DarkCloud Rising: Spear-Phishing Campaign Targets Manufacturing Sector

Amber | Attack Report

Summary

In September 2025, HiveForce Labs identified a global spear-phishing campaign targeting the manufacturing sector. The attack leveraged DarkCloud, a commercially available information stealer for Windows, to harvest browser passwords, keystrokes, FTP credentials, and cryptocurrency wallet data. Delivered through a phishing email disguised as routine banking correspondence, the campaign shows how a widely marketed tool with mature evasion techniques lets attackers compromise organizations worldwide. It underscores the persistent threat of commodity malware and the need for proactive monitoring to prevent large-scale data theft.


Attack Details

In September 2025, threat actors launched a spear-phishing campaign against a global manufacturing organization. The lure was a fake banking email, sent to the address procure@bmuxitq[.]shop, carrying a malicious ZIP attachment that deployed DarkCloud v3.2 under the guise of financial documents.
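
The delivery step above (an executable dressed up as financial documents inside a ZIP) is exactly what a mail gateway can refuse before it reaches a user. The following is an added example, not code from HiveForce Labs, that triages a ZIP attachment in Python: it flags entries with executable extensions, document-plus-executable double extensions, PE images hiding behind a harmless extension, nested archives, and password-protected entries that cannot be scanned at all. The extension lists and the sample archive (including its file names) are constructed for this example and are not taken from the advisory.

```python
import io
import zipfile

# Extensions Windows will execute on double-click. Assumed list for this example,
# not taken from the advisory.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
                  ".js", ".jse", ".wsf", ".hta", ".ps1", ".lnk", ".msi", ".dll"}
# Extensions a "financial document" lure would plausibly claim to be.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
NESTED_ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img"}


def _extensions(name):
    """Return every dotted suffix of the entry's base name, e.g. ['.pdf', '.exe']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def triage_zip(data):
    """Return (entry name, reason) pairs for every entry that should block delivery."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            # Bit 0 of the general-purpose flag marks an encrypted entry; a
            # password-protected archive cannot be content-scanned, so treat it as suspect.
            if info.flag_bits & 0x1:
                findings.append((info.filename, "encrypted entry, content cannot be inspected"))
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if last in EXECUTABLE_EXT:
                findings.append((info.filename, f"executable extension {last}"))
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
                    findings.append((info.filename, "double extension masquerading as a document"))
            elif head == b"MZ":
                # PE image (DOS 'MZ' header) hiding behind a harmless-looking extension.
                findings.append((info.filename, "PE header under non-executable extension"))
            if last in NESTED_ARCHIVE_EXT:
                findings.append((info.filename, "nested archive"))
    return findings


def build_sample_zip():
    """Constructed sample archive mimicking the lure shape (not the real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payment_Advice_Sept2025.pdf.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("SWIFT_copy.vbs", b'Set sh = CreateObject("WScript.Shell")')
        zf.writestr("Remittance.pdf", b"MZ\x90\x00\x03")   # renamed PE
        zf.writestr("README.txt", b"Please see the attached documents.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in triage_zip(build_sample_zip()):
        print(f"BLOCK {name}: {reason}")
```

Checking the first two bytes of each entry matters more than the extension check: a stealer renamed to .pdf still starts with MZ, while a password-protected archive defeats every content rule and should be quarantined rather than passed through unscanned.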

DarkCloud, openly marketed on underground platforms such as darkcloud.onlinewebshop[.]net and Telegram (@BluCoder), steals data from web browsers, email clients, FTP tools, and VPN applications. Its builder is tied to the legacy Visual Basic 6 IDE, and the generated stealer relies on Caesar-style cipher obfuscation of its strings, system reconnaissance via WMI, and sandbox/VM evasion checks. Persistence is established through registry RunOnce entries, and stolen data is exfiltrated over SMTP, FTP, Telegram, or web panels, often as JSON that includes the victim's IP address.

The malware's focus on cryptocurrency wallets, credentials, and system intelligence highlights the financial and operational risk posed by this commercial-grade stealer.
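
Caesar-style string obfuscation, mentioned above, is weak by design: a fixed alphabetic shift is applied to every string in a build, so the shift can be brute-forced from the string table alone. The following is an added analyst helper, not HiveForce Labs' or DarkCloud's code: it tries every shift and picks the one that makes the whole table light up with tokens a stealer is expected to contain (C2 protocols, exfiltration endpoints, credential-store names). Scoring the table jointly rather than string-by-string is the point, since one wrong shift rarely produces a convincing word in several strings at once. The keyword list, the sample plaintexts and the shift of 7 are assumptions for this example; the advisory publishes neither DarkCloud's shift value nor its strings.

```python
# Tokens an analyst expects in a stealer's string table: C2 protocols, exfil
# endpoints, credential stores. Assumed for this example, not from the advisory.
KEYWORDS = ("http", "ftp", "smtp", "telegram", "api", "bot", "send", "login",
            "password", "wallet", "user", "host", "mail", "run")


def caesar(text, shift):
    """Shift A-Z/a-z by `shift` positions (wrapping); leave digits and punctuation alone."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def keyword_score(text):
    """Number of expected-token occurrences in a candidate decoding."""
    low = text.lower()
    return sum(low.count(k) for k in KEYWORDS)


def recover_shift(obfuscated):
    """All strings in one build share one shift, so score every candidate shift across
    the whole table. Shift 0 is included so an unobfuscated table is reported as such.
    Returns (shift, decoded strings)."""
    best_shift = max(range(26),
                     key=lambda k: sum(keyword_score(caesar(s, -k)) for s in obfuscated))
    return best_shift, [caesar(s, -best_shift) for s in obfuscated]


# Constructed string table: plaintexts an analyst would expect in a stealer, obfuscated
# here with an arbitrary shift of 7 (the advisory gives neither the shift nor the strings).
PLAINTEXT_TABLE = [
    "https://api.telegram.org/bot0000:TOKEN/sendDocument",
    "ftp://ftp-host.example.net/uploads",
    "smtp.mail.example.org",
    "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    "Login Data",
    "wallet.dat",
]
OBFUSCATED_TABLE = [caesar(s, 7) for s in PLAINTEXT_TABLE]


if __name__ == "__main__":
    shift, decoded = recover_shift(OBFUSCATED_TABLE)
    print(f"recovered shift {shift}")
    for before, after in zip(OBFUSCATED_TABLE, decoded):
        print(f"  {before!r} -> {after!r}")
```

Because digits and punctuation pass through a letter-only Caesar cipher unchanged, URL scaffolding such as "://" and ".org" survives in the obfuscated strings and is itself a tell that this scheme, rather than real encryption, is in use.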


Recommendations

  • Be Cautious with Emails: Verify unexpected financial communications via trusted channels before opening attachments or links.

  • Strengthen Email Security: Use filtering tools to block suspicious archives (e.g., ZIP files) and train employees to detect phishing attempts.

  • Monitor for Compromise: Watch for new Run/RunOnce registry entries, abnormal logins, and unusual outbound SMTP, FTP, or Telegram API traffic from processes that have no business using those protocols.

  • Enhance Endpoint Protection: Deploy NGAV and EDR solutions with behavioral analysis and machine learning to identify malicious activity.
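
The monitoring recommendation above maps onto three concrete rules: a Run/RunOnce value pointing into a user-writable directory, SMTP/FTP/Telegram traffic from a process that is not a mail or FTP client, and any sighting of the published hashes or domain. The following is an added example, not HiveForce Labs' detection content, that runs those rules over Sysmon events exported as newline-delimited JSON (field names follow Sysmon's own schema: Image, Hashes, TargetObject, Details, DestinationHostname, DestinationPort, QueryName). The allow-list of trusted network processes, the user-writable path fragments, the process names, the SID and the timestamps in the sample telemetry are constructed for this example; only the SHA256 hashes and the domain are the advisory's IoCs.

```python
import json

# IoCs published in this advisory.
IOC_SHA256 = {
    "e013fb82188cb7ea231183197e12c189b4637e7d92e277793d607405e16da1e2",
    "6a3b4e62a8262a0bf527ad8ea27eb19a0fcb48a76d6fc2868785362e40491432",
}
IOC_DOMAINS = {"mail.apexpharmabd.com"}

# Assumptions for this example (not from the advisory): which binaries are expected to
# speak SMTP/FTP/Telegram, and which directories a legitimate autostart should never use.
TRUSTED_NETWORK_IMAGES = {"outlook.exe", "thunderbird.exe", "filezilla.exe", "telegram.exe"}
EXFIL_PORTS = {21: "FTP", 25: "SMTP", 465: "SMTPS", 587: "SMTP submission"}
TELEGRAM_HOSTS = {"api.telegram.org"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _sha256(hashes_field):
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; return the SHA256 or None."""
    for part in hashes_field.split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def evaluate(ev):
    """Return a list of alert strings for one Sysmon event."""
    alerts = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    name = _basename(image)
    if eid == 1:                                   # process creation
        if _sha256(ev.get("Hashes", "")) in IOC_SHA256:
            alerts.append(f"IoC hash match: {image}")
    elif eid == 13:                                # registry value set
        target = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "").lower()
        # Run/RunOnce pointing into a user-writable directory is the stealer's
        # persistence shape; installers writing to Program Files are left alone.
        if any(k in target for k in AUTORUN_KEYS) and any(p in details for p in USER_WRITABLE):
            alerts.append(f"Run/RunOnce persistence to user-writable path: {ev.get('Details')}")
    elif eid == 3:                                 # network connection
        host = ev.get("DestinationHostname", "").lower()
        port = int(ev.get("DestinationPort", 0))
        if host in IOC_DOMAINS:
            alerts.append(f"IoC domain contacted: {host} by {name}")
        if name not in TRUSTED_NETWORK_IMAGES:
            if host in TELEGRAM_HOSTS:
                alerts.append(f"Telegram API traffic from non-messaging process {name}")
            elif port in EXFIL_PORTS:
                alerts.append(f"{EXFIL_PORTS[port]} (tcp/{port}) from unexpected process {name}")
    elif eid == 22:                                # DNS query
        if ev.get("QueryName", "").lower() in IOC_DOMAINS:
            alerts.append(f"IoC domain lookup by {name}")
    return alerts


def scan(log_lines):
    """Run every rule over newline-delimited JSON events; returns (UtcTime, alert) pairs."""
    hits = []
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits.extend((ev.get("UtcTime"), a) for a in evaluate(ev))
    return hits


# Constructed sample telemetry shaped like Sysmon events exported as JSON. Process names,
# SID and timestamps are invented; the hash and domain are the advisory's IoCs.
STEALER = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\Payment_Advice_Sept2025.pdf.exe"
IMPLANT = "C:\\Users\\jdoe\\AppData\\Roaming\\updater.exe"
SAMPLE_LOG = [json.dumps(e) for e in [
    {"UtcTime": "2025-09-15 08:01:02", "EventID": 1, "Image": STEALER,
     "Hashes": "SHA256=e013fb82188cb7ea231183197e12c189b4637e7d92e277793d607405e16da1e2"},
    {"UtcTime": "2025-09-15 08:01:05", "EventID": 13, "Image": STEALER,
     "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Updater",
     "Details": IMPLANT},
    {"UtcTime": "2025-09-15 08:01:09", "EventID": 22, "Image": IMPLANT,
     "QueryName": "mail.apexpharmabd.com"},
    {"UtcTime": "2025-09-15 08:01:10", "EventID": 3, "Image": IMPLANT,
     "DestinationHostname": "mail.apexpharmabd.com", "DestinationPort": 587},
    {"UtcTime": "2025-09-15 08:01:30", "EventID": 3, "Image": IMPLANT,
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"UtcTime": "2025-09-15 08:02:00", "EventID": 3,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
    {"UtcTime": "2025-09-15 08:03:00", "EventID": 13,
     "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "C:\\Program Files\\Vendor\\tray.exe"},
]]


if __name__ == "__main__":
    for when, alert in scan(SAMPLE_LOG):
        print(when, alert)
```

The two benign events (Outlook submitting mail on tcp/587 and an installer registering a tray application from Program Files) produce no alerts, which is the noise floor these rules need to stay under; the hash and domain matches are the highest-confidence signals, but they only fire on this exact build and infrastructure, so the behavioural rules are what catch the next rebuild of the same stealer.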


Indicators of Compromise (IoCs)

SHA256 Hashes

  • e013fb82188cb7ea231183197e12c189b4637e7d92e277793d607405e16da1e2

  • 6a3b4e62a8262a0bf527ad8ea27eb19a0fcb48a76d6fc2868785362e40491432

Domain

  • mail[.]apexpharmabd[.]com

Email Address

  • procure@bmuxitq[.]shop


MITRE ATT&CK TTPs

  • Initial Access – T1566 Phishing; T1566.001 Spearphishing Attachment

  • Execution – T1059 Command and Scripting Interpreter; T1059.005 Visual Basic; T1204 User Execution; T1204.002 Malicious File

  • Persistence – T1547 Boot or Logon Autostart Execution; T1547.001 Registry Run Keys / Startup Folder

  • Defense Evasion – T1027 Obfuscated Files or Information; T1036 Masquerading; T1497 Virtualization/Sandbox Evasion

  • Credential Access – T1056 Input Capture; T1056.001 Keylogging; T1555 Credentials from Password Stores; T1555.003 Credentials from Web Browsers

  • Discovery – T1047 Windows Management Instrumentation; T1082 System Information Discovery

  • Collection – T1005 Data from Local System; T1115 Clipboard Data

  • Exfiltration – T1048 Exfiltration Over Alternative Protocol; T1567 Exfiltration Over Web Service

