The cybersecurity threat landscape is facing a growing challenge as infostealers continue to dominate the initial access ecosystem in 2026. Among the latest threats drawing serious attention is DarkCloud, a commercially available credential-harvesting malware that proves even low-cost tools can deliver devastating results against enterprise environments.
The $30 Threat That Can Compromise Entire Networks
DarkCloud was first observed in 2022 and is attributed to a developer known as “Darkcloud Coder,” formerly operating under the alias “BluCoder” on Telegram. The malware is openly sold through Telegram and a clearnet storefront, with subscription tiers starting at just US$30 — a price point that puts it within reach of nearly any aspiring threat actor.
Despite being marketed as “surveillance software,” its actual purpose is far more aggressive: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks.
Flashpoint analysts identified DarkCloud as a potent entry-level threat that can hand adversaries the keys to an entire corporate network through harvested credentials.
Technical Architecture: Legacy Code as a Detection Bypass
The malware is written in Visual Basic 6.0 (VB6) and compiled into a native C/C++ application — a deliberate engineering choice that gives it an unexpected edge against modern detection tools. By relying on legacy runtime components like MSVBVM60.DLL, DarkCloud operates outside the scope of many contemporary security models while retaining full credential theft functionality.
In controlled testing by Flashpoint, the VB6 variant produced significantly fewer detections in VirusTotal scans compared to equivalent C/C++ payloads, confirming that the language choice alone provides a meaningful detection advantage for attackers.
Massive Target Coverage
What makes DarkCloud particularly dangerous for enterprises is its sheer scale of targeting. It collects login credentials, cookies, and credit card data from:
- Browsers: Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, Opera, Yandex, Vivaldi, and other Chromium/Firefox-based browsers
- Email Clients: Outlook, Thunderbird, FoxMail, and eM Client
- File Transfer Tools: FileZilla and WinSCP
- VPN Applications: NordVPN
- Contact Lists: Email contacts scraped for future phishing campaigns
Flexible Data Exfiltration
Stolen data is staged locally in two directories under %APPDATA%\Microsoft\Windows\Templates — one for raw database files and another for parsed, unencrypted text logs — before being exfiltrated through SMTP, FTP, Telegram, or HTTP.
This flexibility in exfiltration methods allows operators to tailor deployments to match their infrastructure preferences and operational security needs, making DarkCloud adaptable across a wide range of attack scenarios.
Encryption Through Legacy Abuse
One of the most technically notable aspects of DarkCloud is its layered encryption scheme. Rather than relying on modern cryptographic libraries, DarkCloud abuses a quirk of the legacy Visual Basic language to hide its internal strings and behavior.
The decryption process uses Visual Basic’s built-in Rnd() pseudo-random number generator (PRNG) combined with a custom seed-generation algorithm. The malware:
- Hex-encodes encrypted strings
- Base64-encodes keys
- Calculates a seed value via custom algorithm
- Resets VB PRNG to known state
- Reconstructs plaintext at runtime via iterative Rnd() calls
Since the PRNG is reset to a deterministic known value before each decryption cycle, the malware guarantees consistent output without needing external keys or network calls that would raise flags in monitored environments.
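To make the determinism point concrete, the following is an added example (not code from the article or from Flashpoint) that reimplements VB6's Rnd(), a 24-bit linear congruential generator with publicly documented constants, and shows that resetting the state reproduces the same keystream every time, so an analyst who recovers the seed can regenerate strings offline with no key material. The XOR combining step, the sample seed and the base64 seed format are assumptions for illustration; the article does not describe DarkCloud's actual seed-derivation or string-combining routine.

```python
# Added example: VB6 Rnd() is a 24-bit LCG with the documented constants below.
# The XOR keystream, the demo seed and the base64 seed format are assumptions
# for illustration, not DarkCloud's actual routine.
import base64

MULT = 0x43FD43FD
INC = 0xC39EC3
MASK = 0xFFFFFF          # VB6 keeps a 24-bit internal state
DEFAULT_SEED = 0x50000   # VB6's start state; the first Rnd() is 0.7055475


class VB6Rnd:
    """Reproduces Rnd() with no argument: advance the state, return state / 2^24."""

    def __init__(self, seed=DEFAULT_SEED):
        self.state = seed & MASK

    def rnd(self):
        self.state = (self.state * MULT + INC) & MASK
        return self.state / 16777216.0


def keystream(seed, n):
    """Derive n key bytes from a freshly reset generator, like Int(Rnd() * 256)."""
    g = VB6Rnd(seed)
    return bytes(int(g.rnd() * 256) for _ in range(n))


def xor_with_stream(data, seed):
    """XOR is its own inverse, so the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


def recover_string(hex_blob, b64_key):
    """Analyst-side helper mirroring the hex/base64 layers the article lists:
    hex-encoded ciphertext plus a base64-encoded seed (seed format assumed)."""
    seed = int(base64.b64decode(b64_key).decode())
    return xor_with_stream(bytes.fromhex(hex_blob), seed).decode()


def demo():
    # Constructed sample: encode a known string, then recover it the way an
    # analyst would once the seed is known. No external key is ever needed.
    seed = 0x1234
    blob = xor_with_stream(b"smtp.example.net", seed).hex()
    key = base64.b64encode(str(seed).encode()).decode()
    return recover_string(blob, key)
```

Two generators reset to the same state always produce identical bytes, which is exactly why the malware needs no network round trip for a key, and why the same property works in the analyst's favour.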
Lineage: Connection to A310LoggerStealer
Flashpoint researchers identified notable code-level similarities between DarkCloud and A310LoggerStealer (also known as BluStealer). The credit card parsing regular expressions appear in identical order and format. Combined with the developer’s prior alias “BluCoder,” A310LoggerStealer likely represents an earlier version of what eventually became DarkCloud.
Defensive Recommendations
Organizations should implement the following measures to defend against DarkCloud and similar commodity infostealers:
- Treat phishing-delivered ZIP and RAR attachments as high-risk initial access vectors
- Monitor network traffic for abnormal data exfiltration over SMTP, FTP, and Telegram channels
- Audit credential reuse across browser-stored passwords and email applications
- Prioritize credential rotation following any suspected compromise
- Deploy endpoint detection tools capable of monitoring legacy runtime environments, particularly VB6 components like MSVBVM60.DLL
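One way to act on the last three recommendations together, as an added example that is not part of the article or of any vendor tooling: correlate, per process, a load of the VB6 runtime MSVBVM60.DLL, file writes under %APPDATA%\Microsoft\Windows\Templates, and outbound SMTP, FTP or Telegram connections. The telemetry format and the sample events below are constructed for this demonstration; a lone VB6 runtime load is normal for legitimate legacy software, so only processes showing at least two of the three signals are reported.

```python
# Added example: per-process correlation of the three DarkCloud behaviours the
# article describes. Log format and sample lines are constructed for the demo.
import re
from collections import defaultdict

# Constructed sample telemetry: "<pid> <event_type> <detail>"
SAMPLE_LOG = """\
4120 image_load C:\\Windows\\SysWOW64\\msvbvm60.dll
4120 file_write C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\db\\Login Data
4120 file_write C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\logs\\chrome.txt
4120 net_connect smtp.example.net:587
7788 image_load C:\\Windows\\SysWOW64\\msvbvm60.dll
7788 file_write C:\\Users\\alice\\Documents\\report.doc
9001 net_connect api.telegram.org:443
"""

# %APPDATA% expands to ...\AppData\Roaming, so match the expanded staging path.
STAGING = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\", re.I)
EXFIL_PORTS = {"25", "465", "587", "21"}   # SMTP submission/relay and FTP control


def classify(line):
    """Map one event line to (pid, signal) or (pid, None) if it is not relevant."""
    pid, kind, detail = line.split(" ", 2)
    if kind == "image_load" and detail.lower().endswith("msvbvm60.dll"):
        return pid, "vb6_runtime"
    if kind == "file_write" and STAGING.search(detail):
        return pid, "staging_write"
    if kind == "net_connect":
        host, _, port = detail.rpartition(":")
        if port in EXFIL_PORTS or host.lower().endswith("telegram.org"):
            return pid, "exfil_channel"
    return pid, None


def score_processes(log):
    """Return {pid: sorted signals} for processes with two or more distinct signals."""
    seen = defaultdict(set)
    for line in log.strip().splitlines():
        pid, tag = classify(line)
        if tag:
            seen[pid].add(tag)
    return {pid: sorted(tags) for pid, tags in seen.items() if len(tags) >= 2}
```

In the sample, only pid 4120 is reported: 7788 merely loads the VB6 runtime and 9001 merely talks to Telegram, neither of which is suspicious on its own.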
The Identity Perimeter Under Assault
Infostealers like DarkCloud do not rely on zero-day exploits or breakthrough techniques. They exploit scale, accessibility, and identity exposure — and in a landscape where identity is the new perimeter, even a US$30 subscription can cause operationally devastating damage to an enterprise.
Source: Cybersecurity News | Flashpoint Research
