Unveiling a New Variant of the DarkCloud Campaign www.fortinet.com/blog/thre…
In early July 2025, a new DarkCloud campaign was observed in the wild by Fortinet’s FortiGuard Labs team. It began with a phishing email containing an attached RAR archive. I subsequently investigated this campaign and conducted a step-by-step analysis.
DarkCloud is a stealthy Windows-based information stealer first identified in 2022. It is designed to steal sensitive information from the victim’s computer, including saved login credentials, financial data, contacts, and more.
In this analysis, I will show how the campaign starts on the victim’s computer, how it establishes persistence on the system, how it downloads, decodes, and deploys the fileless DarkCloud payload, which kinds of sensitive information this variant harvests from the victim, and how the stolen data is exfiltrated.