A Vietnam-based cybercrime operation named Ducktail is continuously evolving and expanding its operations against individuals and companies operating on Facebook's Ads and Business platform.

The recent changes

WithSecure researchers have published an advisory about new developments of the Ducktail infostealer. The recent campaigns feature new tricks to spear-phish targets via WhatsApp.
  • Since early September, the attackers have been using a new malware variant compiled with the .NET 7 NativeAOT feature but based on the same code base as before.
  • In October, the attackers switched back to self-contained .NET Core 3 Windows binaries that contain anti-analysis code copied from GitHub to avoid detection. The malware also features a more robust method of obtaining attacker-controlled email addresses from its C2 server.
  • Developers have made the malware look more legitimate by having it launch dummy files, such as a document, spreadsheet, or video, to hide its malicious intent. Moreover, the operators have relatively increased the size of their operational team.

Additional enhancements

Researchers have identified several multi-stage variants of Ducktail, including an Excel add-in file (.xll) and a .NET downloader. These variants deliver the main information stealer as a final payload.
  • The attackers have been signing the malware with EV (extended validation) certificates to evade detection, and switching to new certificates in the middle of the campaign after the earlier ones were revoked.
  • The group has set up fake businesses in Vietnam for resource development and operational expansion. To date, seven such firms have been identified in connection with code-signing certificates.
  • The group uses Telegram for C2; however, it has associated multiple administrator accounts with its Telegram channels to onboard affiliates into the operation.

Attack tactics

  • Researchers noted some incidents in which victims were sent archive files over WhatsApp. The initial vector for the campaigns cannot be determined due to insufficient evidence.
  • However, when the attackers failed to add their email address to the intended Facebook business account because they lacked sufficient permissions, they gathered enough information to impersonate the victim and achieved their objective via hands-on activity.

The group is financially motivated and has caused losses ranging between $100,000 and $600,000, depending on the victim.


Ducktail has been adopting advanced, continuously changing defense evasion methods by altering the file format, compilation, and countersigning certificates. With the increased activity, new affiliates, and fake businesses, it can cause substantial financial and reputational damage in the foreseeable future. Researchers recommend that organizations ensure their employees have separate accounts for personal and business purposes.
Cyware Publisher