{
	"id": "3d57c181-21f2-48c9-840d-3044d575c408",
	"created_at": "2026-04-06T00:19:03.142235Z",
	"updated_at": "2026-04-10T03:24:29.684846Z",
	"deleted_at": null,
	"sha1_hash": "0cedfdea930f27c3f1c2966fa80238eebdbe3109",
	"title": "Vietnamese Information Stealer Campaigns Target LinkedIn Users | Duckport",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 277594,
	"plain_text": "Vietnamese Information Stealer Campaigns Target LinkedIn Users\r\n| Duckport\r\nPublished: 2026-04-02 · Archived: 2026-04-05 22:44:52 UTC\r\nFelipe Tarijon | November 1, 2023 | 8 minute read\r\nOur Threat Advisory Services Malware Analysis and Research Team (MART) recently found LinkedIn posts from\r\nprofessionals in Brazil warning about opening files sent by unknown recruiters as part of a fictional hiring\r\nprocess. According to the posts, the fake malicious recruiter instructed potential victims to open a PDF file which\r\nwas infected with a virus. Our team obtained these reported files from one of the victims and conducted a\r\nthorough analysis of the attack.\r\nThe viral malware is an information stealer targeting browser data such as credentials, cookies and browsing\r\nhistory. It also focuses on stealing data related to Facebook accounts, including Business accounts and Ads\r\ncampaigns. All the information is encrypted and exfiltrated via the Telegram API to a chat controlled by the attacker.\r\nAfter our investigation, we were able to link this campaign to the previously documented Duckport malware based\r\non many TTPs (Tactics, Techniques and Procedures) common in multiple campaigns involving this malware.\r\nAccording to The Hacker News, Duckport is operated by Vietnamese threat actors who leverage shared tooling\r\nand tactics to pull off fraudulent schemes, and it is a copycat of another threat called Ducktail.\r\nThe stolen data can only be retrieved from the Telegram chat by having the private key necessary for decrypting the\r\ndata. Therefore, it is possible that this malware is used by different threat actors under the malware-as-a-service\r\nmodel. 
These attacks were carried out by one of many social engineering lures used by this group to disseminate\r\nmalware, so it is safe to say this is a broader campaign not only targeting victims in Brazil, but all over the world.\r\nSocial Engineering and How Victims Get Infected\r\nThese campaigns start with fake job positions offered on LinkedIn that can occur in different ways. Our MART\r\nanalysts investigated two campaigns that ended up infecting machines with different versions of the same malware\r\nfamily.\r\nIn both campaigns, the victims received a PDF file that is not malware per se, but it entices the victim to download\r\na Microsoft OneDrive ZIP file that contains “more details” about the hiring process. In one of the campaigns, the\r\nPDF file’s metadata had its language set to vi-VN (Vietnamese) although its content was written in English.\r\nAs shown below, the ZIP file contains some files disguised as documents that are, in fact, executable files to\r\ntrigger the malicious behavior as pictured below.\r\nhttps://www.appgate.com/blog/vietnamese-information-stealer-campaigns-target-professionals-on-linkedin\r\nPage 1 of 9\n\nWhat to watch for\r\nBy default, Windows machines are configured to not display known file extensions. Because of that, targeted\r\nvictims may think the files are not executable (.exe) because they have icons related to PDF and documents like\r\nMicrosoft Excel. Depending on the fake document executed, it performs a different deceptive action while it\r\nexecutes the malicious actions in the background. The executable file “Brand_products_10_2023” disguised as a\r\nPDF, for example, downloads a legitimate PDF file from Dropbox that contains information about well-known\r\nbrands with which the candidate could supposedly choose to work.\r\nAll the executable files disguised as documents end up executing an embedded malware. 
