❌

Normal view

AI assistant in Kaspersky Container Security

3 March 2026 at 17:13

Modern software development relies on containers and the use of third-party software modules. On the one hand, this greatly facilitates the creation of new software, but on the other, it gives attackers additional opportunities to compromise the development environment. News about attacks on the supply chain through the distribution of malware via various repositories appears with alarming regularity. Therefore, tools that allow the scanning of images have long been an essential part of secure software development.

Our portfolio has long included a solution for protecting container environments. It allows the scanning of images at different stages of development for malware, known vulnerabilities, configuration errors, the presence of confidential data in the code, and so on. However, in order to make an informed decision about the state of security of a particular image, the operator of the cybersecurity solution may need some more context. Of course, it’s possible to gather this context independently, but if a thorough investigation is conducted manually each time, development may be delayed for an unpredictable period of time. Therefore, our experts decided to add the ability to look at the image from a fresh perspective; of course, not with a human eye β€” AI is indispensable nowadays.

OpenAI API

Our Kaspersky Container Security solution (a key component of Kaspersky Cloud Workload Security) now supports an application programming interface for connecting external large language models. So, if a company has deployed a local LLM (or has a subscription to connect a third-party model) that supports the OpenAI API, it’s possible to connect the LLM to our solution. This gives a cybersecurity expert the opportunity to get both additional context about uploaded images and an independent risk assessment by means of a full-fledged AI assistant capable of quickly gathering the necessary information.

The AI provides a description that clearly explains what the image is for, what application it contains, what it does specifically, and so on. Additionally, the assistant conducts its own independent analysis of the risks of using this image and highlights measures to minimize these risks (if any are found). We’re confident that this will speed up decision-making and incident investigations and, overall, increase the security of the development process.

What else is new in Cloud Workload Security?

In addition to adding API to connect the AI assistant, our developers have made a number of other changes to the products included in the Kaspersky Cloud Workload Security offering. First, they now support single sign-on (SSO) and a multi-domain Active Directory, which makes it easier to deploy solutions in cloud and hybrid environments. In addition, Kaspersky Cloud Workload Security now scans images more efficiently and supports advanced security policy capabilities. You can learn more about the product on its official page.

Understanding the DarkCloud Infostealer

Blogs

Blog

Understanding the DarkCloud Infostealer

In this post, we analyze DarkCloud, a commercially available infostealer written in Visual Basic 6.0, examine its encryption and evasion techniques, and assess how this low-cost malware can provide threat actors with enterprise-wide access through harvested credentials.

SHARE THIS:
Default Author Image
February 25, 2026

Infostealers continue to dominate the initial access landscape in 2026, lowering the barrier to breach through scalable credential theft. DarkCloud illustrates how low-cost, commercialized malware is reshaping the initial access landscape.

First observed in 2022 and attributed to a developer known as β€œDarkcloud Coder” (formerly β€œBluCoder” on Telegram), DarkCloud is openly sold through Telegram and a clearnet storefront with subscription tiers starting at just US$30. Despite being marketed as β€œsurveillance software,” its technical focus is unmistakable: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks.

A screenshot from DarkCloud’s clearnet site calling itself β€œsurveillance software.” (Source: DarkCloud clearnet site)

At the technical level, DarkCloud is written in Visual Basic 6.0 and compiled into a native C/C++ application. This legacy language choice is unusual in modern malware development β€” and likely deliberate. By leveraging outdated but still supported runtime components, DarkCloud appears to benefit from lower detection rates while maintaining full credential theft functionality.

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated. Flashpoint assesses it as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

The Commercialization of DarkCloud

DarkCloud describes itself as a keylogger despite the original advertisement on XSS describing it as an infostealer. (Source: DarkCloud)

DarkCloud represents a mature example of commodity malware-as-a-service.

It is openly sold through Telegram and a clearnet website, where it is misleadingly labeled as a keylogger. While it does include keylogging capabilities, this is only a minor component of a much broader infostealing toolkit.

Its real value proposition is credential harvesting across browsers, email clients, file transfer applications, VPN software, and more.

This dual positioning β€” public-facing β€œsurveillance software” and underground stealer β€” provides plausible deniability while enabling large-scale credential operations.

Why Visual Basic 6.0 Matters

One of the most notable aspects of DarkCloud is its use of Visual Basic 6.0.

