A sophisticated cyber campaign leveraging the DarkCloud information stealer has targeted Spanish organizations across multiple critical sectors since early April 2025. The malware, distributed via weaponized .TAR archives embedded in phishing emails, exploits billing-themed lures to compromise technology, legal, financial, and government entities. Upon extraction, the archive deploys a DarkCloud binary designed to harvest credentials, cryptocurrency wallets, and sensitive documents.

Broadcom analysts identified the campaign’s broad sectoral impact, noting its tailored social engineering approach: the lures impersonate a legitimate Spanish skiing equipment vendor. This represents an escalation in DarkCloud’s activity since its initial emergence in 2022, with attackers refining their evasion techniques to bypass traditional security measures.

The .TAR archive acts as a container for a heavily obfuscated executable that drops three components: a configuration file defining exfiltration endpoints, a DLL implementing credential-grabbing routines, and a watchdog process ensuring persistence. Its modular design enables selective data exfiltration through SMTP, FTP, and Telegram APIs while employing anti-analysis checks to hinder reverse engineering. These anti-analysis checks run before the stealer’s primary payload, which modifies the registry to establish autostart entries.

DarkCloud’s technical capabilities align with advanced commodity stealers, including browser credential extraction from Chrome, Opera, and Yandex, clipboard monitoring, and wallet address hijacking for cryptocurrencies like Bitcoin and Ethereum. DarkCloud then performs targeted file searches for documents (.pdf, .xlsx) and cryptocurrency wallet.dat files, compressing them into password-protected .ZIP archives for exfiltration.

Symantec’s countermeasures, including the Heur.AdvML.B machine learning model and signature-based Trojan.Gen.MBT detection, currently intercept payload execution. The campaign nonetheless underscores the need for enhanced email security protocols to flag .TAR files from untrusted sources, particularly in multilingual organizational environments.
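As an added example (not code from the original article or from Symantec’s tooling), the check below shows what a mail gateway could do with an untrusted .TAR attachment: read its members in memory and flag PE content, executable extensions, and a mismatch between the two. The sample archive and its member names are constructed for this example.

```python
import io
import tarfile

# DOS/PE header every Windows executable starts with, and extensions a mail
# gateway should never accept from an untrusted sender.
PE_MAGIC = b"MZ"
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}

def inspect_tar(data: bytes) -> dict:
    """Map each suspicious member name to the reasons it was flagged.
    Flags PE content, executable extensions, and extensions that lie about
    the content (a "factura.pdf" that is really a PE file). Nothing touches
    disk: members are read straight from the in-memory archive."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            reasons = []
            name = member.name.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if member.isfile():
                head = tar.extractfile(member).read(len(PE_MAGIC))
                if head == PE_MAGIC:
                    reasons.append("PE header (MZ) in content")
                    if ext not in EXEC_EXTENSIONS:
                        reasons.append(f"extension {ext or '(none)'} hides executable content")
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if member.name.startswith("/") or ".." in member.name.split("/"):
                reasons.append("path traversal in member name")
            if reasons:
                findings[member.name] = reasons
    return findings

def build_sample_tar() -> bytes:
    """Constructed sample: one benign PDF beside two disguised PE files.
    Member names are invented for this example, not campaign indicators."""
    members = {
        "Factura_abril.pdf": b"%PDF-1.4\n%benign placeholder document\n",
        "Factura_0425.pdf.exe": PE_MAGIC + b"\x00" * 62,  # double extension
        "recibo.pdf": PE_MAGIC + b"\x90" * 62,  # PE hiding behind .pdf
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

Any member that comes back in the findings map is a reason to quarantine the whole attachment rather than deliver it; the benign PDF alone produces no findings.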
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Apr 2025 15:45:25 +0000