Tuesday, May 20, 2025
HomeCyber AttackDUCKTAIL Malware Employs LinkedIn Messages to Execute Attacks

DUCKTAIL Malware Employs LinkedIn Messages to Execute Attacks

Published on

SIEM as a Service

Follow Us on Google News

LinkedIn messages were used as a way to launch identity theft attacks in a malicious campaign that Cluster25 detected. 

They send messages from hacked accounts with PDF files that look like job offers. But these files have links to dangerous websites that can steal your data.

Cluster25 is a cybersecurity firm that specializes in threat intelligence and incident response. They discovered this campaign by analyzing the malicious domains and URLs used by the attackers. 

- Advertisement - Google News

The hackers are using a type of malware called DuckTail, which can also take over your Facebook Business account. 

They are mainly targeting people who work in sales and finance in Italy.

How the Scam Works

The hackers send you a message from a hacked LinkedIn account with a PDF file with a job offer. For example, they might offer you a Senior Manager position at Electronic Arts (EA).

The PDF file has two links. One link takes you to a fake website that looks like EA’s website. It asks you to upload your resume and cover letter. 

The other link downloads a ZIP file from Microsoft OneDrive. The ZIP file has some video files and two files that look like Word documents but are malware.

malware files
malware files

The malware files are very hard to detect by antivirus software because they use a special technique called single-file application. They hide the malicious code inside other files of the application.

If you run the malware files, they will infect your computer and try to steal your information, such as cookies, session data, and browser credentials. 

They will also try accessing your Facebook Business account using the linked email.

Some hackers have made a fake DLL file that can spy on your web browser and send your data to them through Telegram. 

They trick you into running this file by sending you a PDF with a LinkedIn job offer.

The DLL file is made with Microsoft .NET and was created on September 18, 2023. It checks if there is another copy of itself running on your computer. 

If not, it makes a file with information about your computer, like your GUID and IP address. It also opens a PDF file with a job description to make you think everything is normal.

The DLL file then contacts the hackers through Telegram, using a BOT ID 6263348871. It sends them a message with your ChatID and some text. 

Then, it sends them ZIP files with your data using the /sendDocument API. The hackers have a configuration file with encryption keys, the Telegram Bot’s Token, the ChatID, and some email addresses.

The DLL file can steal cookies, session information, and saved credentials from web browsers like Microsoft Edge, Google Chrome, Brave Browser, and Mozilla Firefox. 

The hackers can use this data to pretend to be you online and access your accounts.

The DLL file also keeps running in the background, sending more data to hackers. 

It can also try to take over your Facebook Business account by sending links to email addresses from the configuration file. 

If you click on these links, the hackers might get access to your Facebook Business account.

This very dangerous and clever attack targets professionals who use LinkedIn. 

You should be careful about opening files or links from unknown sources and always use antivirus software to protect your computer.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

RedisRaider Campaign Targets Linux Servers by Exploiting Misconfigured Redis Instances

Datadog Security Research has uncovered a formidable new cryptojacking campaign dubbed "RedisRaider," specifically targeting...

Hackers Abuse TikTok and Instagram APIs to Verify Stolen Account Credentials

Cybercriminals are leveraging the Python Package Index (PyPI) to distribute malicious tools designed to...

Regeneron to Buy 23andMe for $256M Amid Growing Data Privacy Concerns

Biotechnology giant Regeneron Pharmaceuticals has emerged as the successful bidder in the bankruptcy auction...

CISA Includes MDaemon Email Server XSS Flaw in KEV Catalog

Cybersecurity and Infrastructure Security Agency (CISA) has added a cross-site scripting (XSS) vulnerability affecting...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

RedisRaider Campaign Targets Linux Servers by Exploiting Misconfigured Redis Instances

Datadog Security Research has uncovered a formidable new cryptojacking campaign dubbed "RedisRaider," specifically targeting...

Hackers Abuse TikTok and Instagram APIs to Verify Stolen Account Credentials

Cybercriminals are leveraging the Python Package Index (PyPI) to distribute malicious tools designed to...

Regeneron to Buy 23andMe for $256M Amid Growing Data Privacy Concerns

Biotechnology giant Regeneron Pharmaceuticals has emerged as the successful bidder in the bankruptcy auction...