DarkCloud Stealer Attacking Organizations with Weaponized .TAR Archive to Steal Passwords

A sophisticated cyber campaign leveraging the DarkCloud information stealer has targeted Spanish organizations across multiple critical sectors since early April 2025.
The malware, distributed via weaponized .TAR archives embedded in phishing emails, exploits billing-themed lures to compromise technology, legal, financial, and government entities.
This represents an escalation in DarkCloud’s activity since its initial emergence in 2022, with attackers refining their evasion techniques to bypass traditional security measures.
The attack begins with emails titled “Importe: 3.500,00 EUR” containing a malicious .TAR file (Importe3.50000EUR_Transfer.tar).
Upon extraction, the archive deploys a DarkCloud binary designed to harvest credentials, cryptocurrency wallets, and sensitive documents.
Broadcom analysts identified the campaign’s broad sectoral impact, noting its tailored social engineering approach to impersonate a legitimate Spanish skiing equipment vendor.
DarkCloud’s technical capabilities align with advanced commodity stealers, including browser credential extraction from Chrome, Opera, and Yandex, clipboard monitoring, and wallet address hijacking for cryptocurrencies like Bitcoin and Ethereum.
Its modular design enables selective data exfiltration through SMTP, FTP, and Telegram APIs while employing anti-analysis checks to hinder reverse engineering.
Infection Chain and Execution Flow
The attack’s efficacy stems from its multi-stage deployment strategy. The .TAR archive acts as a container for a heavily obfuscated executable that drops three components: a configuration file defining exfiltration endpoints, a DLL implementing credential-grabbing routines, and a watchdog process ensuring persistence.
Researchers observed the malware employing system fingerprinting to bypass sandboxed environments:

```cpp
// Anti-analysis gate: exit silently if VM registry artifacts or a debugger are detected
if (CheckVmRegKeys() || CheckDebuggerPresent()) {
    ExitProcess(0);
}
```
This anti-analysis technique precedes the stealer’s primary payload, which initiates registry modifications to establish autostart entries.
DarkCloud then performs targeted file searches for documents (.pdf, .xlsx) and cryptocurrency wallet.dat files, compressing them into password-protected .ZIP archives for exfiltration.
Symantec’s countermeasures, including the Heur.AdvML.B machine learning model and signature-based Trojan.Gen.MBT detection, currently intercept payload execution.
However, the campaign underscores the need for enhanced email security protocols to flag .TAR files from untrusted sources, particularly in multilingual organizational environments.
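One way an email gateway or mail-flow hook could triage a .TAR attachment like the one in this campaign, as an added example that is not part of the original article or any vendor product: inspect each archive member in memory, without extracting to disk, and flag members that carry an executable extension, a document-looking double extension, or a PE "MZ" header. The sample archive, its member names and the double-extension pattern are constructed for the demonstration; the page only states that the archive contained a DarkCloud binary.

```python
import io
import tarfile
from pathlib import PurePosixPath

PE_MAGIC = b"MZ"
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif"}
DOCUMENT_EXTENSIONS = {".pdf", ".xlsx", ".doc", ".docx"}


def build_sample_tar() -> bytes:
    """Build a constructed in-memory .TAR: one fake PE payload plus one benign text file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        # Constructed stand-in for a PE file: DOS "MZ" stub followed by filler bytes.
        payload = PE_MAGIC + b"\x90" * 62 + b"fake PE body (constructed)"
        info = tarfile.TarInfo(name="Importe3.50000EUR_Transfer.pdf.exe")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
        note = b"Factura adjunta"
        info2 = tarfile.TarInfo(name="leeme.txt")
        info2.size = len(note)
        tar.addfile(info2, io.BytesIO(note))
    return buf.getvalue()


def scan_tar_attachment(data: bytes) -> list:
    """Return one finding per suspicious member; an empty list means nothing was flagged."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar:
            if not member.isfile():
                continue
            reasons = []
            suffixes = [s.lower() for s in PurePosixPath(member.name).suffixes]
            if suffixes and suffixes[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
            # e.g. "invoice.pdf.exe": a document extension hiding behind the real one
            if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("double extension")
            fh = tar.extractfile(member)
            head = fh.read(len(PE_MAGIC)) if fh else b""
            if head == PE_MAGIC:
                reasons.append("PE header (MZ)")
            if reasons:
                findings.append({"name": member.name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_tar_attachment(build_sample_tar()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

Checking the member header rather than only the file name matters because renaming the payload does not change its first two bytes.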
The post DarkCloud Stealer Attacking Organizations with Weaponized .TAR Archive to Steal Passwords appeared first on Cyber Security News.