The payload is written in VB6 and compiled into a native C/C++ application. Microsoft no longer supports VB6 in its modern development environment, and VB6 applications rely on legacy components such as MSVBVM60.DLL for execution.

Flashpoint assesses this legacy language choice is deliberate, both for its simplicity and its potential to evade modern detection models.

In testing, Flashpoint analysts generated equivalent payloads in C/C++ and VB6. The VB6 variant produced significantly fewer detections in VirusTotal scans.

The implication is clear: older languages are not necessarily obsolete in adversary tradecraft. In some cases, they may be strategically advantageous.

Encryption and String Obfuscation

DarkCloud employs a layered string encryption scheme that complicates static and dynamic analysis.

Most internal strings are encrypted and decrypted at runtime using Visual Basic’s Rnd() pseudo-random number generator, combined with a custom seed-generation algorithm.

The process involves:

  • Hex-encoded encrypted strings
  • Base64-encoded keys
  • Seed calculation through a custom algorithm
  • Resetting the VB pseudo-random number generator to a known state
  • Iterative Rnd() calls to reconstruct plaintext strings

By resetting the PRNG with a known value before applying the calculated seed, the malware ensures deterministic output during decryption.

This approach does not rely on novel cryptography, but rather on abusing legacy language behavior to frustrate reverse engineering.

Credential Theft at Scale

DarkCloud’s primary objective is credential collection.

It targets:

Email clients:

  • Outlook
  • eM Client
  • FoxMail
  • Thunderbird
  • 163Mail
  • MailMaster

File transfer applications:

  • FileZilla
  • WinSCP
  • CoreFTP

Browsers:

  • Google Chrome
  • Microsoft Edge
  • Mozilla Firefox
  • Brave
  • Opera
  • Yandex
  • Vivaldi
  • (and many additional Chromium- and Firefox-based browsers)

Other applications:

  • Pidgin
  • NordVPN

When extracting browser data, DarkCloud steals:

  • Login credentials
  • Cookies
  • Credit card information

Email applications are additionally scraped for contact lists. This is likely intended to seed future phishing campaigns.

DarkCloud stores collected data locally in two directories under %APPDATA%\Microsoft\Windows\Templates. One directory (β€œDBS”) stores copied database files, while another (β€œ_”) stores parsed data in unencrypted text format.

This local staging enables continuous exfiltration while maintaining structured log output.

Exfiltration Methods: Flexibility for Threat Actors

DarkCloud supports four exfiltration methods:

  • SMTP
  • FTP
  • Telegram
  • HTTP

SMTP and FTP require hardcoded credentials within each binary. Email subjects include the victim machine’s hostname and username, and stolen data is transmitted as attachments.

HTTP exfiltration appears less frequently used, though the capability is present.

This flexibility allows operators to tailor deployments depending on infrastructure preferences and operational security requirements.

From BluStealer to DarkCloud

Flashpoint analysts identified notable similarities between DarkCloud’s regular expressions for credit card parsing and those found in a publicly documented project known as β€œA310LoggerStealer,” also referred to as BluStealer.

The regex patterns appear in identical order and format.

Combined with the developer’s prior alias β€œBluCoder,” Flashpoint assesses that A310LoggerStealer likely represents an earlier iteration of what became DarkCloud.

This evolution reflects a common pattern in commodity malware development: incremental refinement rather than radical innovation.

A Potent Entry-Level Threat

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated.

Its marketing as surveillance software attempts to normalize its presence while providing plausible deniability for buyers. Technically, however, its focus is clear: large-scale credential harvesting across browsers, email clients, financial data, and contact networks.

Flashpoint assesses DarkCloud as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

In a landscape where identity is the new perimeter, even a US$30 subscription can be operationally devastating.

Defending Against Commodity Infostealers

Commodity infostealers like DarkCloud may be commercially accessible, but defending against them requires enterprise-grade vigilance.

Organizations should:

  • Treat phishing-delivered ZIP/RAR attachments as high-risk initial access vectors
  • Monitor for abnormal data exfiltration over SMTP, FTP, and Telegram
  • Audit credential reuse across browser and email applications
  • Prioritize credential rotation and incident response playbooks following suspected compromise

Infostealers like DarkCloud are not breakthrough malware families. They do not rely on zero-days or advanced exploits.

Instead, they exploit scale, accessibility, and identity exposure.

