- $30 DarkCloud infostealer quietly harvests credentials across browsers and enterprise software
- Older Visual Basic code unexpectedly helps malware evade some modern detection tools
- Inexpensive credential-stealing tools are increasingly the first step in corporate network compromise
Inexpensive malware tools are increasingly available on the dark web and offer credential theft opportunities to people with limited technical knowledge.
Security researchers at Flashpoint recently analyzed a malware strain known as DarkCloud that has been circulating via Telegram channels and public storefronts since approximately 2022.
Available for about $30, less than the price of many console games, the tool performs large-scale credential harvesting; the stolen information can include browser logins, cookies, financial data and contact information from email applications.
Cheap infostealers lower the barrier to cybercrime
DarkCloud advertises itself as surveillance software in public listings, although its internal functionality focuses on extracting credentials and sensitive data from infected machines.
Researchers say this type of info stealer has become a frequent entry point into corporate networks, where compromised credentials often lead to deeper network intrusions.
An unusual aspect of DarkCloud is its use of the deprecated Visual Basic 6.0 programming environment, as the malware payload is written in this older language before being compiled into a native executable.
Visual Basic 6.0 relies on legacy runtime components (the msvbvm60.dll runtime) that still work on modern Windows systems, and, according to Flashpoint analysts, this design choice may slow detection by some security tools, because many detection systems focus on more modern development frameworks.
The malware also uses multiple layers of string encryption and obfuscation, complicating reverse engineering and static analysis.
Internal strings remain encrypted until runtime, when a pseudo-random number generator, seeded deterministically, regenerates them.
These techniques rely on no novel cryptography; they exploit the predictable behaviour of older programming environments, which also means the strings can be recovered offline by anyone who reproduces the generator and its seed.
DarkCloud concentrates on collecting credentials and application data from a wide range of software, extracting information from web browsers, email clients, file transfer programs and numerous communication tools.
Collected data is stored locally in folders the malware creates under the user's Windows Templates path.
One folder contains copied database files, while another contains parsed information written in clear text format.
This staging system allows the malware to assemble structured log files before transmitting them externally.
The tool supports multiple methods to transfer stolen information.
These include email transmission via SMTP, file transfer using FTP servers, communication via Telegram channels and direct HTTP uploads.
Because compromised credentials often allow lateral movement within networks, attackers can later deploy ransomware, launch phishing operations, or maintain persistent access.
Because the exfiltration rides on legitimate protocols and ordinary destinations, even basic endpoint protection or a properly configured firewall may not flag it.
Security teams therefore often rely on layered controls, including credential monitoring and incident response procedures along with malware removal tools.
The continued proliferation of cheap infostealers suggests that low access costs, rather than technical sophistication, are increasingly what drives early-stage network intrusions.