Modern software development relies on containers and the use of third-party software modules. On the one hand, this greatly facilitates the creation of new software, but on the other, it gives attackers additional opportunities to compromise the development environment. News about attacks on the supply chain through the distribution of malware via various repositories appears with alarming regularity. Therefore, tools that allow the scanning of images have long been an essential part of secure software development.
Our portfolio has long included a solution for protecting container environments. It allows the scanning of images at different stages of development for malware, known vulnerabilities, configuration errors, the presence of confidential data in the code, and so on. However, in order to make an informed decision about the state of security of a particular image, the operator of the cybersecurity solution may need some more context. Of course, itβs possible to gather this context independently, but if a thorough investigation is conducted manually each time, development may be delayed for an unpredictable period of time. Therefore, our experts decided to add the ability to look at the image from a fresh perspective; of course, not with a human eye β AI is indispensable nowadays.
OpenAI API
Our Kaspersky Container Security solution (a key component of Kaspersky Cloud Workload Security) now supports an application programming interface for connecting external large language models. So, if a company has deployed a local LLM (or has a subscription to connect a third-party model) that supports the OpenAI API, itβs possible to connect the LLM to our solution. This gives a cybersecurity expert the opportunity to get both additional context about uploaded images and an independent risk assessment by means of a full-fledged AI assistant capable of quickly gathering the necessary information.
The AI provides a description that clearly explains what the image is for, what application it contains, what it does specifically, and so on. Additionally, the assistant conducts its own independent analysis of the risks of using this image and highlights measures to minimize these risks (if any are found). Weβre confident that this will speed up decision-making and incident investigations and, overall, increase the security of the development process.
What else is new in Cloud Workload Security?
In addition to adding API to connect the AI assistant, our developers have made a number of other changes to the products included in the Kaspersky Cloud Workload Security offering. First, they now support single sign-on (SSO) and a multi-domain Active Directory, which makes it easier to deploy solutions in cloud and hybrid environments. In addition, Kaspersky Cloud Workload Security now scans images more efficiently and supports advanced security policy capabilities. You can learn more about the product on its official page.
In this post, we analyze DarkCloud, a commercially available infostealer written in Visual Basic 6.0, examine its encryption and evasion techniques, and assess how this low-cost malware can provide threat actors with enterprise-wide access through harvested credentials.
Infostealers continue to dominate the initial access landscape in 2026, lowering the barrier to breach through scalable credential theft. DarkCloud illustrates how low-cost, commercialized malware is reshaping the initial access landscape.
First observed in 2022 and attributed to a developer known as βDarkcloud Coderβ (formerly βBluCoderβ on Telegram), DarkCloud is openly sold through Telegram and a clearnet storefront with subscription tiers starting at just US$30. Despite being marketed as βsurveillance software,β its technical focus is unmistakable: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks.
A screenshot from DarkCloudβs clearnet site calling itself βsurveillance software.β (Source: DarkCloud clearnet site)
At the technical level, DarkCloud is written in Visual Basic 6.0 and compiled into a native C/C++ application. This legacy language choice is unusual in modern malware development β and likely deliberate. By leveraging outdated but still supported runtime components, DarkCloud appears to benefit from lower detection rates while maintaining full credential theft functionality.
Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated. Flashpoint assesses it as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.
The Commercialization of DarkCloud
DarkCloud describes itself as a keylogger despite the original advertisement on XSS describing it as an infostealer. (Source: DarkCloud)
DarkCloud represents a mature example of commodity malware-as-a-service.
It is openly sold through Telegram and a clearnet website, where it is misleadingly labeled as a keylogger. While it does include keylogging capabilities, this is only a minor component of a much broader infostealing toolkit.
Its real value proposition is credential harvesting across browsers, email clients, file transfer applications, VPN software, and more.
This dual positioning β public-facing βsurveillance softwareβ and underground stealer β provides plausible deniability while enabling large-scale credential operations.
