{
	"id": "c46996bc-afcc-4328-afdb-3f67b1c42771",
	"created_at": "2026-04-06T00:09:19.442986Z",
	"updated_at": "2026-04-10T13:12:50.789473Z",
	"deleted_at": null,
	"sha1_hash": "976f643175481553827b2eb243f37997af9e3120",
	"title": "DarkCloud Infostealer Being Distributed via Spam Emails",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2294833,
	"plain_text": "DarkCloud Infostealer Being Distributed via Spam Emails\r\nBy ATCP\r\nPublished: 2023-05-16 · Archived: 2026-04-05 22:51:41 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently discovered the DarkCloud malware being distributed via spam email. DarkCloud is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud.\r\n1. Distribution Method\r\nThe threat actor sent the following email to induce users to download and execute the attachment.\r\nhttps://asec.ahnlab.com/en/53128/\r\nPage 1 of 7\r\nThe contents of this email prompt users to check the attached copy of a payment statement supposedly sent to the company account. When the attachment is uncompressed, users are likely to execute the contained malware because it is disguised with a PDF icon.\r\nThe file attached to the email is a dropper responsible for generating and executing DarkCloud and ClipBanker. If a user decompresses and executes the attachment, the account credentials present on the infected system can be stolen. Additionally, if the user copies a cryptocurrency wallet address to the clipboard, it may be replaced with the threat actor’s address, so that funds are sent to the threat actor’s wallet during the transaction.\r\n2. Malware Attachment\r\nThe file attached to the email is a dropper that first copies itself to %APPDATA%\\Zwldpcobpfq\\Gdktpnpm.exe and then registers that path in the Run key so that it keeps running after a reboot. Afterward, it generates and executes two separate malware files in the %TEMP% path.\r\n2.1. ClipBanker\r\n“Lilgghom.exe”, the first file generated and executed, is the ClipBanker. ClipBanker resides on the system and, when the user copies a Bitcoin or Ethereum cryptocurrency wallet address, replaces it with the threat actor’s wallet address.\r\n
A coin wallet address has a fixed form, but it is hard to memorize because the string is long and complicated, so users typically copy and paste the address when using it. If the address on the clipboard is changed at this point, a user who intends to deposit money to a certain wallet ends up depositing it to the attacker’s wallet instead.\r\nThe ClipBanker used in the attack was created under the name “Get Cliboard Address.exe” and monitors the clipboard. When an entry matching one of the following regular expressions is saved, it is changed to the wallet address defined by the threat actor.\r\nBitcoin: “(?\u003c!\\w)[a-zA-Z0-9]{34}(?!\\w)”\r\nEthereum: “(?\u003c!\\w)0x[a-zA-Z0-9]{40}(?!\\w)”\r\nMonero: “(?\u003c!\\w)[a-zA-Z0-9]{95}(?!\\w)”\r\nAdditionally, “Get Cliboard Address.exe” supports various features according to its configuration.\r\nConfiguration | Description | Data\r\nB | Replacement Bitcoin wallet address | bc1q462me7gxcwh0xgsja7x808a9zgr6vjmx7rt9km\r\nE | Replacement Ethereum wallet address | 0x006Cb3C0469040e84f2D12a8aec59c34CE00aa31\r\nX | Replacement Monero wallet address | N/A\r\nStartup | Copy to the Startup folder | True\r\nREG | Register to the Run key | False\r\nSHORTCUT | Create a shortcut in the Startup folder | False\r\nTable 1. Configurations provided by ClipBanker\r\n2.2. DarkCloud\r\nThe malware “Ckpomlg.exe”, generated and executed next, functions as an Infostealer responsible for collecting and stealing various user credentials stored on the infected system. Unlike most malware recently seen in distribution, it was developed in VB6.\r\nLike the average Infostealer, DarkCloud steals account credentials that users have saved in web browsers, FTP clients, and email clients.\r\n
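The clipboard-swap logic of section 2.1, as an added example that is not part of the ASEC post and not the malware’s own code: the three regular expressions and the two replacement addresses from Table 1 are applied to constructed clipboard contents. The `\\w` class is written out as `[A-Za-z0-9_]` so the block carries no backslash escapes, and applying every rule in turn to the copied text is an assumption about the sample, which the post does not describe at that level.

```python
import re

# Written-out ASCII form of the `\\w` class used in the three regexes of section 2.1
# (kept free of backslashes; Python's own class would also admit Unicode letters).
W = '[A-Za-z0-9_]'

# (rule name, regex from the post, replacement address from Table 1). Monero has no
# address configured (N/A), so that rule never rewrites anything.
CLIPBANKER_RULES = [
    ('Bitcoin',  re.compile('(?<!' + W + ')[a-zA-Z0-9]{34}(?!' + W + ')'),
     'bc1q462me7gxcwh0xgsja7x808a9zgr6vjmx7rt9km'),
    ('Ethereum', re.compile('(?<!' + W + ')0x[a-zA-Z0-9]{40}(?!' + W + ')'),
     '0x006Cb3C0469040e84f2D12a8aec59c34CE00aa31'),
    ('Monero',   re.compile('(?<!' + W + ')[a-zA-Z0-9]{95}(?!' + W + ')'),
     None),
]


def swap_clipboard(text):
    '''Model of the clipboard monitor: each rule is applied in turn to the copied
    text (assumption: the real sample's ordering is not described in the post).
    Returns (names of the rules that fired, resulting clipboard text).'''
    fired = []
    for name, pattern, replacement in CLIPBANKER_RULES:
        if replacement is None or not pattern.search(text):
            continue
        fired.append(name)
        text = pattern.sub(replacement, text)
    return fired, text


# Constructed clipboard contents (not from the post): a 34-character legacy-format
# Bitcoin address, a 42-character bech32 address, an Ethereum address, an address
# pasted inside a sentence, a 34-character order number that is not an address at
# all, and plain text.
SAMPLE_CLIPBOARD = [
    '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2',
    'bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq',
    '0xAbCdEf0123456789aBcDeF0123456789AbCdEf01',
    'Please pay 0.5 BTC to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 by Friday',
    'ORDER' + '0' * 28 + '1',
    'quarterly report draft v3',
]


def run_samples(samples=SAMPLE_CLIPBOARD):
    '''Return {original clipboard text: rule names that fired} for each sample.'''
    return {sample: swap_clipboard(sample)[0] for sample in samples}


if __name__ == '__main__':
    for sample, fired in run_samples().items():
        print(fired or ['no rule'], '<-', sample)
```

Counting characters explains the results. The Bitcoin rule only matches 34-character tokens, the length of legacy 1…/3… addresses, while the replacement bc1q… address from Table 1 is 42 characters long, so a victim who copies a bech32 address is not affected, and the attacker’s own address would not match the rule that plants it. The character class is also wider than base58, so any 34-character alphanumeric token, such as the order number in the sample list, is rewritten into the attacker’s Bitcoin address; a clipboard that silently turns such identifiers into bc1q… strings is a clear sign of a swapper.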
DarkCloud is also similar to other Infostealers such as AgentTesla and SnakeKeylogger in that it uses SMTP or the Telegram API to send the collected information to the C\u0026C server.\r\nThe SMTP account used by the DarkCloud sample analyzed in this post can no longer be logged into, because the threat actor’s SMTP credentials have been changed. However, an AgentTesla sample that used the same email account in the past suggests that the threat actor has used not only DarkCloud but also the AgentTesla Infostealer in their spam email campaigns.\r\nHost: logxtai[.]shop\r\nUser: sender-a3@logxtai[.]shop\r\nPassword: f9;2H%A)IpgE\r\nReceiver: ambulancelog@logxtai[.]shop\r\nDarkCloud carries “vbsqlite3.dll”, which it needs to collect account credentials, in its resource section; the DLL is written to the “%PUBLIC%\\Libraries” path and loaded from there while DarkCloud is running.\r\nAccount credentials are exfiltrated from Chromium- and Firefox-based web browsers, email clients such as Outlook, Thunderbird, and Foxmail, and FTP clients such as Core FTP and WinSCP. Other user information can be stolen as well, such as credit card information stored in browsers.\r\nThe stolen information is stored in a folder created under the “%PUBLIC%\\Libraries” path. As shown below, the signature string “DARKCLOUD” can be seen in the stolen data.\r\nThe DarkCloud analyzed here uses both the SMTP protocol and the Telegram API to exfiltrate the collected information.\r\n3. Conclusion\r\nUsers must practice strict caution when handling attachments in emails from unknown sources and executables downloaded from the web.\r\n
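The indicators quoted in this post, turned into a small log triage scan as an added example (not ASEC’s code and not part of the original post). The constructed Sysmon-style records below, with an invented user name, attachment name and client address, stand in for telemetry from one infected host; they are matched against the dropper path, the Run key registration, the two %TEMP% payloads, the vbsqlite3.dll drop in %PUBLIC%\\Libraries, the SMTP host and the Telegram bot URL from the analysis and the IOC list. The post does not say which of its three MD5s belongs to which file, so the sample reuses the first one for the downloaded attachment and the hash rule simply checks membership in the set.

```python
import re

# Host and network indicators quoted from the post. Each rule lists lower-case
# substrings that must all be present in one normalised log line.
INDICATORS = [
    ('dropper_path',        ('zwldpcobpfq/gdktpnpm.exe',)),
    ('run_key_persistence', ('currentversion/run', 'gdktpnpm.exe')),
    ('clipbanker_in_temp',  ('/temp/lilgghom.exe',)),
    ('darkcloud_in_temp',   ('/temp/ckpomlg.exe',)),
    ('vbsqlite3_drop',      ('public/libraries/vbsqlite3.dll',)),
    ('telegram_bot_exfil',  ('api.telegram.org/bot5520455072:',)),
    ('smtp_exfil_host',     ('logxtai.shop',)),
]
KNOWN_MD5 = {
    '7c4f98ca98139d4519dc1975069b1e9f',
    '9441cdbed94f0fd5b20999d8e2424ce4',
    '991a8bd00693269536d91b4797b7b42b',
}


def normalise(line):
    '''Lower-case the line and turn backslashes (chr(92)) into single forward
    slashes so one rule matches Sysmon, EDR and proxy exports alike.'''
    return re.sub('/+', '/', line.lower().replace(chr(92), '/'))


def scan(lines):
    '''Return (line_number, rule_name) for every indicator hit, in line order.'''
    hits = []
    for number, raw in enumerate(lines, start=1):
        line = normalise(raw)
        for name, needles in INDICATORS:
            if all(needle in line for needle in needles):
                hits.append((number, name))
        for digest in re.findall('md5=([0-9a-f]{32})', line):
            if digest in KNOWN_MD5:
                hits.append((number, 'known_md5'))
    return hits


# Constructed Sysmon-style records for one infected host (not real telemetry).
# The user, the attachment name and the client IP are invented; the post does not
# say which MD5 belongs to which file, so the first listed hash is reused here.
SAMPLE_LOG = [
    'EventID=1 Image=C:\\Users\\alice\\Downloads\\payment_statement.exe Hashes=MD5=7C4F98CA98139D4519DC1975069B1E9F',
    'EventID=11 Image=C:\\Users\\alice\\Downloads\\payment_statement.exe TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Zwldpcobpfq\\Gdktpnpm.exe',
    'EventID=13 Image=C:\\Users\\alice\\AppData\\Roaming\\Zwldpcobpfq\\Gdktpnpm.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Gdktpnpm Details=C:\\Users\\alice\\AppData\\Roaming\\Zwldpcobpfq\\Gdktpnpm.exe',
    'EventID=1 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\Lilgghom.exe ParentImage=C:\\Users\\alice\\AppData\\Roaming\\Zwldpcobpfq\\Gdktpnpm.exe',
    'EventID=1 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\Ckpomlg.exe ParentImage=C:\\Users\\alice\\AppData\\Roaming\\Zwldpcobpfq\\Gdktpnpm.exe',
    'EventID=11 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\Ckpomlg.exe TargetFilename=C:\\Users\\Public\\Libraries\\vbsqlite3.dll',
    'EventID=3 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\Ckpomlg.exe DestinationHostname=logxtai.shop DestinationPort=587',
    'proxy POST https://api.telegram.org/bot5520455072:AAHt-MFGFCUL3S_w3BTtc7meWUZSJFJduq0/sendMessage client=10.0.0.21',
    'EventID=1 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe ParentImage=C:\\Windows\\explorer.exe',
]


def triage(lines=SAMPLE_LOG):
    '''Group hits by rule so an analyst sees the chain: drop, persist, spawn, exfil.'''
    grouped = {}
    for number, name in scan(lines):
        grouped.setdefault(name, []).append(number)
    return grouped


if __name__ == '__main__':
    for name, numbers in triage().items():
        print(name, '-> lines', numbers)
```

The random-looking folder and file names (Zwldpcobpfq, Gdktpnpm.exe, Lilgghom.exe, Ckpomlg.exe) may differ between samples, so treat those rules as weak and lean on the structural ones: a Run key value pointing into %APPDATA%, vbsqlite3.dll appearing under %PUBLIC%\\Libraries, and outbound SMTP or api.telegram.org traffic from an executable in %TEMP%. The Telegram rule keys on the numeric bot id rather than the full token, since the secret part of a bot token can be regenerated while the id in front of the colon stays the same.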
Software, including utility programs and games, should be downloaded from the official websites.\r\nUsers should also apply the latest patches for operating systems and programs such as web browsers, and update V3 to the latest version to prevent malware infection in advance.\r\nFile Detection\r\n– Trojan/Win.Generic.C5416010 (2023.04.21.01)\r\n– Trojan/Win.Generic.R578585 (2023.05.16.02)\r\n– Malware/Win32.RL_Generic.C4250411 (2020.12.04.01)\r\nBehavior Detection\r\n– Infostealer/MDP.Behavior.M1965\r\nMD5\r\n7c4f98ca98139d4519dc1975069b1e9f\r\n9441cdbed94f0fd5b20999d8e2424ce4\r\n991a8bd00693269536d91b4797b7b42b\r\nURL\r\nhttps[:]//api[.]telegram[.]org/bot5520455072[:]AAHt-MFGFCUL3S_w3BTtc7meWUZSJFJduq0/sendMessage\r\nAdditional IOCs are available on AhnLab TIP. Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/53128/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/53128/"
	],
	"report_names": [
		"53128"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434159,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/976f643175481553827b2eb243f37997af9e3120.pdf",
		"text": "https://archive.orkl.eu/976f643175481553827b2eb243f37997af9e3120.txt",
		"img": "https://archive.orkl.eu/976f643175481553827b2eb243f37997af9e3120.jpg"
	}
}