You might assume Visual Basic 6 belongs in a museum. Yet threat intelligence teams are still analyzing, in 2025, malicious payloads compiled in VB6. This paradox — a language over twenty-five years old used in current attacks — is no accident: it rests on specific technical properties, which we examine here from a defensive-analysis standpoint.
This article is purely informational and aimed at analysts and defenders. It describes no actionable offensive technique.
Why VB6 appeals to malware authors
Several characteristics, often cited by security researchers, explain the comeback:
- The runtime is always present.
MSVBVM60.dllships with Windows 10 and 11, so a VB6 payload runs with no dependency to install, across a huge installed base. - Lower visibility to modern tooling. Many detection solutions are tuned to recent frameworks; rarer native VB6 code sometimes flies further under the radar.
- The runtime "noise" complicates analysis. A VB6 executable mixes the author's code with the large VB engine layer, drowning the useful logic and slowing reverse engineering.
- Native code resists debugging. Compiled to machine instructions, with anti-analysis tricks, a VB6 binary is known to be painful to instrument dynamically.
Packers and the RunPE technique
Many malicious VB6 samples aren't "business" programs but packers: their job is to conceal then launch another payload. The most documented technique is RunPE — the industry has also catalogued it under the generic names VBInject or VBCrypt. The principle, publicly described for over a decade: the program relaunches itself as a new process, then overwrites that process's memory with the actually malicious code.
The appeal to attackers is that the unpacking routine, written in VB6, can vary endlessly (simple XOR, encryption, decompression…) and lodge its anti-analysis guards inside the engine's P-Code, making generic signatures hard to build. Microsoft accordingly classes these objects under a generic VirTool:Win32/VBInject detection, precisely because they act as a vehicle for many families.
P-Code as an obfuscation layer
VB6's P-Code mode — which we describe in our article P-Code or Native Code — is a proprietary opcode set, in a complex, poorly tooled format. Researchers (notably at Gen Digital) point out that this format is a still-underexplored obfuscation terrain: to date, P-Code-level manipulations remain rare in the wild, but their very complexity could have let them go unnoticed. For the analyst, it's a reminder that the VB6 binary format still holds areas poorly covered by standard tooling.
A current campaign: DarkCloud
The most telling example today is the DarkCloud infostealer. Observed since 2022 and sold by subscription (at a trivial entry price, on the order of a few dozen dollars, via Telegram), it saw several waves in 2025. Public analyses (Unit 42, Fortinet, Flashpoint) describe multi-stage infection chains, kicked off by phishing emails with archives, leading to intermediate scripts and then a final payload written in Visual Basic 6.
That VB6 payload stacks protections: several hundred encrypted strings, decrypted only at runtime, and an anti-sandbox mechanism monitoring keyboard/mouse activity. DarkCloud's goal is credential theft — browsers, mail clients, file-transfer software, VPNs — that is, potentially the access keys to an entire corporate network.
A phenomenon that isn't new
This isn't the first resurgence. As early as 2014, Virus Bulletin documented renewed interest in VB6 and macro documents as a vector, partly because code, unlike an exploit, doesn't depend on a specific version of the target software. The constant, from then to now: VB6 offers an excellent simplicity-to-opacity ratio.
What this means for analysis
Understanding a malicious VB6 binary means being able to read it — identifying referenced COM/OLE/ActiveX components, inspecting the UI, and decompiling the logic where possible. These are exactly the capabilities a tool like VBReFormer brings to analysts and incident-response teams: where the VB6 format slows generic tools, a specialized decompiler saves precious time. The same technology that helps a company recover its lost source code also serves to dissect a suspicious sample.
Malware reverse engineering must be practiced within a legal, controlled setting (isolated environment, authorization, defensive purpose).
Sources
- Unit 42 (Palo Alto Networks) — New DarkCloud Stealer Infection Chain
- FortiGuard Labs (Fortinet) — New Variant of the DarkCloud Campaign
- Flashpoint — Understanding the DarkCloud Infostealer
- Gen Digital — An Analysis of VB6 P-Code Obfuscation
- Virus Bulletin — The new chic of Visual Basic 6 (2014)
- Microsoft Security Intelligence — VirTool:Win32/VBInject