, avoiding excessive detail so that the explanation stays engaging rather than tedious.\r\nAs mentioned earlier, the most common approach involves phishing attempts using documents, compressed files or other formats.\r\nGoing straight to the point, in an initial execution of one of the samples I analyzed, we see a rather extensive process: a succession of copies of the executable launched from temporary paths.\r\nOnce the victim falls for the phishing attack, they may be led to different types of loaders. Some of these are scripts, covering a wide range of formats, from JAR and BAT to PowerShell (PS). 
It’s quite interesting to see the variety of types I have encountered, especially considering that I generally do not analyze samples from previous years.\r\n_Script Loader Versions\r\nIn the case of JAR files, they retrieve the next stage from embedded resources, something that, as we will see, is not the common trend in DarkCloud.\r\nIn other versions, such as those written in PowerShell, which are more common, we observe executions where, after multiple and varied obfuscation techniques, the process leads either to a download or to the extraction of a binary. This binary carries the next stage in its resources, which in this case is an AutoIt script.\r\nAt this stage, several tasks are performed, such as the creation of a VBS file (a very common practice, as you will see) in startup-like folders to establish persistence. Ultimately, this specific sample injected into svchost, but we will explore that in more depth later.\r\nTo wrap up the discussion on scripts, another frequent scenario involves VBS/PowerShell scripts, more or less obfuscated, that connect to a remote host to download and execute the payload. This method is similar to the one previously observed in PowerShell. If the download link is down, however, the process reaches a dead end, something quite typical for this malware. As I mentioned earlier, a large number of samples follow this step at some point. Here are some additional examples.\r\n_Most common loader stage\r\nMoving on to another category of samples, on which I will expand a bit more, we have those typically based on .NET. These can act as loaders or appear in the second stage, depending on the version. 
Among these there are many similar samples, often using different obfuscators.\r\nAfter working through several of these obfuscators, we usually reach an initial function where the samples, in different ways, request the next stage in order to process it. This poses a problem, as you might expect, because unless the sample is very recent the download URL is likely already inactive and the next stage cannot be retrieved. This means we get stuck at the dynamic analysis stage (debugging and such things) and can only rely on our sharp eyesight to understand everything statically. Personally, I dislike this approach, as I prefer to examine all (or most) of the functions to gain a deeper understanding of everything the malware does.\r\nAs we can see, when the sample tries to load the path, and therefore the binary, it crashes and we hit a dead end.\r\n_Technical Issues\r\nI wanted to dive deeper into a specific topic in case it helps someone, but it doesn’t affect the overall understanding of the analysis, so if you’re not interested feel free to skip it (you can follow the analysis in the “Following the thread” section). In this case, we reached a DarkCloud sample which, as in most cases (if we want to roll back and don’t have fresh samples), makes requests to a specific domain to download the next stage, as we’ve seen. This might seem like a trivial issue, but it’s actually quite serious if you truly want to analyze in detail how a sample works or, in this case, how multiple variants of the same malware behave.\r\nSometimes it’s a good strategy to try to obtain the file that is being downloaded. Tools like VT (VirusTotal), Any.Run, JoeSandbox, Tria.ge and others make this relatively easy, as long as we know the IP or domain the sample is contacting. 
We can then pivot and take a more h4ck3r-like approach, capturing packets (.pcap) to inspect the received data; how deep you want to go into this is up to you. However, in this case additional steps were required, because the sample requested the file at runtime in order to modify, process and then execute or load it. This adds an extra challenge, as we need to understand the sample, debug it up to the right point and manipulate it so that it processes the file correctly.\r\nI came up with three ways to approach this (I know there are many more, and yours is probably better). To keep things simple, I tested them on multiple examples but will only show one to stay focused:\r\n_Setting Up an HTTP Server and Hosting the Sample Locally\r\nThis is probably the simplest option. It involves extracting the sample (which we would have retrieved by pivoting and identifying what it wants to download), placing it in a directory like C:\\, modifying the hosts file to point the contacted domain to our local machine, and starting an HTTP server using Python. I chose port 80 even though the request was originally HTTPS, because changing an “s” in the debugger is obviously much easier. Once we reach the same execution point, we can observe what the sample is served and proceed further.\r\n_Modifying Traffic with Fiddler\r\nSometimes I like using Fiddler, so I wanted to test it in this scenario. I simply created a rule so that, when the specific URL was requested, Fiddler would serve the file from my local directory. Some configuration changes were required in Fiddler to redirect traffic to localhost. Of course, I also modified the hosts file; in this case, I set up test.com to point to localhost. 
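The local-hosting approach above can be scripted rather than run as a bare python -m http.server. The following is an added example, not the author's setup: it assumes the loader requests /update/invoice.pdf (a made-up path; take the real one from the debugger or the pcap) and uses constructed bytes as the stage. It serves that one path only, answers 404 to anything else, and records each request's method, path and User-Agent so that what the loader actually asks for can be reviewed afterwards. The hosts-file change and the HTTPS-to-HTTP patch in the debugger are still done as described above; binding port 80 needs administrator rights, so the demo picks a free port and the reader passes 80 to match the sample.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the recovered next stage: recognisable bytes, not a real PE
STAGE_BYTES = b'MZ' + bytes(62) + b'PE' + bytes(2) + b'constructed-stage'
# Assumed path the loader requests; take the real one from the debugger or the pcap
STAGE_PATH = '/update/invoice.pdf'

REQUEST_LOG = []   # (method, path, user_agent) per request, reviewed after the run


class StageHandler(BaseHTTPRequestHandler):
    '''Serve STAGE_BYTES for STAGE_PATH only; everything else gets a 404.'''

    def do_GET(self):
        REQUEST_LOG.append((self.command, self.path, self.headers.get('User-Agent', '')))
        if self.path != STAGE_PATH:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header('Content-Type', 'application/octet-stream')
        self.send_header('Content-Length', str(len(STAGE_BYTES)))
        self.end_headers()
        self.wfile.write(STAGE_BYTES)

    def log_message(self, fmt, *args):
        pass   # keep stdout quiet; REQUEST_LOG holds what matters


def start_server(port=0):
    '''Bind 127.0.0.1 (port 0 = any free port; pass 80 to match the sample) and serve in the background.'''
    srv = HTTPServer(('127.0.0.1', port), StageHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, path):
    '''Client side of the exchange, i.e. what the patched sample would receive: (status, body).'''
    req = urllib.request.Request('http://127.0.0.1:%d%s' % (port, path),
                                 headers={'User-Agent': 'analyst-check'})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b''


if __name__ == '__main__':
    srv = start_server()
    port = srv.server_address[1]
    print('serving', STAGE_PATH, 'on 127.0.0.1:%d' % port)
    print(fetch(port, STAGE_PATH)[0], fetch(port, '/other')[0])
    print(REQUEST_LOG)
    srv.shutdown()
    srv.server_close()
```

Once the hosts file maps the contacted domain to 127.0.0.1 and the server runs on port 80, the loader's own request shows up in REQUEST_LOG with the exact path and User-Agent it uses, which is also a cheap way to confirm the debugger patch from HTTPS to HTTP took effect.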
Once the sample reached the same function, I made the same modification as before, switching to HTTP, to ensure it received the file at runtime.\r\n_Combining Techniques\r\nFor the third approach, I experimented with a hybrid method. I kept the same rules as before but changed the URL to one I was serving on test.com, with the file located in C:\\. When execution reached the crucial point, I changed the URL and it loaded successfully.\r\n_Following the thread\r\nAfter obtaining and loading the file at runtime, the next step involves key generation. As mentioned earlier, it’s very common for pre-loader stages to deobfuscate or decrypt some part of the code, or even an entire file.\r\nAt this stage, we can see that the PDF was loaded into an array, and indeed it matches the one we had retrieved via pivoting.\r\nFrom here, the usual process follows: the code undergoes processing, whether through deobfuscation or decryption. In this example, the technique used is Base64 + TripleDES.\r\nWe observe how the keys are processed.\r\nAfter this, at the end of the function, we can obtain the processed binary.\r\nAt this point, we can go full h4ck3r mode again and verify that we are on the right track and truly understand the process. 
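One such check, added here as an example and not code from the original post: before trusting what 3DES returned, strip the PKCS7 padding that the .NET TripleDES class applies by default (the decryption script that follows writes it to disk along with the PE), confirm the result parses as a PE, read the COFF Characteristics to tell a DLL from an EXE (the text notes that this stage is usually a library) and hash it for matching against the IOC list. The input is a constructed, minimal PE-shaped blob with padding appended, standing in for real 3DES output; a padding error is the first sign that the key, IV or mode is wrong.

```python
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit set on DLLs
PE_SIGNATURE = b'PE' + bytes(2)   # the 4-byte signature: PE followed by two NUL bytes


def unpad_pkcs7(data, block_size=8):
    '''Remove PKCS7 padding, which .NET TripleDES in CBC mode leaves on the plaintext.
    Malformed padding means the wrong key, IV or mode, so it is an error rather than ignored.'''
    if not data or len(data) % block_size:
        raise ValueError('length is not a multiple of the block size')
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError('bad PKCS7 padding: wrong key/IV, or not PKCS7')
    return data[:-n]


def parse_pe(blob):
    '''Describe a PE file (machine, section count, DLL flag, SHA-256) or raise ValueError.'''
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        raise ValueError('no MZ header')
    e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError('no PE signature at e_lfanew')
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, _, chars = struct.unpack_from('<HHIIIHH', blob, e_lfanew + 4)
    return {
        'machine': machine,
        'sections': nsect,
        'is_dll': bool(chars & IMAGE_FILE_DLL),
        'sha256': hashlib.sha256(blob).hexdigest(),
    }


def check_decrypted_stage(plaintext):
    '''What to run on the 3DES output before writing or loading it: unpad, then parse.'''
    return parse_pe(unpad_pkcs7(plaintext))


def pad_pkcs7(data, block_size=8):
    '''The padding .NET adds; used here only to build realistic test input.'''
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n


def build_fake_pe(is_dll):
    '''Constructed minimal PE-shaped blob: DOS header with e_lfanew, PE signature, COFF header.'''
    e_lfanew = 0x40
    dos = b'MZ' + bytes(0x3C - 2) + struct.pack('<I', e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack('<HHIIIHH', 0x014C, 3, 0, 0, 0, 0xE0, chars)   # i386, three sections
    return dos + PE_SIGNATURE + coff


if __name__ == '__main__':
    sample = pad_pkcs7(build_fake_pe(is_dll=True))   # stands in for cipher.decrypt(ciphertext)
    print(check_decrypted_stage(sample))
```

In practice the plaintext from the decryption script goes straight into check_decrypted_stage; the returned sha256 is what to compare with the hash list at the end of the post, and is_dll confirms whether this is the in-memory library the next paragraphs describe or already the final payload.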
For example, we can write Python code to handle the extracted file and perform the decryption ourselves.\r\nfrom Crypto.Cipher import DES3  # pycryptodome\r\nfrom Crypto.Util.Padding import unpad\r\nimport binascii\r\n# Keys recovered from the debugger: a 16-byte (two-key) 3DES key and an 8-byte IV\r\nrgbKey = bytes([0x39, 0x1C, 0x8A, 0x9E, 0x80, 0xC2, 0xF8, 0xDF, 0x36, 0x3E, 0x46, 0xFB, 0xD9, 0x12, 0x09, 0xBA])\r\nrgbIV = bytes([0xA3, 0x4B, 0x1F, 0xEB, 0x28, 0xFE, 0x46, 0xEA])\r\n# Ciphertext dumped as hex (redacted)\r\nhex_data = \"\u003credacted\u003e\"\r\nciphertext = binascii.unhexlify(hex_data)\r\n# Decrypt Triple DES (3DES) in CBC mode, the default mode of the .NET TripleDES class\r\ncipher = DES3.new(rgbKey, DES3.MODE_CBC, rgbIV)\r\nplaintext = cipher.decrypt(ciphertext)\r\n# .NET also pads with PKCS7 by default; strip it so the file ends where the PE does\r\nplaintext = unpad(plaintext, DES3.block_size)\r\n# Save\r\nwith open(\"output.exe\", \"wb\") as f:\r\n    f.write(plaintext)\r\nprint(\"Saved as output.exe\")\r\nIn both cases, we should be able to extract a binary, which is then loaded into memory.\r\nDecryption Result in a Graphical Format\r\nI tested this myself and, as expected, we received the same content in both cases.\r\nTo make the binary extraction process more visual, here’s a summary in graphical form:\r\nOnce we reach this stage, what we obtain in most cases is a library that loads the code into memory. However, it also performs other tasks, such as creating additional persistence mechanisms.\r\nAfter loading the library module, it carries out actions like creating scripts in temporary folders or startup-type directories. 
We’ve seen this before, but it’s not the only persistence mechanism I’ve encountered: some samples also modify registry settings or create scheduled tasks.\r\nExamples of Different Persistence Methods\r\nschtasks.exe /Create /TN \"Updates\\\u003cRandName\u003e\" /XML \"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\\u003cDroppedFile\u003e\"\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\u003cRandName\u003e.vbs\r\nKey: *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce - Data: *\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\\u003c\r\nUltimately, everything culminates in the injection of a VB-based binary, the stealer itself, into a process of its choosing. I’ve seen a variety of targets, ranging from RegSvc to .NET binaries and even the loader process itself. As is common with RATs and stealers, this technique is designed to evade detection and complicate analysis: it is much easier to spot an unusual process or file than to analyze or detect something that resides in the memory of a legitimate system process.\r\nHere’s a list of the most commonly used processes I’ve observed:\r\nSvchost\r\nInstallUtil\r\nMSBuild\r\nItself\r\nI didn’t want to go too deep into the extraction of the second binary, since it follows a similar process but from a second-stage library. The end result is a VB-based binary with extensive capabilities, which I will now present in a more accessible format.\r\nOnce injected, DarkCloud exhibits a wide range of malicious activities. It systematically gathers information from web browsers, collects system data and even harvests credit card details. 
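The persistence artefacts and injection targets above, turned into a detection check. This is an added example, not the author's code: it runs over a handful of constructed telemetry events written the way an EDR or Sysmon pipeline emits them (file writes, registry value sets, process creations, outbound connections) and flags the Startup-folder .vbs drop, a RunOnce value pointing into the Templates directory, a schtasks /Create whose XML comes from Temp, and a Telegram bot-API connection made by one of the injection targets listed above. The event schema, the user name, file names, the bot token and the reading of RegSvc as regsvcs.exe are all assumptions made for the example.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Injection targets named in the text (RegSvc is read as regsvcs.exe, an assumption);
# a Telegram bot-API call from any of these is not normal behaviour for that binary
INJECTION_TARGETS = {'svchost.exe', 'installutil.exe', 'msbuild.exe', 'regsvcs.exe'}
# Same pattern as the detection section, written without backslash escapes
TELEGRAM_BOT = re.compile('https?://api[.]telegram[.]org/bot[0-9]+:[A-Za-z0-9_-]+/')
DROPPED_EXT = ('.exe', '.vbs', '.cmd')


def _parts(path):
    '''Lower-cased path components; PureWindowsPath accepts either slash style, as real logs mix them.'''
    return [p.lower() for p in PureWindowsPath(path).parts]


def check_file_write(path):
    '''Startup-folder VBS drop, or a loader copy written to a temp/staging directory.'''
    p = PureWindowsPath(path)
    parts = _parts(path)
    ext = p.suffix.lower()
    if 'startup' in parts and ext == '.vbs':
        return 'T1547.001 Startup-folder VBS loader'
    staging = 'temp' in parts or 'templates' in parts or 'public' in parts or parts[-2:-1] == ['roaming']
    if ext in DROPPED_EXT and staging:
        return 'T1036 loader copy in a temporary/staging path'
    return None


def check_registry_set(key, value_data):
    '''RunOnce value whose data points into the Templates directory the loader drops into.'''
    if _parts(key)[-1:] == ['runonce'] and 'templates' in _parts(value_data):
        return 'T1547.001 RunOnce value pointing into the Templates directory'
    return None


def check_process(image, cmdline):
    '''schtasks /Create whose task definition XML comes from the user Temp directory.'''
    if PureWindowsPath(image).name.lower() != 'schtasks.exe':
        return None
    toks = shlex.split(cmdline, posix=False)       # non-POSIX: keeps backslashes and quotes intact
    low = [t.lower() for t in toks]
    if '/create' in low and '/xml' in low and low.index('/xml') + 1 < len(toks):
        xml_path = toks[low.index('/xml') + 1].strip(chr(34))   # chr(34) is the double quote
        if 'temp' in _parts(xml_path):
            return 'T1053.005 scheduled task created from an XML dropped in Temp'
    return None


def check_connection(image, url):
    name = PureWindowsPath(image).name.lower()
    if name in INJECTION_TARGETS and TELEGRAM_BOT.match(url):
        return 'T1071 Telegram bot API contacted from injection target ' + name
    return None


def run_detections(events):
    '''events: dicts with a type field; returns (event index, detection) pairs.'''
    hits = []
    for i, ev in enumerate(events):
        t = ev['type']
        if t == 'file_write':
            d = check_file_write(ev['path'])
        elif t == 'registry_set':
            d = check_registry_set(ev['key'], ev['data'])
        elif t == 'process_create':
            d = check_process(ev['image'], ev['cmdline'])
        elif t == 'connection':
            d = check_connection(ev['image'], ev['url'])
        else:
            d = None
        if d:
            hits.append((i, d))
    return hits


BS = chr(92)   # backslash; sample data below is written with forward slashes and converted to Windows form


def win(p):
    return p.replace('/', BS)


# Constructed telemetry (not from a real host): four events that should fire, two that should not
SAMPLE_EVENTS = [
    {'type': 'file_write', 'path': win('C:/Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/kJh3d.vbs')},
    {'type': 'file_write', 'path': win('C:/Users/alice/Documents/report.docx')},
    {'type': 'registry_set', 'key': win('HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce'),
     'data': win('C:/Users/alice/AppData/Roaming/Microsoft/Windows/Templates/kJh3d.exe')},
    {'type': 'process_create', 'image': win('C:/Windows/System32/schtasks.exe'),
     'cmdline': 'schtasks.exe /Create /TN ' + win('Updates/kJh3d') + ' /XML ' + win('C:/Users/alice/AppData/Local/Temp/tmp1A2B.tmp')},
    {'type': 'connection', 'image': win('C:/Windows/Microsoft.NET/Framework/v4.0.30319/MSBuild.exe'),
     'url': 'https://api.telegram.org/bot1234567890:AAExampleTokenValue_0/sendDocument'},
    {'type': 'connection', 'image': win('C:/Program Files/Mozilla Firefox/firefox.exe'),
     'url': 'https://api.telegram.org/bot1234567890:AAExampleTokenValue_0/sendDocument'},
]

if __name__ == '__main__':
    for i, d in run_detections(SAMPLE_EVENTS):
        print(i, d)
```

The Telegram check deliberately keys on the image name rather than the URL alone: a browser or a legitimate bot client talking to api.telegram.org is routine, while svchost, MSBuild or InstallUtil doing so is the injected stealer exfiltrating. Each check returns the technique it matched, so the same functions can be wired to a rule engine or a Sigma-style test set.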
Additionally, it monitors running processes and logs keystrokes, making it a highly capable and well-rounded piece of malware.\r\nAs a curiosity, while I was collecting all the command lines it executes, as well as the registry entries and other locations it accesses, I noticed that the credit card regexes used by DarkCloud had been copied, in the same order, from a repository on GitHub (@michaelkeevildown).\r\nmichaelkeevildown Github\r\nI leave you with the compilation of interesting paths/logs/commands that I have put together based on the extracted samples.\r\nFeatures\r\nScreenshot\r\nKeylogger\r\nGet credentials\r\nGet Computer Name/Users\r\nMail Info\r\nIMAP/HTTP/SMTP/FTP/NNTP/POP3 Info\r\nPassword managers\r\nRouter info\r\nPaths/Files accessed\r\n\\Default\\Login Data\\\r\n\\User Data\\\r\n\\WebData\\\r\n\\Logins.json\r\n\\key3.db\r\n\\key4.db\r\n\\keyDBPath.db\r\n\\signons.sqlite\r\n\\keyDBPath.sqlite\r\nStorage\\\r\nmail\\\r\nData\\\r\n\\Accounts\\Account.rec0\r\n\\Accounts\\Account.tdat\r\n\\Account.stg\r\n\\Account.rec0\r\n\\Local State\r\n\\Microsoft\\Windows\\Templates\\\r\n\\accounts.xml\r\n\\recentservers.xml\r\n\\sitemanager.xml\r\nSoftware\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\\r\nSoftware\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\\r\nSoftware\\Microsoft\\Windows Messaging Subsystem\\Profiles\\\r\nSoftware\\FTPWare\\COREFTP\\Sites\r\nSoftware\\Martin Prikryl\\WinSCP 2\\Sessions\r\n\\Google\\Chrome\\User Data\r\n\\Opera Software\\Opera Stable\r\n\\Yandex\\YandexBrowser\\User Data\r\n\\360Chrome\\Chrome\\User Data\r\n\\Comodo\\Dragon\\User Data\r\n\\MapleStudio\\ChromePlus\\User Data\r\n\\BraveSoftware\\Brave-Browser\\User Data\r\n\\7Star\\7Star\\User Data\r\n\\CocCoc\\Browser\\User 
Data\r\n\\uCozMedia\\Uran\\User Data\r\n\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer\r\n\\CatalinaGroup\\Citrio\\User Data\r\n\\NETGATE Technologies\\BlackHawK\\Profiles\r\n\\8pecxstudios\\Cyberfox\\Profiles\r\nSoftware\r\nOutlook\r\nfoxmail\r\npidgin\r\nCoreFTP\r\nWinSCP\r\nFTPWare\r\nFileZilla\r\nChrome\r\nOpera\r\nYandex\r\n360Chrome\r\nComodo\r\nMapleStudio\r\nChromium\r\nTorch\r\nBrave\r\nIridium\r\n7Star\r\nAmigo\r\nCentBrowser\r\nChedot\r\nCocCoc\r\nElements Browser\r\nEpic Privacy Browser\r\nKometa\r\nOrbitum\r\nSputnik\r\nuCozMedia\r\nVivaldi\r\nFenrir Inc\r\nCitrio\r\nCoowon\r\nliebao\r\nQIP Surf\r\nMicrosoft Edge\r\nMozilla\r\nWaterfox\r\nK-Meleon\r\nThunderbird\r\nCyberfox\r\nBlackHawK (NetGate)\r\nRegex\r\nProto\r\n^([a-zA-Z0-9_\\-\\.]+)@([a-zA-Z0-9_\\-\\.]+)\\.([a-zA-Z]{2,5})$\r\n^(?!:\\/\\/)([a-zA-Z0-9-_]+\\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\\.[a-zA-Z]{2,11}?$\r\nAccounts (I don’t include more because you have them in the GitHub repository)\r\nAmex: ^3[47][0-9]{13}$\r\nBCGlobal: ^(6541|6556)[0-9]{12}$\r\nCarte Blanche Card: ^389[0-9]{11}$\r\n^3(?:0[0-5]|[68][0-9])[0-9]{11}$\r\n…\r\nQueries\r\nSELECT origin_url, username_value, password_value FROM logins\r\nSELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards\r\nSELECT origin_url, username_value, password_value, length(password_value) FROM logins\r\nSELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins\r\nSELECT item1 FROM metadata WHERE id = 'password';\r\nSELECT a11,length(a11) FROM nssPrivate\r\nSelect * from Win32_Process\r\nSelect * from Win32_LogicalDisk\r\nSelect * from Win32_ComputerSystem\r\nSELECT * FROM Win32_Processor\r\nRegKeys\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Foxmail.url.mailto\\Shell\\open\\command\\\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\r\nBlackList 
Process\r\nfiddler\r\nvxstream\r\ntcpview\r\nprocexp\r\nvmtools\r\nautoit\r\nwireshark\r\nprocmon\r\nidaq\r\nautoruns\r\napatedns\r\nwindbg\r\nPublic IP lookup\r\nhttp://showip.net\r\nhttp://www.mediacollege.com/internet/utilities/show-ip.shtml\r\n_Outro\r\nAfter the analysis, I checked what was going on in Telegram groups as well as in more exclusive groups. The truth is, they don’t have much activity or don’t present themselves as openly as other groups do. Moreover, there is quite a bit of confusion in the logs when differentiating between the botnet and the stealer, which appears in almost all forums.\r\nIt is interesting to see how many of the samples communicate via bots, making it relatively easy to find information about them.\r\nAdditionally, there are various tools that I use for these tasks which, although in my opinion they don’t need much introduction, I’ll list here for reference.\r\n@Gi7w0rm - Teletoken Web\r\n@0x6rss - Matkap Github \u0026 New Matkap in Web\r\nFinishing the analysis, I must say that I was surprised by the great variety of loaders I found for DarkCloud. It has been a challenge to unify all the versions I encountered into a coherent explanation, but it was truly interesting. 
I will continue working on the bot-related aspects to develop further analyses with a stronger focus on this area and gain deeper insight into the infrastructure used by those who deploy it.\r\nFinally, I would like to thank you for reading this analysis and for supporting me :)\r\n_Detection Opportunities\r\n[TA0005][T1036] Duplication of original files or loaders in temporary paths\r\n(WriteFile) C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\*.exe|.vbs\r\n(WriteFile) C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*.exe|.vbs\r\n(WriteFile) C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\*.exe|.vbs\r\n(WriteFile) C:\\Users\\Public\\*.exe|.cmd|.vbs\r\n[TA0003][T1547.001] Startup VBS loader created for persistence\r\n(WriteFile) C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\u003cRandName\u003e.vbs\r\n[TA0003][T1547.001] Registry RunOnce persistence\r\n(Registry) *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\n(ValueData) *\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\\u003cRandName\u003e.exe\r\n[TA0007][T1217] Queries to browser paths or third-party software to obtain information\r\n(Registry/Path query) \\Default\\Login Data\\ | \\User Data\\ | \\WebData\\ | \\Logins.json | \\key3.db | \\key4.db | \\ke\r\n[TA0011][T1071] Connection to Telegram bots from an uncommon process\r\nTake into account the injected processes mentioned before, or processes running from strange paths (Svchost, InstallUtil, MSBuild, the injected loader itself).\r\n(OutBound connection) https?:\\/\\/api\\.telegram\\.org\\/bot\\d+:[A-Za-z0-9_-]+\\/\r\n_TTP\r\n[TA0001][T1566.001] Spearphishing Attachment\r\n[TA0002][T1059] Command and Scripting Interpreter\r\n[TA0002][T1129] Shared Modules\r\n[TA0002][T1204] User Execution\r\n[TA0003][T1053] Scheduled Task/Job\r\n[TA0003][T1547.001] Registry Run Keys / Startup Folder\r\n[TA0005][T1027] Obfuscated Files or 
Information\r\n[TA0005][T1027.002] Software Packing\r\n[TA0005][T1036] Masquerading\r\n[TA0005][T1055] Process Injection\r\n[TA0005][T1140] Deobfuscate/Decode Files or Information\r\n[TA0005][T1497] Virtualization/Sandbox Evasion\r\n[TA0007][T1016] System Network Configuration Discovery\r\n[TA0007][T1033] System Owner/User Discovery\r\n[TA0007][T1057] Process Discovery\r\n[TA0007][T1082] System Information Discovery\r\n[TA0007][T1518] Software Discovery\r\n[TA0009][T1005] Data from Local System\r\n[TA0009][T1056.001] Keylogging\r\n[TA0009][T1113] Screen Capture\r\n[TA0009][T1114] Email Collection\r\n[TA0009][T1115] Clipboard Data\r\n[TA0009][T1560] Archive Collected Data\r\n[TA0011][T1071] Application Layer Protocol\r\n[TA0011][T1105] Ingress Tool Transfer\r\n_Some Any.Run samples\r\nhttps://app.any.run/tasks/f3c56abe-04b8-432a-8011-4135871daedc\r\nhttps://app.any.run/tasks/b3aa2be4-c06e-4bfc-a05a-00b6b5a32c88\r\nhttps://app.any.run/tasks/4e1b98c5-2d9d-4eca-80cf-42d7de800376\r\nhttps://app.any.run/tasks/a2aa4e72-1e7b-4819-8a85-77f5145b884b\r\nhttps://app.any.run/tasks/a36a7b27-c600-4512-92f8-a50e3b43b9f2\r\nhttps://app.any.run/tasks/62189938-c9aa-4faf-af83-6f34934fc0e0\r\nhttps://app.any.run/tasks/44386e5b-f252-4cd3-a759-9cea86266838\r\nhttps://app.any.run/tasks/358ae682-9667-4538-8e03-231f8b550c08\r\nhttps://app.any.run/tasks/53830d3d-1413-417e-bcc2-02266e731c1a\r\nhttps://app.any.run/tasks/1564deb3-8c01-4334-a392-3579ff05e5e7\r\nhttps://app.any.run/tasks/9f89708d-7f12-4fc0-9cb3-2c37bb40db63\r\nhttps://app.any.run/tasks/74e6dfbb-7997-416b-af72-276e06692a7c\r\nhttps://app.any.run/tasks/216ec201-b361-4b74-a063-0c7ed1736cbc\r\nhttps://app.any.run/tasks/6787a231-8ae4-40f6-b9b6-9b6f8c5fdc99\r\nhttps://app.any.run/tasks/ca51f009-cf34-4bc6-b382-69ea5165ca73\r\nhttps://app.any.run/tasks/7a152247-6048-4721-96cf-df6266638678\r\nhttps://app.any.run/tasks/e692ced4-8033-4021-943a-a7bbae338678\r\n_IOC\r\nI’m sorry 
because there is a lot, but I review many samples, and it is interesting to see how they have affected different websites in different parts of the world that host the first stage (the point where the loader downloads the sample).\r\n//SHA-256\r\n970791d129721273f0d53c1b4c352c689d3992ec3a236bfa5b4c39804821f64d\r\n20dc4ffc31f978e2c822878b11a4d59c3ad6da9898a7028d75d3c9079598de18\r\n5e45f400b15d22d484430e07d36c9b01eef5bc3069faa8c9fa8b1b88be93ef9a\r\necbdaea604f259a7535b32c7abcd25139af9b8abe04a45d24614212c9d8ea67c\r\n930715d4311f4b71e77c5baf6a90d5e9383dbb8d2557e8316054d4e46f019404\r\n8eed39069dfa0574b41e3e3f426809e29f9b108d5106670e07b2c1524085b6e6\r\n869ab9858bfbbb0e479ec4f2f3776ec952cdada4898e9f26d3322cb931c75cab\r\n78c596ef6b627c0210c528adda497162ef323dcb880edc19a1baa67c34e04906\r\n3477d3838f634d4e5489d7d16de56b91bf0bf31b32ac7e2dbccf657a24d487bc\r\n9687a5f5f5b2625642144b433b807c37f968ba696722c1c173a0d7d5ece4d0d9\r\n89b0fa84da8c99eed3aba8a931afb5a032ea0a47cb4b692a15e7b3aef7104ba8\r\nb07a092954cc148342cdd4725f5e9d487155d22b794b273dc874dcf5f144de4e\r\ne25450236e49bbb61e175e39eb46a2f3a1258e8ba8fe7a2c6d8b2f17e85cc167\r\nf18d276ce3ec088f6d446e409489bad5c9b613d6c1f10a6538724749c7cf2af6\r\n73ea9482307e2db84538256bcee3a207fbc8bf512715316c82f3b4cebe46d8b1\r\nd148996c99c0e59c40792ce17a1531480168eb0e05d015ddd6f0fed9ce9478e5\r\nd59dbca0d404218e0f1729294f30c85d7f61b6e28cc7872d8ce1afb94cb3be42\r\naa653ad0d107b2d7ab98d4ede0eef147b73fbd7eb2f522f0bf608f833daebe34\r\n688c929b7be5c31a2a5410394024f9dea1bcfc62af0c24237d2b23b8fea70055\r\n80742a25d1550dd0f7ccb299672a5d9de889f57c0e53e3e8eea0e50d6b7ae33b\r\nb7d2a499355e0ff23ee3abd5dcf62b27bfa1a993cb8e53b8a0600c0e4d4e4c56\r\n093f9c611518f42f00826d8134b4860080b690678b27a469a33a529f7706b87f\r\ndda65ed23373504099b4ef1fd883eca088c8664db398909dda87af9d4a02bdf1\r\na23430fb24ff7cf5506c58a46a33a1572a5c724fd9b4e0e88228584f6ec6001e\r\n250fa7da2da2ff7e1e1f7e3bb2ff9ae8b363facb00973455e9fe1900e6195c41\r\n8306710e0292b8c88b537bf427a9d651cfdf4d86ad2f7690b47f766b4354faaa\r\n45b104579f856aba3d99b5370360240a3f9f95b82969e3f7ba12c14b0d7abb7f\r\n7c8bcd4345ec5eb572bf25a4831ebf09c98bc92c0847662fd68f7cfefce4a27f\r\nafce524a6ff12252be335bfa95209bc37ca8de86e45b2c34634cc6223fe83263\r\n8616ff3374bcb45c5eda66c11ffa3fbef9e7e00e2ad21e752c10bf94bdd7a28d\r\ndb03cf79dd756e39c7036b3541c2b560b4b3a7f0ccd4b896de47ba743745726d\r\nb4bb90f3a33ac5c78672efc80987f80e0885753b8559bf1d258acf99d04dfd1b\r\nb2fe3bf20cb54f650d4b191315cf9247b653a5c3552f9f3d6598990b58139114\r\ndd12a49d57b0dbc1acbfc1493529128a8c9017835a5a008397be8ba2641cbfee\r\n9726f460c40a7274eb35203cec6400f3d3de9dcf5e841ffc78bec26057cc2d6e\r\n782529daacf0b40364707f5b98f01b13a2a5f3d2b48fee351723495affc03940\r\n//IP addresses\r\n196[.]251[.]92[.]64\r\n144[.]91[.]79[.]54\r\n87[.]120[.]120[.]56\r\n161[.]132[.]98[.]130\r\n165[.]154[.]217[.]184\r\n204[.]44[.]192[.]90\r\n190[.]171[.]170[.]94\r\n176[.]65[.]144[.]3\r\n//Affected websites\r\nkrupasindhudevelopers[.]com\r\nwww[.]arandelasespeciales[.]com\r\nalcomax[.]com[.]co\r\ntoyscenter[.]cl\r\ncenturyharvestlink[.]com\r\ngugaequiposyservicios[.]com[.]mx\r\nhngandpartners[.]com\r\nSource: https://rexorvc0.com/2025/03/31/DarkCloud/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://rexorvc0.com/2025/03/31/DarkCloud/"
	],
	"report_names": [
		"DarkCloud"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434515,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a9608be95d64f2a3b6a6971e2f2a7f8621cc2c0.pdf",
		"text": "https://archive.orkl.eu/3a9608be95d64f2a3b6a6971e2f2a7f8621cc2c0.txt",
		"img": "https://archive.orkl.eu/3a9608be95d64f2a3b6a6971e2f2a7f8621cc2c0.jpg"
	}
}