The new Ducktail campaign victimises LinkedIn professionals

Ducktail Phishing Campaign Victim LinkedIn Professionals Fraudsters

LinkedIn professionals have become the newest target of threat actors that leverage the job hunting platform in their attacks. Dubbed ‘Ducktail,’ experts explained that the attackers victimise their targets to hack their Facebook business accounts that manage advertising for their companies.

The Ducktail campaign has a specialised scope of targets since the attackers have to carefully select their victims, specifically those with administrator privileges on their company’s social media accounts like Facebook.

According to the researchers, they had been eyeing a Vietnam-based threat actor since 2021 that could have been associated with the new campaign, whose malicious activities were tracked as far as 2018. The perpetrator of this LinkedIn scheme contacts an employee that likely has a Facebook business account access.


The Ducktail operators typically use social engineering tactics to deceive victims into downloading a malicious file hosted via a cloud application.


The downloaded archive encloses a JPEG image which displays information relevant to the threat actor and its victim’s discussion. Additionally, the archive holds a separate PDF file that holds the malicious executable payload.

Once opened by the victim, the PDF file will launch a [.]NET-based malware containing all required dependencies that could run on any operating system. Upon running inside the victim’s compromised machine, the malware will immediately search for session cookies on any existing browsing applications, such as Edge, Firefox, and Google Chrome, until it locates the victim’s Facebook credentials.

The objective of the malware is to collect multiple access tokens from the corporate Facebook pages and use them for uninterrupted endpoint interaction for their next attack stages. The collected data include session cookies, IP addresses, account data, MFA codes, and geolocations. This information is vital for the attackers to use as they continue the operation from their machines.

Further details on the attack revealed that the attackers do not only steal data from the corporate Facebook pages but also hijack the entire account so they can access it in full control. As they were able to hijack the accounts, they would replace the financial details, redirecting clients’ payments onto their banking accounts instead.

Security experts believe that the threat operators of the Ducktail campaign are financially motivated entities, focusing on a sector that would take some time before detecting the attack.

About the author

Leave a Reply