
Ducktail Malware Exploits LinkedIn to Hack Facebook Business Accounts

Ducktail malware targets users and organizations on Facebook Business and Ads platform in this financially motivated malicious new campaign.

WithSecure (previously F-Secure) researchers have revealed details of a new spear phishing campaign targeting Facebook business accounts. The campaign has been active since at least July 2021.

The attack, according to researchers, relies on an infostealer dubbed Ducktail that is designed to steal browser cookies for authenticated Facebook sessions along with information from the Facebook account. The objective is to hijack every business account the victim can access.

Who are the Targets of Ducktail?

According to WithSecure, Ducktail malware targets those “individuals and organizations” using Facebook Ads and Business services. People involved in digital marketing, managerial jobs, human resources, and digital media are the prime targets.

The modus operandi of the campaign involves attackers locating targets through LinkedIn and delivering malware to them. WithSecure researcher Mohammad Kazem Hassan Nejad, who wrote the report, stated that most of the spear phishing in this campaign targets people via LinkedIn.

“If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with.”

Mohammad Kazem Hassan Nejad – WithSecure

Who’s the Attacker?

Researchers are confident that a Vietnam-based threat actor conducts this financially driven campaign. They detected the campaign earlier in 2022 and believe there is no specific sector or geographic target at the moment. The malware has been continuously updated and modified since the second quarter of 2021, while the threat actor itself has been active since 2018.

How does the Scam work?

According to WithSecure’s report, malware samples were hosted on cloud services such as MediaFire, iCloud, and Dropbox. The malware is delivered to the targeted individuals through LinkedIn, as people active there usually have Facebook business accounts.

Ducktail malware hosted on iCloud (Image: WithSecure)

Ducktail malware is written in .NET Core and compiled as a single file, so its binary can run regardless of whether the .NET runtime is installed on the victim’s computer. The attacker uses Telegram for C&C by embedding the Telegram.Bot client and other external dependencies in that one executable.

Ducktail ensures that only a single instance runs at any time and keeps scanning for installed browsers to identify their cookie paths. It collects general system information and steals Facebook-related data, which is then exfiltrated to Telegram in several scenarios, such as after the hijacking, when the code loop completes, or when the process crashes or exits.

Ducktail’s newer versions run an infinite loop in the background that continuously exfiltrates fresh data and cookies from the victim’s Facebook account. The stolen session is used to interact with the account and add an attacker-controlled email address with admin access and finance editor roles.

That’s how the attacker gets full control over the account and edits business credit cards or other financial details such as transactions, payment methods, etc.
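The two behaviours described above, a process reading browser cookie stores and the same process talking to Telegram for C&C, are each benign on their own but suspicious together. The following added example (not code from the WithSecure report) correlates them across constructed endpoint telemetry; the log format, process names, and sample lines are all assumptions made up for the demonstration, while the cookie store paths and the Telegram API host are real.

```python
# Added example: flag processes that both read a browser cookie store and
# connect to the Telegram API. Log format, process names and sample lines
# are constructed for this demo; cookie paths and the Telegram host are real.
import re

# Cookie store paths used by Chromium-based browsers and by Firefox.
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.IGNORECASE),  # Chrome, Edge, Brave
    re.compile(r"\\Profiles\\[^\\]+\\cookies\.sqlite$", re.IGNORECASE),      # Firefox
]
TELEGRAM_API_HOST = "api.telegram.org"  # host contacted by Telegram bot clients

# Constructed telemetry: "<event> pid=<n> proc=<name> <key>=<value>"
SAMPLE_LOG = """\
file_read pid=4120 proc=chrome.exe path=C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies
net_connect pid=4120 proc=chrome.exe host=www.facebook.com
file_read pid=7788 proc=JobDescription.exe path=C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies
file_read pid=7788 proc=JobDescription.exe path=C:\\Users\\ana\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\cookies.sqlite
net_connect pid=7788 proc=JobDescription.exe host=api.telegram.org
net_connect pid=9001 proc=Telegram.exe host=api.telegram.org
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<event>\w+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) (?P<key>\w+)=(?P<value>.+)$")

def parse_events(text):
    """Yield one dict per well-formed telemetry line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_suspects(text):
    """Return {pid: proc} for processes that both read a browser cookie store
    and connected to the Telegram API. A browser reading its own cookies or a
    chat client talking to Telegram alone does not trigger an alert."""
    reads_cookies, talks_telegram, names = set(), set(), {}
    for ev in parse_events(text):
        pid = int(ev["pid"])
        names[pid] = ev["proc"]
        if ev["event"] == "file_read" and any(p.search(ev["value"]) for p in COOKIE_STORE_PATTERNS):
            reads_cookies.add(pid)
        elif ev["event"] == "net_connect" and ev["value"].lower() == TELEGRAM_API_HOST:
            talks_telegram.add(pid)
    return {pid: names[pid] for pid in sorted(reads_cookies & talks_telegram)}

if __name__ == "__main__":
    for pid, proc in find_suspects(SAMPLE_LOG).items():
        print(f"ALERT pid={pid} proc={proc}: cookie store read + Telegram API connection")
```

On the sample log only the constructed JobDescription.exe process is reported; chrome.exe reads its own cookies and Telegram.exe only contacts the API, so neither alone is flagged.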

Ducktail operation (Image: WithSecure)

Protection from Ducktail Malware

The best way to protect yourself from Ducktail malware is to be vigilant about opening emails and attachments from unknown senders and to avoid clicking links in email messages.

Avoid clicking links or downloading attachments sent by anonymous users through the LinkedIn chat feature or Facebook Messenger. You should also always use strong passwords and two-factor authentication whenever possible.

You should also keep your device updated with the latest security patches to reduce your risk of being infected with Ducktail or any other malware.



I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. I am also into gaming, reading and investigative journalism.