Why Visual Basic 6.0 Matters
One of the most notable aspects of DarkCloud is its use of Visual Basic 6.0.
The payload is written in VB6 and compiled into a native C/C++ application. Microsoft no longer supports VB6 in its modern development environment, and VB6 applications rely on legacy components such as MSVBVM60.DLL for execution.
Flashpoint assesses this legacy language choice is deliberate, both for its simplicity and its potential to evade modern detection models.
In testing, Flashpoint analysts generated equivalent payloads in C/C++ and VB6. The VB6 variant produced significantly fewer detections in VirusTotal scans.
The implication is clear: older languages are not necessarily obsolete in adversary tradecraft. In some cases, they may be strategically advantageous.
Encryption and String Obfuscation
DarkCloud employs a layered string encryption scheme that complicates static and dynamic analysis.
Most internal strings are encrypted and decrypted at runtime using Visual Basicβs Rnd() pseudo-random number generator, combined with a custom seed-generation algorithm.
The process involves:
Hex-encoded encrypted strings
Base64-encoded keys
Seed calculation through a custom algorithm
Resetting the VB pseudo-random number generator to a known state
Iterative Rnd() calls to reconstruct plaintext strings
By resetting the PRNG with a known value before applying the calculated seed, the malware ensures deterministic output during decryption.
This approach does not rely on novel cryptography, but rather on abusing legacy language behavior to frustrate reverse engineering.
Credential Theft at Scale
DarkCloudβs primary objective is credential collection.
It targets:
Email clients:
Outlook
eM Client
FoxMail
Thunderbird
163Mail
MailMaster
File transfer applications:
FileZilla
WinSCP
CoreFTP
Browsers:
Google Chrome
Microsoft Edge
Mozilla Firefox
Brave
Opera
Yandex
Vivaldi
(and many additional Chromium- and Firefox-based browsers)
Other applications:
Pidgin
NordVPN
When extracting browser data, DarkCloud steals:
Login credentials
Cookies
Credit card information
Email applications are additionally scraped for contact lists. This is likely intended to seed future phishing campaigns.
DarkCloud stores collected data locally in two directories under %APPDATA%\Microsoft\Windows\Templates. One directory (βDBSβ) stores copied database files, while another (β_β) stores parsed data in unencrypted text format.
This local staging enables continuous exfiltration while maintaining structured log output.
Exfiltration Methods: Flexibility for Threat Actors
DarkCloud supports four exfiltration methods:
SMTP
FTP
Telegram
HTTP
SMTP and FTP require hardcoded credentials within each binary. Email subjects include the victim machineβs hostname and username, and stolen data is transmitted as attachments.
HTTP exfiltration appears less frequently used, though the capability is present.
This flexibility allows operators to tailor deployments depending on infrastructure preferences and operational security requirements.
From BluStealer to DarkCloud
Flashpoint analysts identified notable similarities between DarkCloudβs regular expressions for credit card parsing and those found in a publicly documented project known as βA310LoggerStealer,β also referred to as BluStealer.
The regex patterns appear in identical order and format.
Combined with the developerβs prior alias βBluCoder,β Flashpoint assesses that A310LoggerStealer likely represents an earlier iteration of what became DarkCloud.
This evolution reflects a common pattern in commodity malware development: incremental refinement rather than radical innovation.
A Potent Entry-Level Threat
Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated.
Its marketing as surveillance software attempts to normalize its presence while providing plausible deniability for buyers. Technically, however, its focus is clear: large-scale credential harvesting across browsers, email clients, financial data, and contact networks.
Flashpoint assesses DarkCloud as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.
In a landscape where identity is the new perimeter, even a US$30 subscription can be operationally devastating.
Defending Against Commodity Infostealers
Commodity infostealers like DarkCloud may be commercially accessible, but defending against them requires enterprise-grade vigilance.
