Keypoints
- Primary distribution is LinkedIn social engineering: fake recruiter profiles and promoted job posts lure marketing professionals to download infected archives.
- Infection chain: victim downloads an archive, extracts and opens a camouflaged executable or shortcut (.exe, .lnk) which launches the payload.
- Common payloads are large .NET executables (≈70 MB) with fake Office/PDF icons and decoy documents; other variants include .lnk/PowerShell, .scr, Excel add-ins, and browser extensions.
- Threat actors host malicious archives on public cloud services (iCloud, Google Drive, Dropbox, OneDrive, Transfer.sh) and Trello, and use Rebrandly (and custom domains) to shorten/disguise links.
- Post-compromise actions include cookie theft to access Facebook/TikTok/Google Ads, adding attacker emails, changing passwords/recovery, enabling Facebook Encrypted Notifications, and using residential proxies to evade detections.
- Command-and-control and exfiltration commonly use Telegram (bots and API), and stolen accounts are sold via Vietnamese Telegram underground markets using business-manager invites, credentials, or exported cookies.
MITRE Techniques
- [T1204.001] User Execution: Malicious Link – Used when victims execute a shortcut (.lnk) file to start the infection. Quote: (‘User executes the shortcut .lnk file’)
- [T1204.002] User Execution: Malicious File – Victims run compressed/executable files extracted from archives. Quote: (‘User executes the attached compressed/executable file’)
- [T1027.001] Obfuscated Files or Information: Binary Padding – Binaries are inflated to avoid sandbox detection. Quote: (‘Binary inflated in order to avoid sandboxing’)
- [T1036.005] Masquerading: Match Legitimate Name or Location – Malware uses fake Office/PDF icons and drops binaries into legitimate paths to masquerade as benign files. Quote: (‘Drops malicious binaries into legitimate paths’)
- [T1057] Process Discovery – Payload checks for known security/analysis tools on the host. Quote: (‘Checks for well known security software analysis tools’)
- [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Stolen data and session artifacts are exfiltrated via Telegram API/cloud services. Quote: (‘Telegram API used to exfiltrate user data’)
- [T1070.006] Indicator Removal: Timestomp – Attackers tamper with PE timestamp headers to hinder forensic timelines. Quote: (‘PE’s Timestamp header value are tampered’)
Indicators of Compromise
- [Domains] Fake and hosting sites used to serve malware and spoof brands – adplexitydesk[.]tech, newguide[.]tech, and ~80 other domains listed in the report
- [File types/names] Malicious delivery artifacts and payloads – .lnk shortcuts (used to kick off infections), .exe (.NET executables with fake icons), .scr, and double-extension lure files like .pdf.lnk or .docx.scr
- [Cloud hosting locations] Public cloud/file-hosting contexts used to store malicious archives – iCloud URLs, Google Drive links, Dropbox/OneDrive, Transfer.sh, and Trello card attachments
- [URL shortener/custom domains] Shortened and custom domain redirectors used to disguise downloads – Rebrandly (rebrand.ly) links and custom TLD domains (e.g., marketingagency[.]social, adplexitydesk[.]tech)
- [Code-signing certificates] Signed binaries – valid code-signing certificates belonging to Vietnamese publishers observed on some payloads
DuckTail uses a consistent social-engineering delivery flow: actors create promoted LinkedIn job posts and recruiter profiles (sometimes compromised legitimate accounts) to message targets and provide download links. Victims are instructed to download an archive hosted on cloud services or Trello; after extracting, they are guided to double-click an executable or open a shortcut (.lnk) that executes embedded PowerShell or drops a .NET binary. To increase success, actors include decoy documents or instructional videos in the archive and frequently wrap payloads in large binaries (≈70 MB) with fake Office/PDF icons to masquerade as legitimate job materials.
Payloads are primarily .NET executables but also include Excel add-ins and browser extensions; common techniques observed include binary padding (to evade sandboxing), masquerading by placing binaries in expected locations, and process discovery to detect analysis environments. Communication and exfiltration leverage Telegram (bots and the Telegram API) for C2 and data transmission. Hosting and distribution patterns include iCloud, Google Drive, Dropbox, OneDrive, Transfer.sh, Trello attachments, and Rebrandly-shortened links or attacker-registered custom domains to hide the true download source.
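A defender-side triage check for three of the traits described above (double-extension lure names such as .pdf.lnk or .docx.scr, inflated executables in the ~70 MB range, and a PE compile timestamp later than the file was first seen), written here as an added example and not code from the Zscaler report; the 50 MB threshold, the file names and the minimal PE bytes are constructed assumptions.

```python
"""Triage of DuckTail-style lure files (added example; all inputs below are constructed)."""
import struct
from datetime import datetime, timezone

LURE_DOC_EXTS = {".pdf", ".docx", ".xlsx", ".pptx"}   # decoy "document" extensions
EXEC_EXTS = (".exe", ".lnk", ".scr")                    # real extension that actually runs
PADDING_THRESHOLD = 50 * 1024 * 1024                    # assumption: far too big for a job brief
FIRST_SEEN = datetime(2023, 5, 1, tzinfo=timezone.utc)  # constructed first-seen time

def double_extension(name: str) -> bool:
    """True for names like 'JobDescription.pdf.lnk' (document ext followed by executable ext)."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in LURE_DOC_EXTS and "." + parts[2] in EXEC_EXTS

def pe_timestamp(data: bytes):
    """Return the COFF header TimeDateStamp as a UTC datetime, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew -> 'PE\0\0'
    if len(data) < pe_off + 12 or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    ts = struct.unpack_from("<I", data, pe_off + 8)[0]               # after signature, Machine, NumberOfSections
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def triage(name: str, size: int, data: bytes, first_seen: datetime) -> list:
    findings = []
    if double_extension(name):
        findings.append("double-extension lure name")
    if size >= PADDING_THRESHOLD and name.lower().endswith(EXEC_EXTS):
        findings.append("oversized executable (possible binary padding)")
    ts = pe_timestamp(data)
    if ts is not None and ts > first_seen:                           # compiled "after" it was seen
        findings.append("PE timestamp after first-seen (possible timestomp)")
    return findings

def build_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal PE: MZ stub, e_lfanew=0x40, then 'PE\0\0' and a 20-byte COFF header."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(hdr) + b"PE\0\0" + coff

def run_samples() -> dict:
    samples = [  # constructed files; sizes are file-system sizes, not len(data)
        ("JobDescription_Marketing.pdf.lnk", 2_048, b"L\x00\x00\x00", FIRST_SEEN),
        ("Brand_Guidelines.docx.exe", 72 * 1024 * 1024, build_fake_pe(1893456000), FIRST_SEEN),  # 2030-01-01
        ("quarterly_report.pdf", 310_000, b"%PDF-1.7", FIRST_SEEN),
    ]
    return {name: triage(name, size, data, seen) for name, size, data, seen in samples}
```

On a real archive the same checks run over the extracted entries, with `first_seen` taken from the mail gateway or proxy log that recorded the download.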
After execution the malware harvests saved browser session cookies and other account artifacts, which enables direct takeover of Facebook, TikTok Business, and Google Ads accounts. Post-compromise control actions include adding attacker-controlled email addresses, changing account passwords and recovery settings, enabling Facebook’s Encrypted Notifications to block recovery emails, and using residential proxy services to perform logins from plausible geolocations. Compromised accounts (or exported cookies and credentials) are then transferred or sold in Vietnamese-language underground markets; transfer methods include Business Manager invites, direct credentials, or exported browser cookies, the last of which preserves long-term access without a password.
Read more: https://www.zscaler.com/blogs/security-research/look-ducktail