Understanding the DarkCloud Infostealer

Infostealers continue to dominate the initial access landscape in 2026, lowering the barrier to breach through scalable credential theft. DarkCloud illustrates how low-cost, commercialized malware is reshaping the initial access landscape.

First observed in 2022 and attributed to a developer known as “Darkcloud Coder” (formerly “BluCoder” on Telegram), DarkCloud is openly sold through Telegram and a clearnet storefront with subscription tiers starting at just US$30. Despite being marketed as “surveillance software,” its technical focus is unmistakable: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks.

At the technical level, DarkCloud is written in Visual Basic 6.0 and compiled into a native C/C++ application. This legacy language choice is unusual in modern malware development — and likely deliberate. By leveraging outdated but still supported runtime components, DarkCloud appears to benefit from lower detection rates while maintaining full credential theft functionality.

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated. Flashpoint assesses it as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

The Commercialization of DarkCloud

DarkCloud represents a mature example of commodity malware-as-a-service.

It is openly sold through Telegram and a clearnet website, where it is misleadingly labeled as a keylogger. While it does include keylogging capabilities, this is only a minor component of a much broader infostealing toolkit.

Its real value proposition is credential harvesting across browsers, email clients, file transfer applications, VPN software, and more.

This dual positioning — public-facing “surveillance software” and underground stealer — provides plausible deniability while enabling large-scale credential operations.

Why Visual Basic 6.0 Matters

One of the most notable aspects of DarkCloud is its use of Visual Basic 6.0.

The payload is written in VB6 and compiled into a native C/C++ application. Microsoft no longer supports VB6 in its modern development environment, and VB6 applications rely on legacy components such as MSVBVM60.DLL for execution.

Flashpoint assesses this legacy language choice is deliberate, both for its simplicity and its potential to evade modern detection models.

In testing, Flashpoint analysts generated equivalent payloads in C/C++ and VB6. The VB6 variant produced significantly fewer detections in VirusTotal scans.

The implication is clear: older languages are not necessarily obsolete in adversary tradecraft. In some cases, they may be strategically advantageous.

Encryption and String Obfuscation

DarkCloud employs a layered string encryption scheme that complicates static and dynamic analysis.

Most internal strings are encrypted and decrypted at runtime using Visual Basic’s Rnd() pseudo-random number generator, combined with a custom seed-generation algorithm.

The process involves:

• Hex-encoded encrypted strings
• Base64-encoded keys
• Seed calculation through a custom algorithm
• Resetting the VB pseudo-random number generator to a known state
• Iterative Rnd() calls to reconstruct plaintext strings

By resetting the PRNG with a known value before applying the calculated seed, the malware ensures deterministic output during decryption.

This approach does not rely on novel cryptography, but rather on abusing legacy language behavior to frustrate reverse engineering.

Credential Theft at Scale

DarkCloud’s primary objective is credential collection.

It targets:

Email clients:

• Outlook
• eM Client
• FoxMail
• Thunderbird
• 163Mail
• MailMaster

File transfer applications:

• FileZilla
• WinSCP
• CoreFTP

Browsers:

• Google Chrome
• Microsoft Edge
• Mozilla Firefox
• Brave
• Opera
• Yandex
• Vivaldi
• (and many additional Chromium- and Firefox-based browsers)

Other applications:

• Pidgin
• NordVPN

When extracting browser data, DarkCloud steals:

• Login credentials
• Cookies
• Credit card information

Email applications are additionally scraped for contact lists. This is likely intended to seed future phishing campaigns.

DarkCloud stores collected data locally in two directories under %APPDATA%\Microsoft\Windows\Templates. One directory (“DBS”) stores copied database files, while another (“_”) stores parsed data in unencrypted text format.

This local staging enables continuous exfiltration while maintaining structured log output.

Exfiltration Methods: Flexibility for Threat Actors

DarkCloud supports four exfiltration methods:

• SMTP
• FTP
• Telegram
• HTTP

SMTP and FTP require hardcoded credentials within each binary. Email subjects include the victim machine’s hostname and username, and stolen data is transmitted as attachments.

HTTP exfiltration appears less frequently used, though the capability is present.

This flexibility allows operators to tailor deployments depending on infrastructure preferences and operational security requirements.

From BluStealer to DarkCloud

Flashpoint analysts identified notable similarities between DarkCloud’s regular expressions for credit card parsing and those found in a publicly documented project known as “A310LoggerStealer,” also referred to as BluStealer.

The regex patterns appear in identical order and format.

Combined with the developer’s prior alias “BluCoder,” Flashpoint assesses that A310LoggerStealer likely represents an earlier iteration of what became DarkCloud.

This evolution reflects a common pattern in commodity malware development: incremental refinement rather than radical innovation.

A Potent Entry-Level Threat

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated.

Its marketing as surveillance software attempts to normalize its presence while providing plausible deniability for buyers. Technically, however, its focus is clear: large-scale credential harvesting across browsers, email clients, financial data, and contact networks.

Flashpoint assesses DarkCloud as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

In a landscape where identity is the new perimeter, even a US$30 subscription can be operationally devastating.

Defending Against Commodity Infostealers

Commodity infostealers like DarkCloud may be commercially accessible, but defending against them requires enterprise-grade vigilance.

Organizations should:

• Treat phishing-delivered ZIP/RAR attachments as high-risk initial access vectors
• Monitor for abnormal data exfiltration over SMTP, FTP, and Telegram
• Audit credential reuse across browser and email applications
• Prioritize credential rotation and incident response playbooks following suspected compromise

Infostealers like DarkCloud are not breakthrough malware families. They do not rely on zero-days or advanced exploits.

Instead, they exploit scale, accessibility, and identity exposure.

To understand how credential harvesting campaigns are evolving and to embed real-time intelligence into your detection workflows, request a demo today and see how Flashpoint intelligence strengthens your defense posture.