Ducktail Malware Focuses on Targeting HR and Marketing Professionals

An Infostealer Malware Exploits Social Media Business Accounts of High-Position Individuals

DUCKTAIL is a financially motivated malware operation that targets individuals and businesses using a Social Media Business/Ads platform. The malware is attributed to Threat Actors (TAs) operating out of Vietnam, who have been actively developing and distributing it since the second half of 2021.

The malware is designed to extract browser cookies and abuse the victim’s live Social Media session to pull sensitive information out of the account. The end goal is to take over Social Media Business accounts that carry sufficient privileges; the TAs then use that access to run advertisements for their own financial gain.

Cyble Research and Intelligence Labs (CRIL) recently encountered malware files specifically targeting Marketing and HR professionals.

The figure below displays the filenames employed during this campaign.

Figure 1 – Malware filenames utilized in this campaign

The TA’s strategy involved identifying companies using Social Media’s Business/Ads platform and specifically focusing on individuals in managerial positions within the marketing and HR departments. These individuals held significant access to the Social Media Business platform within their respective organizations, making them prime targets.

The TAs focused on themes related to digital marketing projects, job descriptions, plans for various positions, and policy and salary information associated with companies in the Clothing, Footwear, and Cosmetics industries.

Initial Infection

TAs utilize popular file-sharing services such as Dropbox, Google Drive, and Microsoft OneDrive to host their malware. Their main approach involves employing social engineering tactics to entice victims into downloading and executing the malicious payload.

To initiate the attack, the TAs commonly deliver the initial payload as a ZIP archive. Note that we only obtained the download link and therefore cannot confirm how these links were delivered to the intended targets. Given Ducktail’s past behavior, LinkedIn messages are a plausible distribution method.

The Dropbox link below downloads a file named “Project Information And Salary Details At AVALON”.

  • hxxps[:]//www[.]dropbox[.]com/s/ng04kf3c1x1nya1/Project%20Information%20And%20Salary%20Details%20At%20AVALON%20ORGANICS[.]zip?dl=1
Figure 2 – Payload downloaded from Dropbox

The following image shows the contents of the zip archive: PNG/JPG images of beauty products alongside executable files disguised with Word/PDF icons.

Figure 3 – Contents of a zip archive file

The two executable files, namely ‘Performance Marketing Manager Salary and Benefits.exe’ and ‘The role of Performance Marketing Manager.exe’, specifically target Marketing professionals.

These files are the “Ducktail” payload. They carry Word/PDF icons so that victims mistake them for genuine document files; Windows Explorer hides the .exe extension by default, which makes the icon the only visible cue.
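The archive layout described above (decoy images plus executables with document-themed names) is easy to triage mechanically before anyone double-clicks. The script below is an added example written for this post, not code from the Ducktail samples or from CRIL: it builds a constructed archive that mirrors the described contents (the bytes are fabricated; only the leading "MZ" PE magic matters), then flags every entry that is executable by content or by name and records why. The lure vocabulary is an assumption drawn from the filenames in this campaign.

```python
import io
import os
import re
import zipfile
from typing import Dict, List

# Constructed sample archive mirroring the campaign's layout: product images
# plus executables carrying document-like names. All bytes are fabricated;
# only the leading "MZ" (Windows PE magic) is meaningful.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("images/lipstick.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        zf.writestr("images/serum.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        zf.writestr("Performance Marketing Manager Salary and Benefits.exe",
                    b"MZ" + b"\x90" * 126)
        zf.writestr("The role of Performance Marketing Manager.exe",
                    b"MZ" + b"\x90" * 126)
        # Double extension: Explorer hides the trailing .exe by default.
        zf.writestr("Salary Details.pdf.exe", b"MZ" + b"\x90" * 126)
        # A genuine OOXML document (zip container); must not be flagged.
        zf.writestr("Job Description.docx", b"PK\x03\x04" + b"\x00" * 64)
    return buf.getvalue()

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".dll", ".msi"}
DOCUMENT_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
# Assumed lure vocabulary, drawn from the filenames seen in this campaign.
LURE_WORDS = re.compile(
    r"salary|benefit|job|role|project|policy|marketing|description", re.I)

def triage_archive(data: bytes) -> List[Dict]:
    """Return one finding per entry that is executable by content or by name.

    Each finding lists its reasons so an analyst can see whether the entry is a
    PE hiding behind a document name, a double extension, or both.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(4)        # magic bytes only, never the whole payload
            stem, ext = os.path.splitext(os.path.basename(name))
            ext = ext.lower()
            inner_ext = os.path.splitext(stem)[1].lower()
            is_pe = head.startswith(b"MZ")
            executable = is_pe or ext in EXECUTABLE_EXT
            reasons = []
            if is_pe:
                reasons.append("pe_magic")
            if ext in EXECUTABLE_EXT:
                reasons.append("executable_extension")
            if is_pe and ext not in EXECUTABLE_EXT:
                reasons.append("extension_mismatch")   # PE renamed to .pdf etc.
            if inner_ext in DOCUMENT_EXT and ext in EXECUTABLE_EXT:
                reasons.append("double_extension")
            if executable and LURE_WORDS.search(stem):
                reasons.append("document_lure_name")
            if executable:
                findings.append({"name": name, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f["name"], "->", ", ".join(f["reasons"]))
```

Checking the magic bytes rather than trusting the extension is what catches a PE renamed to .pdf; checking the name catches the double-extension trick even when the content is not yet known. The same logic applies to the Project Information archive in Figure 3 once it is downloaded into a sandbox.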

Technical Details: Ducktail

The DUCKTAIL operation started in late 2021. The samples associated with it are written in .NET Core and compiled as a single-file executable that bundles the required libraries and files together with the main assembly.

Stealing Information

Upon execution, the malware scans the victim’s computer for installed browsers, specifically:

  • Google Chrome
  • Microsoft Edge
  • Brave Browser
  • Mozilla Firefox

After identifying the browsers, the malware extracts all stored cookies from each of them, including any Social Media session cookies that may be present.

Additionally, the malware reads the registry key HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet to retrieve each installed browser’s name, executable path, and icon path.
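What the cookie theft hands the attacker is easier to reason about with the artifact in front of you. The script below is an added example for this post, not Ducktail’s code and not a CRIL tool: it builds a constructed Chromium-style Cookies database (a subset of the real table schema, with plaintext values so it runs offline; real files keep the value DPAPI/AES-GCM protected in encrypted_value) and lists the cookies that were still usable at the moment of theft, which is exactly the set a responder must invalidate server-side. Host names and timestamps are fabricated.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Chromium stores expiry as microseconds since 1601-01-01 (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed "time of theft" used throughout the example.
SAMPLE_NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)

def to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def from_webkit(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)

# Constructed Cookies database using a subset of the real Chromium schema.
# The `value` column is filled only so the example runs; real browsers keep
# the secret in encrypted_value.
def build_sample_cookie_db(now: datetime) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, "
        "encrypted_value BLOB, path TEXT, expires_utc INTEGER, "
        "is_secure INTEGER, is_httponly INTEGER, last_access_utc INTEGER)")
    day = timedelta(days=1)
    rows = [
        (".socialmedia.example", "sess", "REDACTED", b"", "/",
         to_webkit(now + 30 * day), 1, 1, to_webkit(now)),
        (".socialmedia.example", "old_sess", "REDACTED", b"", "/",
         to_webkit(now - 1 * day), 1, 1, to_webkit(now - 5 * day)),
        # expires_utc == 0 marks a session cookie (valid until browser exit)
        (".ads.example", "ads_token", "REDACTED", b"", "/", 0, 1, 1, to_webkit(now)),
        (".news.example", "pref", "dark", b"", "/",
         to_webkit(now + 365 * day), 0, 0, to_webkit(now - 2 * day)),
    ]
    conn.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return conn

def exposed_sessions(conn: sqlite3.Connection, now: datetime) -> List[Dict]:
    """Cookies still usable at `now`, i.e. what a stealer run at that moment
    handed over. Expired cookies are dropped; persistent ones report their
    expiry so the responder knows how long the replay window is."""
    out = []
    cur = conn.execute(
        "SELECT host_key, name, expires_utc, is_secure, is_httponly "
        "FROM cookies ORDER BY host_key, name")
    for host, name, expires_utc, secure, httponly in cur:
        if expires_utc == 0:
            expiry = None
        else:
            expiry = from_webkit(expires_utc)
            if expiry <= now:
                continue
        out.append({
            "host": host,
            "name": name,
            "expires": expiry.isoformat() if expiry else "session",
            "httponly": bool(httponly),
            "secure": bool(secure),
        })
    return out

def hosts_to_invalidate(conn: sqlite3.Connection, now: datetime) -> List[str]:
    """Distinct hosts with live cookies exposed; each needs a server-side logout."""
    return sorted({c["host"] for c in exposed_sessions(conn, now)})

if __name__ == "__main__":
    conn = build_sample_cookie_db(SAMPLE_NOW)
    for c in exposed_sessions(conn, SAMPLE_NOW):
        print(c)
    print("invalidate:", hosts_to_invalidate(conn, SAMPLE_NOW))
```

Two points the listing makes concrete: HttpOnly and Secure flags do nothing against a stealer that reads the database from disk, and a password reset alone does not help, since the stolen session stays valid until the platform revokes it. Revoking active sessions on every host in the list is the remediation step that actually matters.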

Hijacking Social Media Business

The malware uses the victim’s Social Media session cookie and other harvested credentials to talk directly to the platform’s endpoints from the victim’s own computer and pull information out of the account. DUCKTAIL also checks whether two-factor authentication (2FA) is enforced and, if so, attempts to obtain the account’s recovery codes. Beyond session cookies, it collects access tokens, user agents, and IP addresses, details that help the TA reuse the session without tripping the platform’s anomaly checks.

Figure 4 – Hardcoded URL strings present in the malware

Ducktail typically reaches Business accounts through the personal Social Media accounts of the individuals who administer them. The malware then adds the TA’s hardcoded email address to the Social Media Business account, which hands the TA control of it. It also gathers victim details such as name, birthday, email address, and user ID.

Figure 5 – TA’s hardcoded email address

Exfiltration via Telegram

The TAs rely entirely on Telegram as their Command and Control (C&C) channel, using the Telegram Bot API to exfiltrate stolen data. DUCKTAIL’s malware component uses the Telegram.Bot client library for this purpose.

The code snippet below shows a function that uploads a file to a Telegram chat through the Bot API.

Figure 6 – Exfiltration via Telegram

Finally, the malware runs an infinite loop in the background so that exfiltration continues for as long as the process is alive.

Figure 7 – Infinite loop
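Because the C&C channel is the public Telegram Bot API and the background loop keeps calling it, the exfiltration leaves a recognisable trace in web proxy logs. The script below is an added example for this post, not a CRIL tool and not the malware’s code: it runs over a constructed proxy log (the client addresses, timestamps and bot token are all fabricated), pulls out every Bot API request with its token and method, and then measures the cadence per client and token so a steady, low-jitter interval stands out the way the malware’s loop would.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Bot API calls look like https://api.telegram.org/bot<TOKEN>/<method>.
# The token shape (numeric bot id, colon, 35-character secret) is stable enough
# to key on.
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>\w+)")
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed proxy log: "<ISO timestamp> <client> <verb> <url> <status>".
# The bot token and all addresses are fabricated.
PROXY_LOG = """\
2023-06-01T10:00:00Z 10.0.0.15 GET https://www.dropbox.com/s/abc123/Project%20Information.zip?dl=1 200
2023-06-01T10:00:31Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAF0123456789abcdefghijklmnopqrstuv/sendDocument 200
2023-06-01T10:01:01Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAF0123456789abcdefghijklmnopqrstuv/sendMessage 200
2023-06-01T10:01:31Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAF0123456789abcdefghijklmnopqrstuv/sendDocument 200
2023-06-01T10:02:00Z 10.0.0.22 GET https://web.telegram.org/k/ 200
"""

def parse_line(line: str) -> Dict:
    ts, client, verb, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "verb": verb, "url": url, "status": int(status)}

def find_bot_api_calls(log_text: str) -> List[Dict]:
    """Every request to the Bot API, with token and method extracted.
    Ordinary Telegram web/desktop traffic does not match and is ignored."""
    calls = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = BOT_CALL.search(rec["url"])
        if m:
            rec.update(token=m.group("token"), method=m.group("method"))
            calls.append(rec)
    return calls

def summarize_beacons(calls: List[Dict]) -> Dict[Tuple[str, str], Dict]:
    """Group calls by (client, token) and measure the cadence between them.
    A steady interval with low jitter matches a background exfiltration loop."""
    groups = defaultdict(list)
    for c in calls:
        groups[(c["client"], c["token"])].append(c)
    summary = {}
    for key, items in groups.items():
        items.sort(key=lambda c: c["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(items, items[1:])]
        summary[key] = {
            "count": len(items),
            "methods": sorted({c["method"] for c in items}),
            "exfil": any(c["method"] in EXFIL_METHODS for c in items),
            "mean_interval": statistics.mean(gaps) if gaps else None,
            "jitter": statistics.pstdev(gaps) if len(gaps) > 1 else 0.0,
        }
    return summary

if __name__ == "__main__":
    for (client, token), s in summarize_beacons(find_bot_api_calls(PROXY_LOG)).items():
        print(client, token[:12] + "...", s)
```

Two caveats for deployment. The token and method are only visible where the proxy decrypts TLS; without inspection you still see the api.telegram.org host (SNI or CONNECT target), which is enough to alert on from endpoints that have no business reason to talk to the Bot API. And the token extracted here is itself a blockable, shareable indicator: the malware carries it hardcoded (Figure 4), so the same value will surface in the sample’s strings.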


Ducktail is a purpose-built information stealer whose consequences range from privacy breaches to financial loss and identity theft. Its continual updates let it evade many of the Social Media platforms’ security measures, and it focuses specifically on advertising and business accounts. Because it can hijack Social Media accounts outright, DUCKTAIL is a significant threat to user privacy and to the security of Social Media Business accounts.

CRIL will continue to monitor the latest circulating phishing or malware strains, offering timely blogs that provide actionable intelligence to help users protect themselves against these well-known attacks.

Our Recommendations

  • Avoid downloading applications from unknown sources.
  • Use a reputed anti-virus and internet security software package on all connected devices, including PCs, laptops, and mobiles.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Update your passwords periodically, and revoke active sessions after a suspected compromise, since stolen session cookies remain valid until the platform invalidates them.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor network traffic for beaconing (in this campaign, to the Telegram Bot API) to detect and block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) solutions on employees’ systems.

MITRE ATT&CK® Techniques

Tactic             Technique ID   Technique Name
Execution          T1204          User Execution
Execution          T1047          Windows Management Instrumentation
Execution          T1059          Command and Scripting Interpreter
Defense Evasion    T1497          Virtualization/Sandbox Evasion
Defense Evasion    T1027          Obfuscated Files or Information
Credential Access  T1003          OS Credential Dumping
Discovery          T1057          Process Discovery
Discovery          T1012          Query Registry
Discovery          T1082          System Information Discovery
Discovery          T1083          File and Directory Discovery
Discovery          T1518.001      Security Software Discovery
Collection         T1005          Data from Local System

Indicators Of Compromise

Indicator | Indicator Type | Description
 | MD5, SHA1, SHA256 | Project Information And Salary Details At AVALON (ZIP archive)
 | MD5, SHA1, SHA256 | The role of Performance Marketing Manager.exe
 | MD5, SHA1, SHA256 | Performance Marketing Manager Salary and Benefits.exe
hxxps[:]//www[.]dropbox[.]com/s/ng04kf3c1x1nya1/Project%20Information%20And%20Salary%20Details%20At%20AVALON%20ORGANICS[.]zip?dl=1 | URL | Dropbox link to download payload