A newly uncovered spear-phishing campaign is deploying DarkCloud, a sophisticated modular malware suite, in an effort to harvest keystrokes, FTP credentials, and system metadata from targeted victims.
Over the past month, threat actors have been sending emails that imitate legitimate software updates or corporate invoices. These messages carry a Microsoft Word document attachment that, when opened with macros enabled, triggers a multi-stage infection chain.
The attack starts when a user enables macros in the document. Inside is a hidden Visual Basic for Applications (VBA) script that connects to a command and control (C2) server and downloads the DarkCloud loader. The loader is designed to operate in memory, avoiding traditional disk-based indicators and making forensic detection more difficult.
DarkCloud’s loader also includes anti-analysis checks: it looks for virtual machine artifacts or sandbox environments and may delay execution or abort if such analysis tools are detected. Once active, the loader injects a dynamic-link library into standard system processes (e.g. explorer.exe, svchost.exe) and hooks keyboard-input APIs to log typed input, including credentials entered into FTP clients.
Stolen data is encrypted with a custom XOR routine and exfiltrated under the cover of HTTPS traffic, blending with normal network flows. Beyond credential theft, DarkCloud collects system information (running processes, installed software, open network sessions) to tailor subsequent plugin deployment, such as remote file exfiltration or screen capture modules.
Because DarkCloud operates modularly and primarily in memory, it minimizes its footprint on disk and complicates traditional detection methods. The campaign’s operators have been observed switching modules dynamically based on operational needs and reconnaissance feedback.
Security analysts cite eSentire’s work in identifying its core keylogging module hours after detection, underscoring the advanced nature of the threat. The loader’s ability to evade sandboxing and disguise its traffic patterns makes it especially dangerous for high-value targets.
Security teams are urged to monitor for anomalous HTTPS sessions to unfamiliar hosts and use behavior-based detection tools that can surface system API hook injections. Employing endpoint behavioral analytics, robust EDR (Endpoint Detection and Response) systems, and continuous threat intelligence sharing is essential to preempt DarkCloud’s evolving tactics.
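One way to act on the first recommendation, as an added illustration that is not part of the original report: a small triage script that reads proxy log lines, ignores hosts in a known-good baseline, and flags the remaining destinations, marking those contacted at regular intervals as beacon-like. The log format, host names, IPs and thresholds are constructed for this example.

```python
"""Flag HTTPS sessions to unfamiliar hosts in proxy logs (constructed example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: timestamp, source IP, destination host, bytes sent.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z 10.0.0.12 login.microsoftonline.com 1820
2024-05-01T09:01:11Z 10.0.0.12 cdn.update-host.example 4210
2024-05-01T09:11:10Z 10.0.0.12 cdn.update-host.example 4198
2024-05-01T09:21:12Z 10.0.0.12 cdn.update-host.example 4233
2024-05-01T09:31:09Z 10.0.0.12 cdn.update-host.example 4205
2024-05-01T09:35:40Z 10.0.0.12 outlook.office365.com 950
2024-05-01T10:02:30Z 10.0.0.7 files.example.net 120
"""

# Hypothetical baseline of hosts the organisation is known to talk to.
KNOWN_HOSTS = {"login.microsoftonline.com", "outlook.office365.com"}


def parse_log(text):
    """Yield (timestamp, src_ip, host, bytes_sent) tuples from the constructed format."""
    for line in text.splitlines():
        ts, src, host, sent = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, host, int(sent)


def find_suspicious(text, known_hosts, min_sessions=3, max_jitter=0.2):
    """Return {(src, host): summary} for every unfamiliar host.

    A pair is marked beacon-like when it has at least min_sessions sessions and the
    spread of the inter-session gaps (std dev / mean) is at most max_jitter.
    """
    by_pair = defaultdict(list)
    for ts, src, host, sent in parse_log(text):
        if host not in known_hosts:
            by_pair[(src, host)].append((ts, sent))
    findings = {}
    for pair, events in by_pair.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        regular = (len(events) >= min_sessions and mean(gaps) > 0
                   and pstdev(gaps) / mean(gaps) <= max_jitter)
        findings[pair] = {"sessions": len(events),
                          "bytes_out": sum(s for _, s in events),
                          "beaconing": regular}
    return findings
```

Unknown hosts with a single session are still listed so an analyst can review them, but only the regularly timed one is flagged as beacon-like.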
Training users to avoid enabling macros and reinforcing strict email attachment policies also remain critical. When dealing with highly targeted campaigns like this, human vigilance plus technical safeguards offer the best defense.