Also, all of them get the\r\nDropbox URL from the online content-hosting domain “note.2fa.live.” During our analysis, we noticed that no\r\nantivirus engines flagged the files as malicious when they were first submitted to VirusTotal. Some days later,\r\nonly two antivirus engines flagged one of them as malware.\r\nMalware capabilities\r\nWe were able to analyze the malware source code and reproduce its data exfiltration behavior to understand how it\r\nworks from the attacker’s perspective. It all starts with the main function. The malware needs to check that it is not\r\nbeing executed more than once. To ensure that, it creates a Mutex whose name changes on every campaign (e.g.,\r\n“ABANDONMT,” “ICollectVASD”).\r\nA mutual exclusion (mutex) prevents simultaneous access to a shared resource. According to SANS, malicious\r\nsoftware often uses mutex objects for the same purpose as legitimate software. Furthermore, malware might use\r\na mutex to avoid reinfecting the host.\r\nAdditionally, the source code contains several modules executed by the main function, and every string used by\r\nthe malware is encrypted with AES in CBC mode. All encrypted strings have the following format:\r\nThe key and the string are separated by a dot used for retrieving the decrypted string.\r\nAfter decrypting all the strings, we gained a better understanding of the malware’s source code. We noticed that\r\nthere were a lot of strings related to Meta’s Facebook APIs such as:\r\n“business.facebook.com”\r\n“graph.facebook.com”\r\n“adsmanager-graph.facebook.com”\r\nThe malware has many different modules that are executed altogether. 
We summarize them below because they\r\ncomprise many different files and sub-modules.\r\nPersistence mechanism\r\nFirst, the malware copies itself to the %LOCALAPPDATA% folder and renames it with the machine’s generated\r\nUUID (Universally Unique Identifier). To achieve persistence and execute itself every time the machine starts, the\r\nmalware adds its path to the Registry key: \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\".\r\nCaching mechanism\r\nThis module can store and retrieve information about the machine using a JSON file. The file is stored in the\r\nWindows TEMP folder with the name “ic” + a number that identifies the campaign version. Examples:\r\n\"%TEMP%/ic303\"\r\n\"%TEMP%/ic300\"\r\nThe information stored in the JSON file comprises:\r\nGUID: Globally unique identifier\r\nRT: Stands for “Ran Times,” the number of times that the malware was executed\r\nCLIENT_IP: IP address retrieved from https://www.whatismybrowser.com/detect/what-is-my-ip-address\r\nCLIENT_ADDRESS: IP address location retrieved from https://www.whatismybrowser.com/detect/ip-address-location\r\nPROFILE_UID_: Used by the Facebook stealer module\r\nUA_PROCESS_: Used by the Facebook stealer module\r\nSOCIAL_PROFILE_: Used by the Facebook stealer module\r\nExample of the JSON file before the malware steals the social media data:\r\n{\"RT\":\"1\",\"GUID\":\"CF5D9969\",\"CLIENT_ADDRESS\":\" \u003cREDACTED\u003e \",\"CLIENT_IP\":\"\u003cREDACTED\u003e\"}\r\nInformation stealing capabilities\r\nThis malware family focuses on collecting social media-related data and browser data. 
The social media-related\r\ndata is collected by interacting with several other sub-modules that will retrieve different kinds of information\r\nfrom the following URLs:\r\nhttps://www.facebook.com/adsmanager/manage/campaigns\r\nhttps://business.facebook.com/adsmanager/manage/accounts\r\nhttps://graph.facebook.com/v17.0/me/businesses?fields={0}\u0026limit=50\u0026access_token={1}\r\nIt can also manipulate Ads campaigns by setting up threat actor-controlled email addresses as administrator of the\r\ncampaigns. The emails are retrieved from the malware’s configuration stored in its resources. It targets the\r\nfollowing browsers to steal data:\r\nMicrosoft Edge\r\nGoogle Chrome\r\nBrave\r\nMozilla Firefox\r\nIt decrypts and queries the browsers' data using an SQLite library to get information like credit card data, cookies,\r\ndownloads history, browsing history and saved credentials. 
