DarkCloud Cyber Campaign Targets Spanish Critical Sectors
A sophisticated cyberattack leveraging the DarkCloud information stealer has been targeting Spanish organizations across technology, legal, financial, and government sectors since early April 2025.
Attack Methodology
The malware is distributed through phishing emails containing weaponized .TAR archives disguised as billing-related documents. This marks a significant escalation in DarkCloud’s activity, as attackers refine their techniques to bypass traditional security defenses.
The attack begins with emails titled “Importe: 3.500,00 EUR”, containing a malicious .TAR file (Importe3.50000EUR_Transfer.tar). Once extracted, the archive deploys a DarkCloud binary that steals:
- Login credentials
- Cryptocurrency wallets
- Sensitive documents
Advanced Capabilities
Analysts at Broadcom identified the campaign’s use of social engineering, impersonating a legitimate Spanish skiing equipment vendor to deceive victims.
DarkCloud’s capabilities align with advanced commodity stealers, enabling it to:
- Extract browser credentials from Chrome, Opera, and Yandex
- Monitor clipboard activity
- Hijack cryptocurrency wallet addresses (Bitcoin, Ethereum)
Its modular design allows selective data exfiltration via SMTP, FTP, and Telegram APIs, while its anti-analysis features make it harder to detect and reverse-engineer.
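The three exfiltration channels named above (SMTP, FTP and the Telegram Bot API) all leave outbound traffic that a proxy or firewall log can surface. The following is an added example of detection logic over such records; it is not code from the article or from Broadcom/Symantec. The log layout, host names, process names and the bot-token placeholder in the Telegram URL are constructed for the demo, and the rule assumes that mail and FTP traffic from anything other than a known client process is unusual on the monitored hosts.

```python
"""Flag outbound connections that match the exfiltration channels an
information stealer commonly uses: SMTP, FTP and the Telegram Bot API.

Added example (not the article's code). Event format and sample values are
constructed; MAIL_CLIENTS / FTP_CLIENTS are assumed site-specific allowlists.
"""
import re

# Constructed proxy/firewall records: (src_host, process, dst_host, dst_port, url)
SAMPLE_EVENTS = [
    ("ws-legal-07", "outlook.exe", "mail.corp.example", 587, ""),
    ("ws-legal-07", "Transfer.exe", "api.telegram.org", 443,
     "https://api.telegram.org/botTOKEN_PLACEHOLDER/sendDocument"),
    ("ws-fin-12", "Transfer.exe", "203.0.113.45", 21, ""),
    ("ws-fin-12", "chrome.exe", "www.example.org", 443, "https://www.example.org/"),
    ("ws-fin-12", "Transfer.exe", "198.51.100.9", 25, ""),
]

# Processes that legitimately speak SMTP or FTP on the monitored workstations
# (assumed allowlists; adjust to the environment).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
FTP_CLIENTS = {"filezilla.exe", "winscp.exe"}
SMTP_PORTS = {25, 465, 587}

# Telegram Bot API upload/message endpoints: https://api.telegram.org/bot<token>/<method>
TELEGRAM_BOT_API = re.compile(
    r"^https?://api\.telegram\.org/bot[^/]+/(sendDocument|sendMessage)", re.IGNORECASE
)


def classify(event):
    """Return a channel tag if the event matches an exfiltration pattern, else None."""
    _src, proc, _dst, port, url = event
    proc_l = proc.lower()
    if url and TELEGRAM_BOT_API.match(url):
        return "telegram-bot-api"
    if port == 21 and proc_l not in FTP_CLIENTS:
        return "ftp"
    if port in SMTP_PORTS and proc_l not in MAIL_CLIENTS:
        return "smtp"
    return None


def find_exfil(events):
    """Return (src_host, process, channel) for every suspicious event, in order."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag is not None:
            hits.append((ev[0], ev[1], tag))
    return hits


if __name__ == "__main__":
    for host, proc, channel in find_exfil(SAMPLE_EVENTS):
        print(f"{host}: {proc} -> possible exfiltration via {channel}")
```

The Telegram check keys on the URL path rather than the destination host alone, because ordinary Telegram clients also talk to api.telegram.org; the `bot<token>/sendDocument` path shape is specific to bot-driven uploads. The SMTP and FTP checks are deliberately process-aware, since blocking those ports outright is rarely an option.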
Infection Chain & Execution Flow
The malware follows a multi-stage deployment strategy:
1. .TAR Archive – Contains an obfuscated executable that drops:
   - A configuration file specifying exfiltration endpoints
   - A DLL file that handles credential theft
   - A watchdog process that ensures persistence
2. Anti-Analysis Evasion – DarkCloud employs sandbox detection using system fingerprinting:
   ```c
   /* Self-terminate when a VM registry footprint or an attached debugger is found */
   if (CheckVmRegKeys() || CheckDebuggerPresent()) { ExitProcess(0); }
   ```
   If a virtual machine or debugger is detected, the malware terminates itself to evade security analysis.
3. Data Theft & Exfiltration – The stealer:
   - Modifies registry settings for persistence
   - Searches for .pdf, .xlsx, and cryptocurrency wallet files
   - Compresses stolen data into password-protected .ZIP files
   - Transmits the stolen information to attackers' servers
Detection & Mitigation
Security firms, including Symantec, have identified DarkCloud’s payload using machine learning models (Heur.AdvML.B) and signature-based detection (Trojan.Gen.MBT). However, the attack highlights the growing need for stronger email security.
Organizations should:
- Block .TAR files from unknown senders
- Enhance phishing awareness training
- Use endpoint protection tools to detect obfuscated malware
- Monitor network traffic for unauthorized data transfers
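The first recommendation, blocking .TAR attachments from unknown senders, is easy to implement at the mail gateway but is only robust if the check looks past the file extension. The following is an added example of an attachment triage step, not code from the article or from any vendor named in it: it recognises a tar archive by the POSIX `ustar` magic at byte offset 257 even when the file is renamed, lists the archive members in memory without extracting anything to disk, and quarantines when the sender domain is outside an assumed allowlist or the archive carries an executable. The sample message reuses the subject line and attachment name reported above; the sender address, recipient and archive contents are constructed.

```python
"""Triage an inbound e-mail for mailed .TAR archives.

Added example (not the article's code). TRUSTED_ARCHIVE_SENDERS and the
sample message contents are assumptions constructed for the demo.
"""
import email
import io
import tarfile
from email import policy
from email.message import EmailMessage

# Hypothetical allowlist of sender domains permitted to mail archives.
TRUSTED_ARCHIVE_SENDERS = {"partner.example"}

# Member extensions that should never arrive inside a mailed archive.
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs")


def looks_like_tar(data: bytes) -> bool:
    """True if the bytes carry the POSIX tar magic ("ustar" at offset 257),
    so a renamed archive (e.g. billing.pdf) is still recognised."""
    return len(data) > 262 and data[257:262] == b"ustar"


def list_tar_members(data: bytes) -> list:
    """List member names from memory; nothing is written to disk."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [m.name for m in tf.getmembers()]


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        is_tar = looks_like_tar(data)
        if not (is_tar or name.lower().endswith(".tar")):
            continue
        members = list_tar_members(data) if is_tar else []
        executables = [m for m in members if m.lower().endswith(EXECUTABLE_EXTS)]
        findings.append({
            "attachment": name,
            "members": members,
            "executables": executables,
            "trusted_sender": sender_domain in TRUSTED_ARCHIVE_SENDERS,
        })
    quarantine = any(not f["trusted_sender"] or f["executables"] for f in findings)
    return {
        "subject": str(msg["Subject"]),
        "sender_domain": sender_domain,
        "findings": findings,
        "quarantine": quarantine,
    }


def build_sample_message() -> bytes:
    """Constructed lure: subject and attachment name as reported in the article,
    sender, recipient and archive members invented for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for member in ("Transfer.exe", "config.dat"):
            payload = b"MZ-placeholder" if member.endswith(".exe") else b"cfg"
            info = tarfile.TarInfo(member)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    msg = EmailMessage()
    msg["From"] = "facturas@ski-vendor-lookalike.example"
    msg["To"] = "finanzas@victim.example"
    msg["Subject"] = "Importe: 3.500,00 EUR"
    msg.set_content("Adjunto transferencia.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="x-tar",
                       filename="Importe3.50000EUR_Transfer.tar")
    return bytes(msg)


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

Listing members rather than extracting them keeps the gateway from ever writing attacker-controlled files to disk, and the magic-byte check means the policy survives a renamed archive; the extension test is kept only to catch damaged archives that still carry a .tar name.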
With DarkCloud continuing to evolve, proactive email security and advanced threat detection remain critical in mitigating future attacks.