
Vietnam-Based Ducktail Cybercrime Operation Evolving, Expanding

The Ducktail information stealer has been updated with new capabilities and the threat actors that use it have been expanding their operation, according to WithSecure, formerly known as F-Secure Business.

Initially detailed earlier this year, Ducktail is a piece of malware specifically targeting Facebook business users and is likely operated by Vietnamese-speaking individuals. Ducktail’s operators have been active since at least 2018, while the malware has been in use since the second half of 2021.

Financially motivated, the threat actor targets organizations that run Facebook Business/Ads accounts in order to hijack them. Earlier this year the Ducktail infostealer was delivered via LinkedIn, but the operators have since changed their techniques to evade detection.

Following public disclosure, the code-signing certificate used in the campaign was revoked, after which the attackers were seen distributing samples signed with certificates that were no longer valid. When that did not pay off, the attackers halted malware distribution in August, WithSecure says.

In September, however, the attackers resumed their activity with a new malware variant compiled using the .NET 7 NativeAOT feature but built from the same code base as before. This variant fetched target email addresses from its command-and-control (C&C) server and encrypted the data it exfiltrated to the C&C.

In October, the attackers switched back to self-contained .NET Core 3 Windows binaries, now carrying anti-analysis code copied from GitHub. To mask its activity, the malware opens a decoy file, such as a Word document (.docx), a spreadsheet (.xlsx) or a video (.mp4), while the stealer runs in the background.

WithSecure also identified several multi-stage variants of Ducktail that would deliver the main information stealer as a final payload. These include an Excel add-in file (.xll) and a .NET downloader.

To evade detection, the threat actor signs the malware with extended validation (EV) code-signing certificates and, when one is revoked, has been observed swapping in a new certificate mid-campaign.
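The revocation detail above points to a check a defender can run locally: enumerate executables and Excel add-ins, read their Authenticode signer, and ask the certificate chain whether the signing certificate has since been revoked. The PowerShell below is an added example written for this article, not WithSecure tooling or code from the Ducktail samples; the scan path is a placeholder, the file extensions are an assumption based on the stages the article mentions, and the CRL/OCSP lookup needs network access to the CA.

```powershell
# Added hunting example (not the article's or WithSecure's code).
# Lists signed binaries whose Authenticode status is not Valid or whose
# signing certificate chain reports a problem such as Revoked.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and outbound
# access for CRL/OCSP checks. $ScanRoot is a hypothetical default.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads"
)

# .xll is included because the article mentions an Excel add-in stage.
$extensions = '*.exe', '*.dll', '*.xll'

function Get-ChainState {
    # Builds the signer's chain with online revocation checking and returns
    # 'OK' or a comma-joined list of X509ChainStatusFlags that were raised.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $null = $chain.Build($Cert)
    $flags = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
    $chain.Reset()

    if (-not $flags) { return 'OK' }
    return ($flags -join ',')
}

Get-ChildItem -Path $ScanRoot -Recurse -Include $extensions -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate

        [pscustomobject]@{
            File      = $_.FullName
            SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Subject   = if ($signer) { $signer.Subject } else { '' }   # includes O= and C= of the buyer
            Issuer    = if ($signer) { $signer.Issuer }  else { '' }
            NotBefore = if ($signer) { $signer.NotBefore } else { $null }
            Chain     = if ($signer) { Get-ChainState -Cert $signer } else { 'unsigned' }
        }
    } |
    # Keep only files that fail signature validation or whose chain is not clean.
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Chain -ne 'OK' } |
    Format-Table -AutoSize
```

Read the Chain column with Authenticode semantics in mind: a timestamped signature made with a certificate that has since expired is still a valid signature, so NotTimeValid on its own is not suspicious, whereas Revoked means the CA has withdrawn the certificate (the case the article describes), RevocationStatusUnknown or OfflineRevocation means the CRL/OCSP lookup could not complete, and a SigStatus of HashMismatch means the file was altered after signing. The Subject field shows the organization and country attributes of the purchasing entity, which is worth comparing against who you expect to be signing software on your endpoints.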

While Telegram continues to be used for C&C, the threat actor has attached multiple administrator accounts to its Telegram channels, which suggests it may be running an affiliate program as part of its expansion, WithSecure says.

Code signing certificates have been acquired via businesses registered in Vietnam, with seven such firms identified to date. The first of these was registered in 2017, but it made the first certificate purchase only in 2021.

While investigating Ducktail incidents, WithSecure discovered that some victims were targeted with archive files via WhatsApp. When the victim lacked sufficient permissions to add the attackers’ email address to the intended Facebook business account, the adversary gathered enough information to impersonate the victim and achieve their objective via hands-on activity.

“One of these hands-on incidents involved a victim operating entirely within the Apple ecosystem that had not logged on to their Facebook account from any Windows machine. The initial vector for this incident has been left undetermined due to insufficient evidence. The investigation found no sign of malware usage or host compromise across user devices,” WithSecure says.

The cybersecurity firm estimates that the financial losses caused by Ducktail range between $100,000 and $600,000, depending on the victim.

Related: New Ducktail Infostealer Targets Facebook Business Accounts via LinkedIn

Related: New Infostealer Malware ‘Erbium’ Offered as MaaS for Thousands of Dollars

Related: New Vidar Infostealer Campaign Hidden in Help File

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