Below are all the SQL queries that the malware\r\nperforms in the browsers’ databases:\r\nSELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards\r\nselect name, path, expires_utc, is_secure, is_httponly, host_key, encrypted_value, top_frame_site_key, samesite, has_expires from cookies\r\nselect name, path, expires_utc, is_secure, is_httponly, host_key, encrypted_value, samesite, has_expires from cookies\r\nselect name, path, expiry, isSecure, isHttpOnly, host, value, sameSite from moz_cookies\r\nSELECT current_path, end_time, referrer, tab_url, tab_referrer_url, mime_type FROM downloads order by end_time desc\r\nSELECT url, title, last_visit_time FROM urls WHERE id =\r\nSELECT url FROM visits order by visit_time desc\r\nSELECT action_url, username_value, password_value FROM logins order by date_password_modified desc\r\nData exfiltration\r\nThe MainExporter module is responsible for sending all the victim’s data to the attacker via Telegram\r\n(https://api.telegram.org/). It encrypts and compresses all the data into ZIP archives. The malware can send the\r\nfollowing data:\r\nBrowser data (cookies, credit cards, credentials, downloads, and browsing history)\r\nProcesses running on the machine\r\nUser agent\r\nLog information generated during malware execution\r\nIP address\r\nFacebook accounts\r\nFacebook personal information like email, name, date of birth, and phone\r\nOther consolidated information such as: User, IP, OS Name, OS Version, Number of Monitors, CPU, GPU,\r\nRAM, Country, CC (Credit Card), City, Coordinator, Hardware ID, GUID, SDCV (malware/campaign\r\nversion), and FPXUrl (unknown).\r\nTo send the exfiltrated data back to the attacker, this malware uses two different types of cryptography: symmetric\r\n(AES) and asymmetric (RSA). 
The symmetric one is faster and requires a key (like a password) to encrypt/decrypt\r\nthe data, therefore it is used to encrypt all the stolen data with a random key generated on the victim’s machine.\r\nThe asymmetric cryptography requires a public key to encrypt the data (stored in the malware) and a private key\r\nto decrypt it (not present in the malware). In this case, the encrypted data is the randomly generated AES key\r\n(password). Therefore, to obtain the stolen data, the attacker needs to decrypt the AES key first by using the\r\ncorresponding private RSA key.\r\nWhat does that mean?\r\nThe malware is generated with a public key whose corresponding private key is probably held only by the developer.\r\nThis is common in malware-as-a-service businesses where the malware is purchased or rented, and\r\nthe developer wants to prevent people from using it without paying for it, protecting the stolen data from being\r\neasily obtained.\r\nThe encrypted AES key is stored in the text file named “{CYR}.txt” inside one of the ZIP files. The attacker then\r\nreceives the following information on their Telegram chat as depicted below:\r\nThe first message is sent every time the malware is executed. It is identified by the first string “REQ,” followed by\r\nthe victim’s GUID, “READY,” and an integer number which represents the “Ran Times” calculated by the\r\nmalware ... 
these values are separated by a pipe “|.”\r\nAs soon as the malware runs its collector module, it stores all stolen data into those ZIP files, and sends them as\r\ndocuments to the Telegram chat along with the following message:\r\n“LOG|\u003cGUID\u003e_\u003cPROFILE NAME\u003e|PUSH|\u003cCAMPAIGN_VERSION\u003e_\u003cRAN TIMES\u003e”\r\nAs explained earlier, to decrypt the stolen data, it is necessary to decrypt the AES key (inside the “{CYR}.txt”\r\nfile) by using a private RSA key that only the attacker has. Finally, the AES key can be used to decrypt all the\r\nstolen data. Decrypting the stolen data manually can take some time, so probably the malware developer created a\r\nscript that gets and decrypts the data from the Telegram chat and shows it in a web panel for example.\r\nAttribution: Identifying the malware family\r\nBased on the IOCs (Indicators of compromise) and TTPs (Tactics, Techniques, and Procedures), we found similar\r\ncampaigns (WithSecure, Cyble, and Meta) with the same modus operandi:\r\nFake job offering approach on LinkedIn that sends a ZIP file containing the same structure analyzed in this\r\nreport.\r\nUsage of 2fa.note.live service.\r\nExecutable files disguised as documents with low detection rate.\r\nUsage of SmartAssembly and .NET Framework to build the malware samples.\r\nAES + RSA Cryptography.\r\nMeta/Facebook hijacking capabilities.\r\nData exfiltration via Telegram.\r\nTherefore, it's safe to attribute this attack to the Vietnamese Duckport malware, active since late March 2023, that\r\nperforms information stealing alongside Meta Business account hijacking. Duckport is described by WithSecure’s\r\nresearch as Ducktail’s copycat. 