Organizations should:
Treat phishing-delivered ZIP/RAR attachments as high-risk initial access vectors
Monitor for abnormal data exfiltration over SMTP, FTP, and Telegram
Audit credential reuse across browser and email applications
Prioritize credential rotation and incident response playbooks following suspected compromise
Infostealers like DarkCloud are not breakthrough malware families. They do not rely on zero-days or advanced exploits.
Instead, they exploit scale, accessibility, and identity exposure.
To understand how credential harvesting campaigns are evolving and to embed real-time intelligence into your detection workflows, request a demo today and see how Flashpoint intelligence strengthens your defense posture.
In todayβs multi-cloud world, businesses deploy workloads across dozens of public and private clouds, each with their own network topology, security controls, and operational quirks. Over time this flexibility comes at a cost of increasing complexity and risk. How can budget minded IT team sanely enforce complex security policies, prevent AI-powered cyber breaches by foreign entities, and maintain geographical compliance across such a diverse environment?Β They can do so with a partner that leads with an open garden, agnostic approach. Check Point cloud firewalls, called CloudGuard Network Security, provide integrations across 22 leading public and private cloud vendors from AWS, [β¦]
Introduction: Security Testing Must Evolve with Attacks As cyber threats rise, web applications, GenAI workloads, and APIs have become prime targets. WAFs remain a critical first line of defense, but as attackers move beyond basic OWASP Top 10 techniques, WAF testing must evolve. Modern attacks increasingly rely on evasion methods, payload padding, and zero-day techniques designed to bypass signature-based WAFs. The WAF Comparison Project 2026 presents the results of our third annual, real-world evaluation of WAF efficacy (see the last year result here), using over 1 million legitimate requests and 74,000 malicious payloads to assess 14 leading WAF vendors, including [β¦]
Simplifying Cloud Network Security When securing cloud landscapes, itβs critically important to eliminate any downtime or performance degradation that firewall or gateway implementation may cause. To address these challenges, Check Point is proud to announce our support for Google Cloud Network Security Integration. This innovation creates a nondisruptive approach to cloud firewall deployment, increasing network security without negatively impacting performance. Scaling Hybrid Cloud Network Security Network security and performance are critical to any organization, but this is especially true for industries under heavy regulations like financial services, healthcare, and government. So over time these organizations gain comfort, expertise, and confidence [β¦]
In this video, John Strand discusses the complexities and challenges of penetration testing, emphasizing that it goes beyond just finding and exploiting vulnerabilities.
This webcast was originally published on September 26, 2024. In this video, Kevin Klingbile from Black Hills Information Security discusses the intricacies of Azure Cloud services and M365, focusing on [β¦]
| Nigel Douglas As a Developer Advocate working on Project Falco, Nigel Douglas plays a key role in driving education for the Open-Source Detection and Response (D&R) segment of cloud-native [β¦]
By Beau Bullock & Steve Borosh TL;DR We built a post-compromise toolset called GraphRunner for interacting with the Microsoft Graph API. It provides various tools for performing reconnaissance, persistence, and [β¦]
Mike Felch// How to Purge Google and Start Over β Part 1 Brief Recap In part 1, we discussed a red team engagement that went south when the Google SOC [β¦]
Mike Felch// A Tale of Blue Destroying Red Let me start by sharing a story about a fairly recent red team engagement against a highly-secured technical customer that didnβt end [β¦]
John StrandΒ talks about how BHIS pen tests companies who use the cloud. Want to know how you can defend against attacks in your cloud infrastructure? Keep your eyes peeled for [β¦]
Carrie Roberts //* REMnuxΒ is a free virtual machine image with Reverse Engineering Malware tools preinstalled.Β REMnux is maintained byΒ Lenny ZeltserΒ with extensive help fromΒ David Westcott and is available from https://remnux.org. I have [β¦]
Carrie Roberts* // How does password cracking in the cloud compare to down here on earth? Maybe not as heavenly as imagined. I saw this on the web and got [β¦]
Beau Bullock // Overview The traditional methodology of a remote attacker who has no preconceptions of a target network used to be fairly static. With organizations moving to βthe cloudβ, [β¦]