$30 DarkCloud infostealer quietly harvests credentials across browsers and enterprise software

Date: 2026-03-09

Legacy Visual Basic code is unexpectedly helping malware evade some modern detection tools

Cheap credential-stealing tools are increasingly driving early-stage corporate network compromises

Low-cost malware tools are increasingly available on the dark web, offering credential theft capabilities to individuals with limited technical knowledge.

Security researchers at Flashpoint recently analyzed a malware strain known as DarkCloud, which has circulated via Telegram channels and public storefronts since approximately 2022.

Available for roughly $30, less than the price of many console games, the tool performs large-scale credential harvesting; the stolen information may include browser logins, cookies, financial data, and contact information from email applications.

Cheap infostealers lowering barrier to cybercrime

DarkCloud advertises itself as surveillance software in public listings, although its internal functionality focuses on extracting credentials and sensitive data from infected machines.

Researchers say this type of infostealer has become a frequent entry point into corporate networks, where compromised credentials often lead to deeper network intrusion.

One unusual aspect of DarkCloud is its use of the outdated programming environment Visual Basic 6.0: the malware payload is written in this legacy language and then compiled into a native executable.

Visual Basic 6.0 relies on older runtime components that still function on modern Windows systems, and according to Flashpoint analysts this design choice may reduce detection rates in some security tools, because many detection systems focus on more modern development frameworks.

The malware also uses multiple layers of string encryption and obfuscation, complicating reverse engineering and static analysis.

Internal strings remain encrypted until runtime, when a deterministic pseudo-random generator reconstructs them.

These techniques do not rely on novel cryptography; instead, they exploit predictable behaviors inside legacy programming environments.
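As an added illustration for analysts (this is not DarkCloud's code and not anything from the Flashpoint write-up), the script below shows why strings hidden behind a deterministic, seeded generator are recoverable: once the generator is reproduced, the keystream is fixed by the seed, and a short known substring (a "crib") is enough to brute-force a small seed. The generator constants, the 16-bit seed width, the crib and the sample string table are all assumptions constructed for this demo.

```python
"""Added example, not code from DarkCloud or Flashpoint: shows why strings
protected by a deterministic, seeded pseudo-random generator are recoverable
once an analyst reproduces the generator. The generator, seed width and
sample strings below are all constructed for illustration."""
from typing import Iterator, List, Optional

# Toy linear congruential generator (ANSI C style constants, chosen as an
# ASSUMPTION for the demo; not the generator of any real VB6 runtime).
LCG_MULT = 1103515245
LCG_INC = 12345
LCG_MOD = 1 << 31


def keystream(seed: int) -> Iterator[int]:
    """Yield one byte per generator step, taken from the middle bits of the
    state so the weak low bits of an LCG are not used directly."""
    state = seed % LCG_MOD
    while True:
        state = (state * LCG_MULT + LCG_INC) % LCG_MOD
        yield (state >> 16) & 0xFF


def xor_with_keystream(data: bytes, seed: int) -> bytes:
    """XOR data against the keystream for `seed`. XOR is its own inverse, so
    the same call both hides and recovers a string."""
    ks = keystream(seed)
    return bytes(b ^ next(ks) for b in data)


def recover_seed(blob: bytes, crib: bytes, max_seed: int = 1 << 16) -> Optional[int]:
    """Brute-force the seed. The analyst assumes the sample stores a 16-bit
    seed (ASSUMPTION) and knows one substring (`crib`) that must appear in
    the decoded string, e.g. a protocol separator. Candidates are dropped
    at the first non-printable byte, which makes the search cheap."""
    for seed in range(max_seed):
        ks = keystream(seed)
        out = bytearray()
        for b in blob:
            p = b ^ next(ks)
            if not 0x20 <= p < 0x7F:
                break
            out.append(p)
        else:
            if crib in out:
                return seed
    return None


def recover_all(blobs: List[bytes], seed: int) -> List[str]:
    """Because the generator is re-seeded before every string, one recovered
    seed decodes the entire string table."""
    return [xor_with_keystream(b, seed).decode("ascii") for b in blobs]


# Constructed sample string table, as an analyst might carve it from a
# binary. The plaintexts are placeholders, not strings from the real sample.
SAMPLE_SEED = 0xBEEF
SAMPLE_PLAINTEXTS = [
    "https://example.invalid/upload",
    "ftp://example.invalid/incoming",
    "Login Data",
]
SAMPLE_BLOBS = [xor_with_keystream(s.encode("ascii"), SAMPLE_SEED)
                for s in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    seed = recover_seed(SAMPLE_BLOBS[0], crib=b"://")
    print("recovered seed:", hex(seed) if seed is not None else None)
    if seed is not None:
        for s in recover_all(SAMPLE_BLOBS, seed):
            print(" ", s)
```

The design point for defenders is the re-seeding: because every string starts the generator from the same state, one crib against one string recovers the seed for all of them, which is why this kind of obfuscation slows static analysis without actually protecting the strings.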

DarkCloud concentrates on collecting credentials and application data from a wide range of software, extracting information from web browsers, email clients, file transfer programs, and several communication tools.

Collected data is stored locally inside directories created under the Windows templates path.

One directory holds copied database files, while another contains parsed information written in unencrypted text format.

This staging system allows the malware to assemble structured logs before transmitting them externally.

The tool supports several methods for transmitting stolen information.

These include email transmission through SMTP, file transfer using FTP servers, communication through Telegram channels, and direct HTTP uploads.

Because compromised credentials often allow lateral movement inside networks, attackers may later deploy ransomware, launch phishing operations, or maintain persistent access.

Even basic endpoint protection or a properly configured firewall may struggle to detect activity if the malware uses legitimate protocols.

Security teams therefore frequently rely on layered controls, including credential monitoring and incident response procedures alongside malware removal tools.
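The four transmission channels listed above (SMTP, FTP, Telegram, direct HTTP upload) are all legitimate protocols, so the usable signal is usually which host is speaking them rather than the protocol itself. The script below is an added example, not code from the article, Flashpoint or DarkCloud, that runs that heuristic over constructed egress log lines; the log format, host role inventory, upload allowlist and byte threshold are all assumptions for the demo.

```python
"""Added example, not code from the article, Flashpoint or DarkCloud: a small
detection pass over constructed egress log lines. It flags the four
exfiltration channels the article names (SMTP, FTP, Telegram, direct HTTP
upload) when they originate from hosts that have no business using them."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records (ASSUMED format):
#   <timestamp> <source host> <destination> <dest port> <protocol> <bytes out>
SAMPLE_LOGS = """\
2026-03-09T08:01:12Z ws-042 mail.corp.example 587 smtp 2048
2026-03-09T08:01:15Z mailrelay-01 mx.example.net 25 smtp 10240
2026-03-09T08:02:03Z ws-042 api.telegram.org 443 https 60912
2026-03-09T08:02:40Z ws-017 cdn.example.net 443 https 1200
2026-03-09T08:03:05Z ws-042 203.0.113.9 21 ftp 88455
2026-03-09T08:03:50Z ws-042 203.0.113.9 80 http-post 120033
2026-03-09T08:04:10Z ws-017 intranet.corp.example 443 https 900
"""

# Role inventory (ASSUMPTION): which hosts legitimately speak SMTP and FTP.
EXPECTED_SENDERS = {"smtp": {"mailrelay-01"}, "ftp": {"build-01"}}
# Destinations to which large uploads are normal (ASSUMPTION).
ALLOWED_UPLOAD_HOSTS = {"share.corp.example"}
TELEGRAM_API = "api.telegram.org"
UPLOAD_THRESHOLD = 50_000  # bytes out; tune to the environment


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    port: int
    proto: str
    bytes_out: int


def parse_line(line: str) -> Event:
    ts, src, dst, port, proto, nbytes = line.split()
    return Event(ts, src, dst, int(port), proto, int(nbytes))


def is_ip_literal(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def classify(ev: Event) -> Optional[str]:
    """Return a reason if the event matches one of the exfiltration channel
    heuristics, else None."""
    if ev.proto == "smtp" and ev.src not in EXPECTED_SENDERS["smtp"]:
        return "outbound SMTP from a host that is not a mail relay"
    if ev.proto == "ftp" and ev.src not in EXPECTED_SENDERS["ftp"]:
        return "outbound FTP from a host with no file-transfer role"
    if ev.dst == TELEGRAM_API:
        return "traffic to the Telegram bot API"
    if (ev.proto == "http-post" and ev.bytes_out >= UPLOAD_THRESHOLD
            and (is_ip_literal(ev.dst) or ev.dst not in ALLOWED_UPLOAD_HOSTS)):
        return "large plain-HTTP upload to an unrecognised destination"
    return None


def scan(log_text: str) -> Dict[str, List[str]]:
    """Group findings by source host so a single staging-and-upload burst
    from one workstation shows up as one incident rather than four alerts."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reason = classify(ev)
        if reason:
            findings[ev.src].append(f"{ev.ts} -> {ev.dst}:{ev.port} {reason}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOGS).items():
        print(host)
        for r in reasons:
            print("  ", r)
```

On the constructed sample, only ws-042 is reported, with all four channels in a few minutes, while the mail relay's SMTP and the other workstation's HTTPS traffic pass untouched. The role inventory does the real work here: without knowing which hosts are allowed to speak SMTP and FTP, the same rules would either flood the queue or stay silent.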

The continued circulation of inexpensive infostealers suggests that low entry cost, rather than technical sophistication, increasingly drives early-stage network compromise.