Ducktail is said to be one of the many Vietnamese threat actors leveraging shared\r\ntooling and tactics to pull off such fraudulent schemes, according to The Hacker News.\r\nThe campaigns analyzed by our MART researchers have many of the TTPs found in common with the other\r\npreviously documented attacks. Also, the fact that it is a Vietnamese threat is supported by the metadata found in\r\nthe fake documents.\r\nConclusion\r\nThis attack shows how creative threat actors can be to infect victims using LinkedIn fake job positions as social\r\nengineering. We spotted these campaigns because potential victims from Brazil suspected the fake recruiters'\r\napproach and complained in a post on LinkedIn. After that, more than 6,000 people liked and interacted with the\r\npost, indicating that a lot of them were also targeted.\r\nHowever, these campaigns are just the tip of the iceberg. After we linked this campaign to the previously\r\ndocumented Duckport threat group, we learned that the attackers use many different lure themes to infect victims’\r\ndevices across the world.\r\nGiven the usage of a random AES key encrypted with RSA for securing the stolen data, it’s possible that this\r\nthreat is distributed in the malware-as-a-service model. The stolen data can only be retrieved if the attacker has the\r\ncorrect private key that was carefully generated along with the public key stored in the malware in an obfuscated\r\nformat.\r\nIt’s also important to note that information stealer threats can easily sell their established access within\r\ncompromised devices and sell the data (including personal and business related) to other attackers. 
Other threat\r\nactors then can use this to carry out more dangerous attacks such as ransomware, data extortion, and even\r\nespionage attacks against victims’ organizations.\r\nTo protect against this type of threat, we recommend not downloading software from unknown websites, including\r\nif they are advertised at the top of the results by search engines. If you receive a job offer and the recruiter sends a\r\nsuspicious file to be executed, beware and don’t do anything! If you are using a corporate device, always report\r\nsuspicious behavior to your IT department.\r\nOur Threat Advisory Services Malware Analysis and Research Team (MART) frequently monitors and reports on\r\ntrends like this to keep you up-to-date on emerging threats.\r\nIOCs\r\nCampaign #1\r\nFiles\r\nDetails_Advertisement_Campaign_2023_MCMA.zip\r\nHash sha256: b5cd6b969e8b29d3102800ca64b575fec6f28a4f477a31177bb263559eb964c8\r\nBrand_products_10_2023.exe\r\nHash sha256: 61cfe06e6db1c93b8bbb63fdf3f58538edab85dafc4f8c65d9403bf89bd540dd\r\nBrand_products_10_2023.pdf\r\nHash sha256: 2843b74a2f6013b93e0344cdfac6fc68f321bb45ab352d28681fb16a319eb503\r\nCompany_Salary_10_2023.exe\r\nHash sha256: 284a8c7ea86b9e8694ecbfc38d0808f2afc1fede2dd749700bee62a61091f997\r\nCompany_Salary_10_2023.docx\r\nHash sha256: 3c03cb70625d9ccfd41c288bfd6dfc9632cfb3fc7093395146b5149bc41974c9\r\nDetailsSalary_ RevenueBonus_Excel_10_2023.exe\r\nHash sha256: 1d941cb5dcb8bfa06f300a50da871118d693234e005f58fdfc4b6bb69258f70c\r\nDetailsSalary_ RevenueBonus_Excel_10_2023.xlsx\r\nHash sha256: 2f75be8ab634b69d101d827099c486ba41d88c8477339b1fff70b16bb06f4b3b\r\nOverlay (embedded malware):\r\nHash sha256: 
