- $30 DarkCloud info stealer silently harvests credentials in browsers and enterprise software
- Legacy Visual Basic code is unexpectedly helping malware evade some modern detection tools
- Cheap Credential Theft Tools Are Increasingly Leading to Early-Stage Compromise of Corporate Networks
Low-cost malware tools are increasingly available on the dark web and offer credential theft capabilities to people with limited technical knowledge.
Security researchers at Flashpoint recently analyzed a strain of malware known as DarkCloud, which has been circulating through Telegram channels and public stores since around 2022.
Available for about $30, less than the price of many console games, the tool performs large-scale credential harvesting, and the stolen information can include browser logins, cookies, financial data, and contact information from email applications.
Cheap infostealers lower the barrier to cybercrime
DarkCloud is advertised as surveillance software on public listings, although its internal functionality focuses on extracting credentials and sensitive data from infected machines.
Researchers say this type of infostealer has become a frequent entry point into corporate networks, where the compromised credentials often lead to deeper intrusion.
An unusual aspect of DarkCloud is its use of the outdated Visual Basic 6.0 programming environment, as the malware payload is written in this legacy language before being compiled into a native executable.
Visual Basic 6.0 is based on older runtime components that still work on modern Windows systems, and according to Flashpoint analysts, this design choice may reduce detection rates in some security tools because many detection systems focus on more modern development frameworks.
The malware also uses multiple layers of encryption and string obfuscation, which complicates reverse engineering and static analysis.
The internal strings remain encrypted until runtime, when a deterministic pseudorandom generator reconstructs them.
These techniques do not rely on novel cryptography; they instead exploit predictable behaviors within legacy programming environments.
DarkCloud focuses on collecting credentials and application data from a wide range of software, extracting information from web browsers, email clients, file transfer programs and various communication tools.
The collected data is stored locally within directories created in the Windows templates path.
One directory contains copied database files, while another contains parsed information written in clear text format.
This staging arrangement lets the malware assemble structured logs before transmitting them externally.
The tool supports several methods to transmit stolen information.
These include sending email via SMTP, uploading files to FTP servers, posting to Telegram channels, and direct HTTP uploads.
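The two behaviours just described, files staged under the Windows templates path and outbound traffic over SMTP, FTP, Telegram or HTTP, are both observable in endpoint telemetry. The following detection pass is an added example, not code from the article or from Flashpoint: it reads constructed Sysmon-style file-create (EventID 11) and network-connect (EventID 3) records and flags writes under the per-user Templates folder, mail/FTP connections from processes that are not known mail or FTP clients, contact with the Telegram API, and, most usefully, a single process that does both. The Templates path (`%APPDATA%\Microsoft\Windows\Templates`), the allow-list of expected mail/FTP clients and all sample records are assumptions constructed for the example.

```python
"""Added example (not from the article or the Flashpoint report): flag
infostealer-style staging and exfiltration in Sysmon-style event records."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: "the Windows templates path" is the per-user CSIDL_TEMPLATES
# folder, %APPDATA%\Microsoft\Windows\Templates. Adjust to your telemetry.
TEMPLATES_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\", re.IGNORECASE)
# Ports of the channels the article lists (HTTP/HTTPS are too noisy to flag
# alone, so they only count in the staging + connection correlation below).
MAIL_FTP_PORTS = {25, 465, 587, 21}
TELEGRAM_HOSTS = {"api.telegram.org"}
# Constructed allow-list: processes for which SMTP/FTP traffic is expected.
EXPECTED_MAIL_FTP = {"outlook.exe", "thunderbird.exe", "filezilla.exe", "winscp.exe"}
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse a Key="Value" record into a dict (values may contain spaces)."""
    return dict(KV_RE.findall(line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Return findings for the per-event rules plus the stage-then-exfil correlation."""
    findings = []
    staged = defaultdict(int)       # image path -> files written under Templates
    connected = defaultdict(set)    # image path -> (host, port) destinations
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "")
        name = basename(image)
        if ev.get("EventID") == "11":                       # FileCreate
            target = ev.get("TargetFilename", "")
            if TEMPLATES_RE.search(target):
                staged[image] += 1
                findings.append(Finding("staging_in_templates_dir", name, target))
        elif ev.get("EventID") == "3":                      # NetworkConnect
            port = int(ev.get("DestinationPort", "0"))
            host = ev.get("DestinationHostname", "").lower()
            connected[image].add((host, port))
            if port in MAIL_FTP_PORTS and name not in EXPECTED_MAIL_FTP:
                findings.append(Finding("mail_or_ftp_from_unexpected_process", name, f"{host}:{port}"))
            if host in TELEGRAM_HOSTS and name != "telegram.exe":
                findings.append(Finding("telegram_api_contact", name, f"{host}:{port}"))
    # Correlation: the same process wrote into the Templates folder and then
    # made any outbound connection (including plain HTTP/HTTPS uploads).
    for image, count in staged.items():
        if connected.get(image):
            dests = ", ".join(f"{h}:{p}" for h, p in sorted(connected[image]))
            findings.append(Finding("stage_then_exfil", basename(image),
                                    f"{count} file(s) staged, then connected to {dests}"))
    return findings


# Constructed sample records (documentation IP range, fictitious paths).
SAMPLE_EVENTS = [
    'EventID="11" Image="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" '
    'TargetFilename="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\db\\Login Data"',
    'EventID="11" Image="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" '
    'TargetFilename="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\parsed\\browsers.txt"',
    'EventID="3" Image="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" '
    'DestinationIp="203.0.113.10" DestinationPort="587" DestinationHostname="mail.example.net"',
    'EventID="3" Image="C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe" '
    'DestinationIp="203.0.113.20" DestinationPort="587" DestinationHostname="mail.example.net"',
    'EventID="11" Image="C:\\Windows\\explorer.exe" TargetFilename="C:\\Users\\alice\\Documents\\notes.txt"',
    'EventID="3" Image="C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe" '
    'DestinationIp="203.0.113.30" DestinationPort="443" DestinationHostname="api.telegram.org"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

Run against the sample, the thunderbird.exe SMTP connection and the explorer.exe file write produce nothing, while update.exe raises the staging and mail rules and then the combined stage_then_exfil finding, which is the one worth paging on; the per-event rules on their own are better treated as hunting leads than alerts.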
Because compromised credentials often allow lateral movement within networks, attackers can subsequently deploy ransomware, initiate phishing operations, or maintain persistent access.
Even basic endpoint protection or a properly configured firewall can struggle to detect this activity when the malware exfiltrates over legitimate protocols.
Therefore, security teams often rely on layered controls, including credential monitoring and incident response procedures along with malware removal tools.
The continued circulation of low-cost infostealers suggests that a low cost of entry, rather than technical sophistication, increasingly drives early-stage network compromise.