Monday, May 12, 2025
HomeCyber AttackDucktail Operation - Hackers May Steal Your Credentials From Web Browser

Ducktail Operation – Hackers May Steal Your Credentials From Web Browser

Published on

SIEM as a Service

Follow Us on Google News

WithSecure Labs, researchers uncovered a cyber operation named Ducktail in July 2022, where threat actors employed information-stealing malware to specifically target marketing and HR professionals with spear-phishing campaigns through LinkedIn direct messages, focusing on individuals and employees with potential access to Facebook business accounts.

The Ducktail campaign can compromise Facebook business accounts and misuse the ad feature for malicious advertising. While along with Facebook, LinkedIn is also now actively targeted by threat actors for cybercriminal activities. 

Trend Micro’s Managed XDR team in March 2023 found a file that collects user data and connects to Facebook and Telegram domains during their investigation of Ducktail-related incidents.

- Advertisement - Google News
Operation Ducktail

How the Attackers Trick Victim

The sample file’s name, referencing a marketing director job opening, appears specifically tailored to attract marketing professionals by hinting at a higher leadership position.

Although the exact delivery method of these links to the target is uncertain, the historical use of LinkedIn messages by Ducktail suggests it as a potential means.

Experts determined the contents and source of the archive by examining the file name, and upon investigating the domain, they discovered that the malicious file was hosted on Apple’s iCloud service, although the URL is currently inactive.

Upon analyzing the created processes, security researchers identified three, including separate processes for Microsoft Edge and Google Chrome, which collect the victims’ IP addresses and geolocation data.

Here below, we have mentioned the arguments that are used in these processes:-

  • –headless
  • –disable-gpu
  • –disable-logging
  • –dump-dom

The last process is used to open a PDF file, and the complete details about the fake job are embedded inside this PDF. 

The malware operates by extracting browser credentials and acquiring Facebook-related information. At the same time, victims read the spawned PDF file, storing it in a temporary text file before exfiltrating it using Telegram every 10 minutes.

Due to the frequent use of social engineering lures by contemporary threat actors, both individuals and organizations need to exercise caution when opening links or downloading files from unknown sources, regardless of whether they are delivered through renowned social media platforms or means like:-

  • LinkedIn
  • Facebook
  • Email

Security Recommendations

Here below, we have mentioned all the best security practices that could help users mitigate spear-phishing attacks:-

  • Beware of unexpected emails; exercise caution.
  • Always verify the sender’s identity before opening attachments from unknown sources.
  • Avoid suspicious links, especially from unknown or suspicious sources.
  • Educate employees on spear phishing to recognize and avoid it.
  • Enable multi-factor authentication for added security.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...