2a2e189d5d778bf443419ee1b3289e8a11404f20b5cd261ce86fecaabbe6636e\r\nURLs\r\nhxxps://note.2fa[.]live/note/Brand_products_10_2023\r\nhxxps://www.dropbox[.]com/scl/fi/coflcpbv8kjwdsl7akwtj/Brand_products_2023_Pdf.pdf?rlkey=2d8srnf18ep9t9eli40jzsn8p\u0026dl=1\r\nhxxps://note.2fa[.]live/note/Company_Salary_10_2023\r\nhxxps://www.dropbox[.]com/scl/fi/dak1zudqyo7nu4uzpwrw7/Company_Salary_2023_Word.docx?rlkey=6wbv7uhj1z20fw21e525gnkek\u0026dl=1\r\nhxxps://note.2fa[.]live/note/DetailsSalary_ RevenueBonus_Excel_10_2023\r\nhxxps://www.dropbox[.]com/scl/fi/h4ddsyhsdw5gs6airlhqd/DetailsSalary_-RevenueBonus_Excel.xlsx?rlkey=y9kdl3dlntva1djzly4ua8zua\u0026dl=1\r\nPaths\r\nJSON file containing the infected machine’s data:\r\n%temp%\\ic303\r\nPersistence mechanism (malware is copied to the folder below and renamed with the machine’s GUID) to execute\r\nmalware every time the machine is initialized:\r\n%localappdata%\\\u003cGUID\u003e.exe\r\nCampaign #2\r\nFiles\r\nSenior_Manager_EA_Sport.zip\r\nHash sha256: 054822987c6597d7a916f6ea29333f20767c1f65e6b5f8edab1f328f3c749dc\r\nJob_Description_of_Senior_Manager.exe, Salary_and_Comprehensive_Benefits_Package.exe\r\nHash sha256: 3097d80d4aa3abf2599058bf58d85aa8cec6ca6894c13c6d360dce162a5dd626\r\nJob_Description_of_Senior_Manager.pdf\r\nHash sha256: 14feebb67d7c46a63afe94149d4f3607ef8d0ed9ccefdcc4615a9fa8b3fe5ec0\r\nOverlay (embedded malware)\r\nHash sha256: ed73b42ea6d26324d3a6cd3f8217b177d68f1d44d5eefaaaef23ee4b4a5787ac\r\nURLs\r\nhxxps://onedrive.live[.]com/download?resid=7531E499827B967F!163\u0026authkey=!AO41K9-bCwOPW64\r\nhxxps://note.2fa[.]live/note/Job_Description_of_Senior_Manager\r\nhxxps://www.dropbox[.]com/scl/fi/xlljfln36gg3vhl6v8mhn/Job_Description_of_Senior_Manager.pdf?rlkey=jlcq8jiu77myq1rj9rtlyjq8g\u0026dl=1\r\nPaths\r\nJSON file containing the infected machine’s 
data:\r\n%temp%\\ic300\r\nPersistence mechanism:\r\n%localappdata%\\\u003cGUID\u003e.ex\r\nSource: https://www.appgate.com/blog/vietnamese-information-stealer-campaigns-target-professionals-on-linkedin",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.appgate.com/blog/vietnamese-information-stealer-campaigns-target-professionals-on-linkedin"
	],
	"report_names": [
		"vietnamese-information-stealer-campaigns-target-professionals-on-linkedin"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434743,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0cedfdea930f27c3f1c2966fa80238eebdbe3109.pdf",
		"text": "https://archive.orkl.eu/0cedfdea930f27c3f1c2966fa80238eebdbe3109.txt",
		"img": "https://archive.orkl.eu/0cedfdea930f27c3f1c2966fa80238eebdbe3109.jpg"
	}
}