- $30 DarkCloud infostealer quietly harvests credentials on browsers and enterprise software
- Legacy Visual Basic code unexpectedly helps malware evade some modern detection tools
- Cheap credential theft tools are increasingly causing early compromises on corporate networks.
Low-cost malware tools are increasingly available on the dark web, providing credential theft capabilities to people with limited technical knowledge.
Security researchers at Flashpoint recently analyzed a strain of malware known as DarkCloud, which has been circulating through Telegram channels and public storefronts since around 2022.
Available for around $30, less than the price of many console games, the tool performs credential harvesting on a large scale, with stolen information potentially including browser logins, cookies, financial data and contact information from messaging apps.
Cheap information stealers that reduce barriers to cybercrime
DarkCloud presents itself as monitoring software in public listings, although its internal functionality focuses on extracting credentials and sensitive data from infected machines.
Researchers say this type of information stealer has become a frequent entry point into corporate networks, where compromised credentials often lead to deeper intrusion.
An unusual aspect of DarkCloud is its use of the outdated Visual Basic 6.0 programming environment, as the malware payload is written in this older language before being compiled into a native executable.
Visual Basic 6.0 relies on older runtime components that still work on modern Windows systems – and according to Flashpoint analysts, this design choice may reduce detection rates in some security tools because many detection systems focus on more modern development frameworks.
The malware also uses multiple layers of encryption and string obfuscation, making reverse engineering and static analysis difficult.
The internal strings remain encrypted until runtime, when a seeded pseudo-random generator deterministically reconstructs them.
These techniques do not rely on new cryptography, but rather exploit predictable behaviors within existing programming environments.
DarkCloud focuses on collecting credentials and application data from a wide range of software, extracting information from web browsers, email clients, file transfer programs, and several communications tools.
The collected data is stored locally in directories created under the Windows templates path.
One directory contains the copied database files, while another contains parsed information written in unencrypted text format.
This intermediary system allows the malware to assemble structured logs before transmitting them externally.
The tool supports multiple methods of transmitting stolen information.
These include email transmission via SMTP, file transfer using FTP servers, communication via Telegram channels and direct HTTP downloads.
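The staging-then-exfiltration pattern described above can be turned into a simple host-side correlation: flag a process that writes under the user's Templates folder and then opens a connection over one of the listed channels. This is an added example, not code from the article or from Flashpoint; the event format, the sample events and the assumption that the Templates folder sits under %APPDATA%\Microsoft\Windows\Templates are all constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed location of the per-user Windows Templates shell folder.
TEMPLATES_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\", re.IGNORECASE)
EXFIL_PORTS = {25: "smtp", 465: "smtps", 587: "smtp-submission", 21: "ftp"}
TELEGRAM_HOST = "api.telegram.org"

def classify_exfil(evt):
    """Name the suspected exfiltration channel of a network event, or None."""
    host = (evt.get("dst_host") or "").lower()
    port = evt.get("dst_port")
    if host == TELEGRAM_HOST:
        return "telegram"
    if port in EXFIL_PORTS:
        return EXFIL_PORTS[port]
    if port in (80, 443) and evt.get("method") == "POST":
        return "http-post"
    return None

def correlate(events):
    """Report processes that staged files under Templates and then connected
    out over an exfil-style channel (Office writing Normal.dotm stays quiet)."""
    staged = defaultdict(list)  # pid -> paths written under Templates
    alerts = []
    for evt in sorted(events, key=lambda e: e["ts"]):
        pid = evt["pid"]
        if evt["type"] == "file_create" and TEMPLATES_RE.search(evt["path"]):
            staged[pid].append(evt["path"])
        elif evt["type"] == "net_connect" and pid in staged:
            channel = classify_exfil(evt)
            if channel:
                alerts.append({"pid": pid, "image": evt["image"],
                               "channel": channel, "staged": list(staged[pid])})
    return alerts

# Constructed Sysmon-like events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "file_create", "pid": 4120, "image": "WINWORD.EXE",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\Normal.dotm"},
    {"ts": 2, "type": "file_create", "pid": 5310, "image": "invoice.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\db\browser.db"},
    {"ts": 3, "type": "file_create", "pid": 5310, "image": "invoice.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\txt\parsed.txt"},
    {"ts": 4, "type": "net_connect", "pid": 5310, "image": "invoice.exe",
     "dst_host": "mail.example.net", "dst_port": 587},
    {"ts": 5, "type": "net_connect", "pid": 4120, "image": "WINWORD.EXE",
     "dst_host": "office.example.com", "dst_port": 443, "method": "GET"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```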
Because compromised credentials often enable lateral movement within networks, attackers can later deploy ransomware, launch phishing operations, or maintain persistent access.
Even basic endpoint protection or a properly configured firewall may have difficulty detecting activity if the malware uses legitimate protocols.
Security teams therefore often rely on multi-layered controls, including credential monitoring and incident response procedures as well as malware removal tools.
The continued circulation of cheap infostealers suggests that low cost of entry, rather than technical sophistication, increasingly leads to early-stage network compromises.