Ducktail

Malware Profile Updated 3 months ago
Ducktail is malware first observed in 2022 and built specifically to target Facebook Business accounts. It was discovered by Zscaler, a leading cybersecurity firm, and is suspected to originate from threat actors based in Vietnam. Beyond infiltrating systems, Ducktail can automatically create and publish fraudulent ad campaigns, and if it locates a Facebook Business account session cookie, it attempts to add the attacker to the account as an administrator. Ducktail's use in cyber-attacks became more pronounced in July, when threat actors began infecting the devices of individuals and employees with access to Facebook Business accounts. These attacks were not limited to Ducktail: other malware samples, including DarkGate, Lobshot, and RedLine, were used in the same campaigns. The same threat actors are believed to be behind NodeStealer, another malware family that targets Facebook Business accounts for advertising fraud and for spreading malware to other users of the platform. The emergence of Ducktail and similar malware reflects a growing trend of Vietnamese threat actors exploiting social media platforms for cybercrime; the trend has escalated to the point where DarkGate is now sold as Malware-as-a-Service (MaaS) on various cybercrime forums. Cybersecurity firms such as WithSecure and Sekoia have published detailed reports on these threats, highlighting their automated nature and the increasing sophistication of contemporary malware.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Facebook
Malware
Infostealer
Meta
Cybercrime
Phishing
Kaspersky
Fraud
WhatsApp
Chrome
Exploits
Telegram
Skype
Antivirus
Cisco
Downloader
Exploit
Loader Malware
Dropper
Windows
Iran
Zscaler
Outlook
MaaS
India
Reconnaissance
Associated Malware
ID | Type | Votes | Profile Description
Darkgate | Unspecified | 5 | DarkGate is a malicious software (malware) that poses significant threats to computer systems and data. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hos
nodestealer | Unspecified | 5 | NodeStealer, a novel malware family first identified by Meta's security team in January 2023, is designed to exploit Meta's ad network on Facebook and poses a significant threat to user privacy and security. This malicious software operates as an info-stealer capable of hijacking browser cookies and
Redline | Unspecified | 2 | RedLine is a malware designed to exploit and damage computer systems by stealing personal information, disrupting operations, or even holding data hostage for ransom. It has been identified as a favorite infostealer among threat actors selling logs through the marketplace 2easy, which also sells Rac
Lobshot | Unspecified | 2 | Lobshot is a stealthy remote access malware that has been used by cybercriminals, notably Russian threat actors, in various malicious campaigns. It was featured alongside other well-known malware samples like DarkGate infostealer, Ducktail, and Redline in deceptive campaigns where it was embedded in
Redline Stealer | Unspecified | 2 | RedLine Stealer is a type of malware that has been causing significant disruption in the digital landscape. This malicious software infiltrates computer systems, often without the user's knowledge, via suspicious downloads, emails, or websites, and then proceeds to steal personal information, disrup
Associated Threat Actors
ID | Type | Votes | Profile Description
TA577 | Unspecified | 1 | TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicall
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Ducktail Darkgate | Unspecified | 1 | None
Source Document References
Information about the Ducktail malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 9 months ago | Vietnamese Hackers Hit Digital Marketers With Info Stealers
CERT-EU | a year ago | New NodeStealer Targeting Facebook Business Accounts and Crypto Wallets
CERT-EU | 8 months ago | DarkGate Gained Popularity for its Covert Nature and Antivirus Evasion
CERT-EU | 8 months ago | DarkGate Internals
Secureworks | a year ago | The Growing Threat from Infostealers
CERT-EU | 9 months ago | Vietnamese hackers attack UK, US and India with DarkGate malware
CERT-EU | 9 months ago | Vietnamese threat actors linked to DarkGate malware campaign
CERT-EU | 9 months ago | Fake Corsair job offers on LinkedIn push DarkGate malware
CERT-EU | 9 months ago | Vietnamese Hackers Target U.K., U.S., and India with DarkGate Malware
CERT-EU | 9 months ago | Hackers target US Facebook biz accounts with potent malware cocktail
BankInfoSecurity | 9 months ago | Vietnamese Hackers Hit Digital Marketers With Infostealers
CERT-EU | 9 months ago | DarkGate attacks linked to Vietnam-based cyber criminals – Global Security Mag Online
CERT-EU | 9 months ago | DarkGate Malware Campaigns Linked to Vietnam-Based Cybercriminals
CERT-EU | 9 months ago | Researchers uncover DarkGate malware's Vietnamese connection - Help Net Security
Checkpoint | a year ago | BYOS - Bundle Your Own Stealer - Check Point Research
CERT-EU | a year ago | Hackers continue to distribute malware through hacked verified pages on Facebook
CERT-EU | a year ago | Criminals target businesses with malicious extension for Meta's Ads Manager and accidentally leak stolen accounts
CERT-EU | a year ago | Python versions of stealer malware discovered targeting Facebook business accounts
Securityaffairs | a year ago | Facebook warns of new information-stealing malware NodeStealer
BankInfoSecurity | 9 months ago | Vietnamese Hackers Hit Digital Marketers With Info Stealers