{
	"id": "801cff32-1750-43ac-8a27-ed1d711e9961",
	"created_at": "2026-04-06T00:10:54.726091Z",
	"updated_at": "2026-04-10T13:12:08.156867Z",
	"deleted_at": null,
	"sha1_hash": "1571e53753fb926a9d1f7aeaa9c0fd1cecaae5d0",
	"title": "DuckTail | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1855331,
	"plain_text": "DuckTail | ThreatLabz\r\nBy Sudeep Singh, Naveen Selvan\r\nPublished: 2023-08-30 · Archived: 2026-04-06 00:02:59 UTC\r\nUnveiling DuckTail’s TTPs\r\nOverview of the architecture\r\nThe threat research community already has an abundance of good articles covering the technical details of DuckTail’s malware payload.\r\nDistribution methods and techniques\r\nThe following sections break down:\r\nthe infection vectors employed by DuckTail\r\nwhat those infection campaigns look like\r\nFake Job Posts on LinkedIn\r\nDuckTail primarily reaches victims by posting fake marketing-related job listings on LinkedIn. The threat actors presume that the marketing professionals who apply likely have access to ad accounts. The image below is an example of a fake job post on LinkedIn used by DuckTail to lure an unsuspecting candidate.\r\nhttps://www.zscaler.com/blogs/security-research/look-ducktail\r\nPage 1 of 10\n\nFigure 2: This is what the threat actor sees moments after setting up a fake marketing job post on LinkedIn. It’s worth noting that the post is promoted.\r\nIn addition to creating fake job posts on LinkedIn, threat actors also set up LinkedIn profiles impersonating recruiters. To facilitate social engineering, in some cases threat actors add the “Hiring” banner to their LinkedIn profile picture. This catches the attention of users actively seeking a new job.\r\nOnce a potential victim responds to a bait post, the “recruiter” will send a message on LinkedIn.\r\nHow it works\r\nThe threat actors will ask the interested applicant to review the job application package by:\r\n1. Downloading an archive\r\n2. Opening it on a Windows machine\r\n3. Double-clicking the executable (camouflaged as another type of file) inside it\r\nTo maximize their chance of infection, some threat actors create instructional videos showing victims how to “properly” infect their own devices. The image below shows this tactic in action:\r\nFigure 3: “Ashley Swarts” (a fake threat actor account) instructing a victim on how to open the fake job application package.\r\nThe nuances of language\r\nThe threat actor’s English proficiency closely matches the English language skills of an average Vietnamese cybercriminal, not an American HR professional.\r\nOur team observed threat actors using Google Translate to communicate with potential victims. The image below shows a threat actor translating messages from English to Vietnamese in real time as they communicate with a victim. The predominant use of the Vietnamese language also supports our attribution of DuckTail to Vietnamese threat actors.\r\nFigure 4: A threat actor using Google Translate to communicate in English while handling multiple fraudulent job application conversations on LinkedIn.\r\nImpersonating real companies\r\nDuckTail threat actors send job offers impersonating popular organizations and brands to entice job seekers.\r\nIn the image below, a threat actor leveraged a compromised LinkedIn account to message a victim with job opportunity details. While impersonating a real company called Mondelez International, this threat actor sent the following in their message:\r\na link to the company's real Wikipedia and Facebook page\r\nan iCloud URL hosting an archive file containing the malware\r\nFigure 5: A threat actor messaging a victim on LinkedIn and impersonating a real company.\r\nSpear phishing emails\r\nOur team also observed cases where threat actors sent infected archive links through email after making initial contact on LinkedIn. The image below shows a spear phishing email example.\r\nFigure 6: A spear phishing email sent to a victim containing the URL shortener link, which downloads the malicious archive file.\r\n.NET executables as a common thread in DuckTail binaries\r\nMost commonly, DuckTail’s malware payload is a .NET executable, but this is not always the case. Some DuckTail payloads come as an Excel add-in or a browser extension.\r\nThe .NET executables associated with the DuckTail variants share the following attributes:\r\nLarge file sizes, in most cases around 70 MB or more\r\nA fake Office or PDF document icon\r\nA decoy document with details about the fake job offer/marketing advertisement, which opens right after execution\r\nIn some cases, a valid code-signing certificate belonging to a Vietnamese publisher\r\nUse of Telegram for C2 communications\r\nThe executable is usually delivered in an archive, together with image and video files. The images below depict two common archive variations.\r\nType 1 Archive\r\nFigure 7: Type 1 Archive - .exe files with fake icons (first row), together with job-related images\r\nType 2 Archive\r\nFigure 8: Type 2 Archive - .lnk files with PowerShell payloads, plus .scr executables, both obscured by double extensions (.pdf.lnk, .docx.scr), together with job-related images\r\nCloud hosting and URL shortening services\r\nOur research team noticed the following patterns when investigating DuckTail’s infrastructure:\r\nMalicious archives are often hosted on public cloud hosting services like iCloud, Google Drive, Dropbox, Transfer.sh, and OneDrive.\r\nIn some cases, threat actors use Trello, a project management platform, as a cloud hosting service by uploading archives as attachments to Trello cards and providing victims with a direct download link to the card.\r\nAnother widely abused platform is Rebrandly (rebrand.ly), a URL shortener service. Threat actors spread download links generated by Rebrandly to give the download a more legitimate look. You can see the difference that Rebrandly makes in the image below.\r\nFigure 9: A redirection chain set up by the threat actor transforms a long, unfriendly Dropbox link into a short rebrand.ly link.\r\nNewly registered domains used to host payloads\r\nIn addition to disguising links with Rebrandly, threat actors also registered many custom domains through Rebrandly, spreading shortened links under their own fake company name domains.\r\nMost of these custom domains registered by the threat actor use TLDs like:\r\n.social\r\n.software\r\n.sale\r\n.click\r\n.news\r\n.agency\r\n.company\r\nFor a complete list of newly registered domains used by DuckTail, visit the Indicators of Compromise (IOCs) section at the bottom of this blog.\r\nMarketing guides and AI tools\r\nAnother method of infection is the creation of web pages pretending to offer marketing guides and marketing software, but actually serving DuckTail malware.\r\nWe observed the following legitimate marketing and AI tools spoofed:\r\nAdplexity\r\nClickMinded\r\nChatGPT\r\nGoogle BardAI\r\nGenerative AI software, like ChatGPT, is a prime target because it is increasingly used by professionals working in digital marketing, content creation, and advertising.\r\nThe image below shows a web page created by a threat actor leveraging ChatGPT for Facebook advertising.\r\nFigure 10: A screenshot of newguide[.]tech, a website set up by DuckTail to leverage ChatGPT.\r\nBelow is another example of a website set up by a threat actor impersonating Adplexity.\r\nFigure 11: A screenshot of adplexitydesk[.]tech, a website set up by DuckTail impersonating Adplexity. The download button leads to a DuckTail-infected archive.\r\nSource: https://www.zscaler.com/blogs/security-research/look-ducktail",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/look-ducktail"
	],
	"report_names": [
		"look-ducktail"
	],
	"threat_actors": [],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1571e53753fb926a9d1f7aeaa9c0fd1cecaae5d0.pdf",
		"text": "https://archive.orkl.eu/1571e53753fb926a9d1f7aeaa9c0fd1cecaae5d0.txt",
		"img": "https://archive.orkl.eu/1571e53753fb926a9d1f7aeaa9c0fd1cecaae5d0.jpg"
	}
}