To understand how credential harvesting campaigns are evolving and to embed real-time intelligence into your detection workflows, request a demo today and see how Flashpoint intelligence strengthens your defense posture.

Begin your free trial today.

The post Understanding the DarkCloud Infostealer appeared first on Flashpoint.

Check Point Named Leader in GigaOm Radar for Cloud Network Security For 3 Years in a Row – Protects 22 Cloud Vendors

17 February 2026 at 13:00

In today’s multi-cloud world, businesses deploy workloads across dozens of public and private clouds, each with their own network topology, security controls, and operational quirks. Over time this flexibility comes at a cost of increasing complexity and risk. How can budget minded IT team sanely enforce complex security policies, prevent AI-powered cyber breaches by foreign entities, and maintain geographical compliance across such a diverse environment?Β  They can do so with a partner that leads with an open garden, agnostic approach. Check Point cloud firewalls, called CloudGuard Network Security, provide integrations across 22 leading public and private cloud vendors from AWS, […]

The post Check Point Named Leader in GigaOm Radar for Cloud Network Security For 3 Years in a Row – Protects 22 Cloud Vendors appeared first on Check Point Blog.

WAF Security Test Results 2026: Why Prevention-First Matters More Than Ever

11 February 2026 at 13:00

Introduction: Security Testing Must Evolve with Attacks As cyber threats rise, web applications, GenAI workloads, and APIs have become prime targets. WAFs remain a critical first line of defense, but as attackers move beyond basic OWASP Top 10 techniques, WAF testing must evolve. Modern attacks increasingly rely on evasion methods, payload padding, and zero-day techniques designed to bypass signature-based WAFs. The WAF Comparison Project 2026 presents the results of our third annual, real-world evaluation of WAF efficacy (see the last year result here), using over 1 million legitimate requests and 74,000 malicious payloads to assess 14 leading WAF vendors, including […]

The post WAF Security Test Results 2026: Why Prevention-First Matters More Than Ever appeared first on Check Point Blog.

Check Point Supports Google Cloud Network Security Integration

7 January 2026 at 13:00

Simplifying Cloud Network Security When securing cloud landscapes, it’s critically important to eliminate any downtime or performance degradation that firewall or gateway implementation may cause. To address these challenges, Check Point is proud to announce our support for Google Cloud Network Security Integration. This innovation creates a nondisruptive approach to cloud firewall deployment, increasing network security without negatively impacting performance. Scaling Hybrid Cloud Network Security Network security and performance are critical to any organization, but this is especially true for industries under heavy regulations like financial services, healthcare, and government. So over time these organizations gain comfort, expertise, and confidence […]

The post Check Point Supports Google Cloud Network Security Integration appeared first on Check Point Blog.

Reconnaissance: Azure Cloud w/ Kevin Klingbile

By: BHIS
7 October 2024 at 17:16

This webcast was originally published on September 26, 2024. In this video, Kevin Klingbile from Black Hills Information Security discusses the intricacies of Azure Cloud services and M365, focusing on […]

The post Reconnaissance: Azure Cloud w/ Kevin Klingbile appeared first on Black Hills Information Security, Inc..

Introducing GraphRunner: A Post-Exploitation Toolset for Microsoft 365

By Beau Bullock & Steve Borosh TL;DR We built a post-compromise toolset called GraphRunner for interacting with the Microsoft Graph API. It provides various tools for performing reconnaissance, persistence, and […]

The post Introducing GraphRunner: A Post-Exploitation Toolset for Microsoft 365 appeared first on Black Hills Information Security, Inc..

Deploy REMnux to the Cloud, Reverse Engineering Malware in the Cloud

By: BHIS
1 February 2018 at 16:48

Carrie Roberts //* REMnuxΒ is a free virtual machine image with Reverse Engineering Malware tools preinstalled.Β REMnux is maintained byΒ Lenny ZeltserΒ with extensive help fromΒ David Westcott and is available from https://remnux.org. I have […]

The post Deploy REMnux to the Cloud, Reverse Engineering Malware in the Cloud appeared first on Black Hills Information Security, Inc..

Storm Chasing: How We Hacked Your Cloud

Beau Bullock // Overview The traditional methodology of a remote attacker who has no preconceptions of a target network used to be fairly static. With organizations moving to β€œthe cloud”, […]

The post Storm Chasing: How We Hacked Your Cloud appeared first on Black Hills Information Security, Inc..

❌