The cybersecurity landscape in 2026 is grappling with the escalating threat posed by infostealers, a category of malware increasingly dominating initial access into enterprise networks. Among the most concerning new entrants is DarkCloud infostealer, a commercially available and surprisingly affordable credential-harvesting tool that demonstrates how low-cost malware can inflict significant damage on large organizations.
First observed in 2022, DarkCloud is developed by an individual known as “Darkcloud Coder,” previously active as “BluCoder” on Telegram. The malware is readily available for purchase on both Telegram and a clearnet storefront, with subscription plans beginning as low as $30 USD. Despite being marketed as “surveillance software,” its core function is high-volume data theft, specifically targeting login credentials, financial information, and contact networks across various digital platforms.
How DarkCloud Infostealer Operates and Evades Detection
Flashpoint analysts highlight DarkCloud as a potent tool for entry-level threat actors, capable of granting them access to an entire corporate network through stolen credentials. The analysed build is written in Visual Basic 6.0 (VB6) and compiled to native code, yet it still depends on the legacy VB6 runtime (MSVBVM60.DLL); a separate C/C++ build of the same stealer also exists. Modern detection tooling rarely sees VB6 binaries, and as the VirusTotal comparison below shows, that choice of language alone lets the VB6 build slip past many contemporary security models while harvesting exactly the same data.
The danger DarkCloud poses to enterprises lies in its broad targeting capabilities. It systematically extracts login credentials, cookies, and credit card details from major web browsers. These include Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, Opera, Yandex, and Vivaldi, alongside numerous other Chromium and Firefox-based browsers. Furthermore, it targets popular email clients such as Outlook, Thunderbird, FoxMail, and eM Client, file transfer tools like FileZilla and WinSCP, and VPN applications including NordVPN. The malware also scrapes email contact lists, potentially for use in future phishing campaigns against the victim’s associates.
Stolen data is first staged locally in two directories under %APPDATA%\Microsoft\Windows\Templates: one for the raw browser and client database files, the other for parsed, unencrypted text logs. The staged data is then exfiltrated over one of several operator-selectable channels: SMTP, FTP, Telegram, or HTTP. Letting the operator pick the channel means the same stealer fits actors with and without their own infrastructure, and that defenders cannot rely on a single network signature to catch it.
DarkCloud’s Encryption Techniques for Evasion
A particularly notable technical aspect of DarkCloud is its layered string-encryption scheme, designed to impede both static and dynamic analysis. Instead of a modern cryptographic library, DarkCloud abuses a property of the legacy Visual Basic runtime to hide its internal strings and behaviour from security tools and analysts: most of its strings are stored encrypted and decrypted only at runtime, using Visual Basic's built-in Rnd() pseudo-random number generator (PRNG) together with a custom seed-generation algorithm.
The decryption sequence is fixed: each encrypted string is stored hex-encoded and its key Base64-encoded; a custom algorithm derives a seed from the key; the VB PRNG is reset to a known state from that seed (VB6 documents exactly this idiom for repeatable sequences: call Rnd with a negative argument, then Randomize with the seed); and successive Rnd() calls then produce the values that reconstruct the plaintext. Because the generator is deterministically reset before every decryption, the malware reproduces the same plaintext every time without external keys or network traffic that could trigger alerts in monitored environments. The same determinism works in the analyst's favour: once the seed derivation and constants are lifted from the binary, every string can be decrypted offline in bulk.
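The following is an added worked example, not DarkCloud's code, of the mechanism just described from the analyst's side: a re-implementation of the VB6 Rnd() generator core (its 24-bit LCG constants are well known; a fresh generator's first call returns 0.7055475), a Base64 key, a hex-encoded ciphertext, a seed derived from the key, a reset of the generator to that seed, and repeated Rnd() draws used to rebuild the plaintext. The seed derivation (derive_seed), the XOR combining step and the sample string table are assumptions constructed for the example; VB6's own Randomize()/Rnd(negative) seed mapping is deliberately not reproduced.

```python
"""Added example: decrypting PRNG-keyed strings of the kind described above.

Not DarkCloud's code. It models the mechanism the article describes: hex-encoded
ciphertext, a Base64-encoded key, a custom seed derived from the key, a VB6-style
Rnd() generator reset to that seed, and repeated Rnd() calls used to rebuild the
plaintext. The seed derivation and the XOR combining step are assumptions.
"""
import base64
import binascii


class Vb6Rnd:
    """Core of VB6's Rnd(): a 24-bit linear congruential generator.

    Multiplier, increment and default state are the well-known VB6 runtime
    constants (a fresh generator's first Rnd() returns 0.7055475). Only the
    plain Rnd() step and a direct state reset are modelled; the runtime's own
    Randomize()/Rnd(negative) seed mapping is deliberately not reproduced.
    """

    MULT = 0x43FD43FD
    INC = 0xC39EC3
    MASK = 0xFFFFFF          # 24-bit state
    DEFAULT_STATE = 0x50000

    def __init__(self, state=DEFAULT_STATE):
        self.state = state & self.MASK

    def reset(self, seed):
        """Stand-in for resetting the generator to a known state from a seed."""
        self.state = seed & self.MASK

    def rnd(self):
        """Advance the LCG and return a value in [0, 1), like VB6's Rnd()."""
        self.state = (self.state * self.MULT + self.INC) & self.MASK
        return self.state / float(1 << 24)


def derive_seed(key):
    """Illustrative custom seed derivation (assumption: the sample's real
    algorithm is not given in the article, so this is a simple stand-in)."""
    seed = 0x1F
    for b in key:
        seed = ((seed * 33) ^ b) & 0xFFFFFF
    return seed


def keystream(seed, length):
    """Reset the generator and draw `length` bytes with Int(Rnd() * 256)."""
    prng = Vb6Rnd()
    prng.reset(seed)
    return bytes(int(prng.rnd() * 256) & 0xFF for _ in range(length))


def encrypt_string(plaintext, key):
    """Return (hex ciphertext, Base64 key): the storage form the article
    describes. XOR with the keystream is an assumed combining step."""
    data = plaintext.encode("utf-8")
    ks = keystream(derive_seed(key), len(data))
    ct = bytes(p ^ k for p, k in zip(data, ks))
    return ct.hex().upper(), base64.b64encode(key).decode("ascii")


def decrypt_string(hex_ct, b64_key):
    """Inverse of encrypt_string: the routine an analyst re-implements."""
    key = base64.b64decode(b64_key)
    ct = binascii.unhexlify(hex_ct)
    ks = keystream(derive_seed(key), len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks)).decode("utf-8")


# Constructed "string table", shaped like what an analyst would dump from a
# binary: (hex ciphertext, Base64 key) pairs. Built here with encrypt_string.
SAMPLE_KEY = b"k3y-0001"
SAMPLE_PLAINTEXTS = [r"\Microsoft\Windows\Templates", "Login Data", "api.telegram.org"]
SAMPLE_TABLE = [encrypt_string(s, SAMPLE_KEY) for s in SAMPLE_PLAINTEXTS]


def decrypt_table(table):
    """Batch-decrypt a dumped string table; determinism makes this offline."""
    return [decrypt_string(h, k) for h, k in table]


if __name__ == "__main__":
    for (h, k), s in zip(SAMPLE_TABLE, decrypt_table(SAMPLE_TABLE)):
        print(f"{h:<60} key={k} -> {s!r}")
```

The practical workflow this mirrors is: locate the decryption routine in the sample, lift its seed-derivation logic and any constants, confirm the generator against VB6's known first output, then run the dumped (ciphertext, key) table through decrypt_table to recover paths, browser database names and exfiltration endpoints without ever executing the malware.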
Flashpoint analysts observed that this method does not rely on novel cryptographic techniques but rather weaponizes the predictable behavior of an outdated language runtime to slow down reverse engineering efforts. When tested in controlled environments, the VB6 variant of DarkCloud resulted in significantly fewer detections on VirusTotal scans compared to its C/C++ equivalent, indicating that the choice of programming language alone provides a tangible detection advantage for attackers.
Additionally, Flashpoint researchers identified code-level similarities between DarkCloud and a previously documented stealer, "A310LoggerStealer," also known as BluStealer: the order and format of the regular expressions used for credit card parsing are identical in both tools. Together with the developer's former alias "BluCoder," this leads Flashpoint to assess that A310LoggerStealer is likely an earlier iteration of what eventually evolved into DarkCloud, the incremental refinement typical of commodity malware development.
Defending against DarkCloud and similar commodity infostealers comes down to basic controls applied consistently. Treat phishing-delivered ZIP and RAR attachments as high-risk initial access vectors and enforce strict email attachment filtering. Monitor network traffic for anomalous outbound SMTP, FTP, and Telegram use, since those are the stealer's exfiltration channels and rarely originate from a freshly dropped executable in a legitimate environment. Audit credential reuse between browser-stored passwords and email applications, and enforce enterprise-wide password management policies so that a harvested browser vault does not hand over every other account as well.
Prioritize credential rotation and activate incident response playbooks immediately after any suspected compromise, because the stolen data has typically already left the host by the time the infection is noticed. Endpoint detection tooling should also watch legacy runtime environments, in particular processes that load VB6 runtime components such as MSVBVM60.DLL from user-writable locations. Infostealers like DarkCloud do not rely on zero-day exploits or groundbreaking techniques; they capitalize on accessibility, scale, and identity exposure. In an era where identity is increasingly the new perimeter, even a $30 subscription can lead to operationally devastating consequences for an enterprise.
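To make the monitoring advice above concrete, here is an added example, not code from Flashpoint or from any vendor's product, that runs three detection rules over endpoint telemetry: a VB6 runtime (MSVBVM60.DLL) loaded by a process running from a user-writable path, a non-Office process writing under the \Microsoft\Windows\Templates staging directory named earlier, and a connection to api.telegram.org or to a mail/FTP port from a process that is not a mail or FTP client. The JSON-lines events are constructed for the example, the field names are an assumed layout rather than any real product's schema, and the process allowlists are assumptions to be tuned locally.

```python
"""Added example: triaging endpoint and network telemetry for the behaviours the
article lists. Constructed JSON-lines events in an assumed field layout, not any
vendor's schema; the process allowlists are assumptions to be tuned locally.
"""
import json
from pathlib import PureWindowsPath

# Constructed sample telemetry (one JSON object per line).
SAMPLE_EVENTS = r"""
{"type":"image_load","pid":4120,"image":"C:\\Users\\alice\\AppData\\Roaming\\invoice.exe","module":"C:\\Windows\\SysWOW64\\msvbvm60.dll"}
{"type":"image_load","pid":2210,"image":"C:\\Program Files (x86)\\LegacyApp\\legacy.exe","module":"C:\\Windows\\SysWOW64\\msvbvm60.dll"}
{"type":"file_create","pid":4120,"image":"C:\\Users\\alice\\AppData\\Roaming\\invoice.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\db\\Login Data"}
{"type":"file_create","pid":5010,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","path":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Normal.dotm"}
{"type":"net_connect","pid":4120,"image":"C:\\Users\\alice\\AppData\\Roaming\\invoice.exe","dst_host":"api.telegram.org","dst_port":443}
{"type":"net_connect","pid":4120,"image":"C:\\Users\\alice\\AppData\\Roaming\\invoice.exe","dst_host":"mail.example.net","dst_port":587}
{"type":"net_connect","pid":3100,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","dst_host":"mail.example.net","dst_port":587}
"""

USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
MAIL_FTP_PORTS = {21, 25, 465, 587}
EXFIL_HOSTS = {"api.telegram.org"}
# Assumed allowlists: processes expected to use mail/FTP ports or the Templates directory.
MAIL_FTP_CLIENTS = {"outlook.exe", "thunderbird.exe", "filezilla.exe", "winscp.exe"}
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
STAGING_MARKER = "\\microsoft\\windows\\templates\\"


def image_name(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return PureWindowsPath(path).name.lower()


def rules_for(event):
    """Return the names of the detection rules a single event matches."""
    hits = []
    kind = event["type"]
    image_lower = event["image"].lower()
    if (kind == "image_load"
            and image_name(event["module"]) == "msvbvm60.dll"
            and any(m in image_lower for m in USER_WRITABLE_MARKERS)):
        hits.append("vb6_runtime_loaded_from_user_path")
    if (kind == "file_create"
            and STAGING_MARKER in event["path"].lower()
            and image_name(event["image"]) not in OFFICE_IMAGES):
        hits.append("write_to_templates_staging_dir")
    if kind == "net_connect":
        to_exfil_host = event["dst_host"].lower() in EXFIL_HOSTS
        unexpected_mail_ftp = (event["dst_port"] in MAIL_FTP_PORTS
                               and image_name(event["image"]) not in MAIL_FTP_CLIENTS)
        if to_exfil_host or unexpected_mail_ftp:
            hits.append("exfil_channel_from_unexpected_process")
    return hits


def triage(jsonl):
    """Map each pid to the sorted list of distinct rules it tripped."""
    findings = {}
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        for rule in rules_for(event):
            findings.setdefault(event["pid"], set()).add(rule)
    return {pid: sorted(rules) for pid, rules in findings.items()}


def suspicious_pids(findings, min_rules=2):
    """One rule is a lead; two or more distinct behaviours on the same process
    is the combination worth escalating."""
    return sorted(pid for pid, rules in findings.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for pid in suspicious_pids(result):
        print(pid, result[pid])
```

Each rule on its own is noisy (legitimate legacy VB6 applications exist, Office writes templates, mail clients talk to port 587), which is why the example correlates by process and only escalates when several distinct behaviours line up on one pid; the staged-data directory and the exfiltration channels come straight from the behaviour described earlier, so a hit on the second and third rules together should be followed immediately by the credential-rotation steps above.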

