{
	"id": "51d5749a-558f-4d13-a0d1-305c7de5f76d",
	"created_at": "2026-04-06T00:06:59.163668Z",
	"updated_at": "2026-04-10T03:36:48.479266Z",
	"deleted_at": null,
	"sha1_hash": "5c139de724c12a8a2df0f263efe449d16b4ed6ed",
	"title": "Ducktail fashion week",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 181533,
	"plain_text": "Ducktail fashion week\r\nBy Alexander Kryazhev\r\nPublished: 2023-11-10 · Archived: 2026-04-05 23:17:19 UTC\r\nDucktail is a malware family that has been active since the second half of 2021 and aims to steal Facebook\r\nbusiness accounts. WithSecure and GridinSoft have covered Ducktail attacks: the infostealer spread under the\r\nguise of documents relating to well-known companies’ and brands’ projects and products. Both public reports\r\nattribute the Ducktail attacks to a group that presumably hails from Vietnam. We have analyzed a recent campaign\r\nthat ran between March and early October 2023 and targeted marketing professionals. An important feature that\r\nsets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the\r\nprogramming language.\r\nInfection\r\nThe campaign saw the bad actor send out an archive containing images of new products by bona fide companies\r\nalong with a malicious executable disguised with a PDF icon. When started, the malware would open a real,\r\nembedded PDF file that contained the job details. The attack was tailored to target marketing professionals\r\nlooking for a career change. The choice of victims and the distinctive means used by the threat actor led us to\r\nassume early on that the campaign was about spreading a new version of Ducktail.\r\nThe malware would install a browser extension capable of stealing Facebook business and ads accounts, likely for\r\nsubsequent sale.\r\nDucktail and the malicious extension\r\nWe examined a large number of archives from the latest campaign: in each case, a copy of Ducktail was emailed\r\nin the name of a major clothing company.\r\nhttps://securelist.com/ducktail-fashion-week/111017/\r\nPage 1 of 5\n\nThe contents of the malicious archive\r\nIf opened by an interested victim, the malicious file saves a PowerShell script named param.ps1 and a PDF decoy\r\nlocally to C:\\Users\\Public. 
The script uses the device’s default PDF viewer to open the decoy, waits five minutes, and then terminates the Chrome browser process.\r\nWhile the script waits, the parent executable saves a malicious library named libEGL.dll to C:\\Users\\Public\\Libraries\\ and loads it. Once loaded, the library walks every LNK file it finds in:\r\nC:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\,\r\nC:\\ProgramData\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\,\r\nand on the desktop, and alters the launch string of every shortcut to a Chromium-based browser (Google Chrome, Edge, Vivaldi, Brave) by appending the following argument: --load-extension=\"C:\\Users\\%USERNAME%\\AppData\\Local\\Google\\Chrome\\User Data\\fjoaledfpmneenckfbpdfhkmimnjocfa\"\r\nSome of the library strings required for the malicious code to run are encrypted with AES-CBC, using the key “gnghfn47n467n43b” and the initialization vector “dakfhskljh92384h”. Both values are hard-coded in the library as plain ASCII strings, so the encryption only hides the strings from static signature matching; an analyst with the sample can recover them directly.\r\nThe use of the strings containing the AES key and initialization vector as featured in the code\r\nIn addition to loading the library, the parent file saves the malicious browser extension files to C:\\Users\\%USERNAME%\\AppData\\Local\\Google\\Chrome\\User Data\\fjoaledfpmneenckfbpdfhkmimnjocfa. The extension disguises itself with the Google Docs Offline icon and description text, while the directory name in that path (fjoaledfpmneenckfbpdfhkmimnjocfa) is the extension ID of the legitimate NordVPN extension. Note that other variants of the malware may host the extension at different paths.\r\nThe malicious extension as seen in Google Chrome (left) and the authentic Google Docs Offline extension (right)\r\nThe core extension script is obfuscated. 
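The shortcut tampering and the extension drop described above leave two artifacts a responder can check for on a Windows host. The PowerShell below is an added example written for this page, not code from the report or from the malware. The function names are ours; the folders scanned are the ones the report names, plus the per-user pinned-taskbar folder under %APPDATA% and the all-users desktop, which are assumed to be worth checking as well; the fixed extension path is the one from this campaign, and because other variants may use a different one, the script also extracts whatever directory a tampered shortcut actually points at.

```powershell
# Added example for this page (not the report's or the malware's code).
# Hunts for Ducktail's two host artifacts: browser shortcuts with an injected
# --load-extension argument, and the side-loaded extension directory itself.

function Get-ShortcutFolder {
    # Folders the libEGL.dll loader walks (from the report), plus the per-user
    # pinned-taskbar folder and the all-users desktop (assumed worth checking too).
    @(
        (Join-Path $env:ProgramData 'Microsoft/Windows/Start Menu/Programs'),
        (Join-Path $env:ProgramData 'Microsoft/Internet Explorer/Quick Launch/User Pinned/TaskBar'),
        (Join-Path $env:APPDATA 'Microsoft/Internet Explorer/Quick Launch/User Pinned/TaskBar'),
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory')
    ) | Where-Object { Test-Path -LiteralPath $_ }
}

function Find-TamperedBrowserShortcut {
    # Emits one object per Chromium-based browser shortcut whose arguments carry
    # --load-extension. With -Fix, strips that argument and saves the shortcut.
    param([switch]$Fix)

    $shell    = New-Object -ComObject WScript.Shell
    $browsers = 'chrome|msedge|vivaldi|brave'   # browser executables the report lists
    $q        = [char]34                         # double-quote character
    # The value may be quoted (the report shows a quoted path with spaces) or bare.
    $loadExt  = '--load-extension=(?:{0}[^{0}]*{0}|[^ ]+)' -f $q

    foreach ($dir in Get-ShortcutFolder) {
        $files = Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -Recurse -File -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            $lnk = $shell.CreateShortcut($file.FullName)
            if ($lnk.TargetPath -notmatch $browsers) { continue }
            $m = [regex]::Match([string]$lnk.Arguments, $loadExt)
            if (-not $m.Success) { continue }

            # Directory the shortcut side-loads; expand %USERNAME% if stored literally.
            $extDir = $m.Value.Substring('--load-extension='.Length).Trim($q)
            $extDir = [Environment]::ExpandEnvironmentVariables($extDir)
            [pscustomobject]@{
                Shortcut        = $file.FullName
                Target          = $lnk.TargetPath
                Arguments       = $lnk.Arguments
                ExtensionDir    = $extDir
                ExtensionExists = ($extDir -ne '') -and (Test-Path -LiteralPath (Join-Path $extDir 'manifest.json'))
            }

            if ($Fix) {
                # Remove only the injected argument; keep anything else the user had.
                $lnk.Arguments = ($lnk.Arguments -replace $loadExt, '').Trim()
                $lnk.Save()
            }
        }
    }
}

function Find-DucktailExtensionDir {
    # Known drop path from this campaign: NordVPN's extension ID used as a folder
    # name directly under User Data. Store-installed extensions live under a
    # profile's Extensions folder (<profile>/Extensions/<id>/<version>), not there.
    $dir = Join-Path $env:LOCALAPPDATA 'Google/Chrome/User Data/fjoaledfpmneenckfbpdfhkmimnjocfa'
    if (Test-Path -LiteralPath (Join-Path $dir 'manifest.json')) {
        Get-Item -LiteralPath $dir
    }
}

Find-TamperedBrowserShortcut | Format-List
Find-DucktailExtensionDir
```

Run it in the context of the affected user, since the desktop, %APPDATA% and %LOCALAPPDATA% paths are per-user. The -Fix switch only restores the shortcut launch string; the extension directory, libEGL.dll and param.ps1 in the Public profile still have to be removed, and any Facebook sessions that were active on the host should be treated as stolen.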
The extension’s core script continuously sends the details of all open browser tabs to the command-and-control (C\u0026C) server; when it detects a Facebook URL, it checks for ads and business accounts and tries to take them over. In particular, it grabs the cookies and details of the accounts the victim is signed in to on the device. To bypass two-factor authentication, the extension uses Facebook API requests and the Vietnamese 2fa[.]live service, which, among other things, generates one-time access codes; this is probably how the attackers log in after the victim’s authentication session has expired. Stolen credentials and cookies are forwarded to a C\u0026C server registered in Vietnam.\r\nMalicious file usage flowchart\r\nIn this campaign, in addition to the main script, the malware saves to the extension folder a script named jquery-3.3.1.min.js, a corrupted version of the core script from prior attacks.\r\nDucktail attack geography\r\nAccording to our telemetry, the cybercriminals most often attacked users in India. 
Our solutions also stopped infection attempts on devices of users in Kazakhstan, Ukraine, Germany, Portugal, Ireland, Greece, Jordan, Pakistan, Vietnam, UAE, USA, Peru and Chile.\r\nMITRE ATT\u0026CK Matrix\r\nTactic\tTechnique ID\tTechnique\r\nInitial Access\tT1566.001\tPhishing: Spearphishing Attachment\r\nPersistence\tT1176\tBrowser Extensions\r\nExecution\tT1059.001\tCommand and Scripting Interpreter: PowerShell\r\nExecution\tT1129\tShared Modules\r\nExecution\tT1204.002\tUser Execution: Malicious File\r\nCredential Access\tT1539\tSteal Web Session Cookie\r\nResource Development\tT1583.001\tAcquire Infrastructure: Domains\r\nReconnaissance\tT1589\tGather Victim Identity Information\r\nReconnaissance\tT1598.002\tPhishing for Information: Spearphishing Attachment\r\nDefense Evasion\tT1027\tObfuscated Files or Information\r\nCommand and Control\tT1071.001\tApplication Layer Protocol: Web Protocols\r\nCommand and Control\tT1132.001\tData Encoding: Standard Encoding\r\nExfiltration\tT1041\tExfiltration Over C2 Channel\r\nIndicators of compromise\r\nFile hashes (SHA-256)\r\nc82b959d43789d3dbf5115629c3c01fa8dd599fbec36df0f4bc5d0371296545a\r\n2b3decf08bf9223fb3e3057b5a477d35e62c0b5795a883ceaa9555ca7c28252f\r\n69257876e2ec5bdbe7114d6ce209f13afbfddb2af0006a6d17e6e91578966870\r\nda13db80b0f3c25b512a1692494f303eff1ff1778a837208f79e2f3c81f8192e\r\nbde696a0ae901864716320e3111d5aa49cba3b1d9375dce2903f7433a287b2f2\r\n04dd228d0b088c4116b503c31de22c1746054226a533286bec3a3d0606d73119\r\n89f016d32707f096cc8daf674e5a9fc2ba6cf731d610f5303d997fc848645788\r\n7da7ca7fcbc6e8bc22b420f82ae5756ecd3ad094b8ebcbd5a78a2362eb87b226\r\n655a8ea3bc1baff01639dcdc43a294f8a5dc622e543d8f51e9d51c6eaaae6f6e\r\n1117a93b4b4b78e4d5d6bd79f5f0e04926759558218df30e868464f05bf1bd3d\r\n554353cda0989c3a141c2ab0d0db06393e4f3fd201727e8cf2ed8d136f87d144\r\nb9a984383a5825868c23bc3afdc70e3af2a56d26d002431940d2429c8e88ace9\r\nc6ae36e28668c6132da4d08bca7ceb13adf576fa1dbdb0a708d9b3b0f140dd03\r\nd03e1a0fce0b112bba4d56380c8d1be671845dd3ed90ec847635ba6015bad84d\r\nab95f377bf7ae66d26ae7d0d56b71dec096b026b8090f4c5a19ac677a9ffe047\r\nf59e2672f43f327c9c84c057ad3840300a2cd1db1c536834f9e2531c74e5fd1c\r\nba8eb1a7f18e4cfca7dd178de1546d42ffb50028c8f3f7ba6551f88c11be75db\r\n06afd110d91419ece0114a7fdeaeba4e79fbc9f2a0450da8b4f264e4ae073a26\r\n64f6cbe9adf91bc4ed457c79643d764a130b0d25364817c8b6da17b03ff91aa7\r\nbdf8dea28f91adcba7780a26951abc9c32a4a8c205f3207fd4f349f6db290da7\r\nd4f10bd162ee77f4778ecc156921f5949cd2d64aab45b31d6050f446e59aed5a\r\nC\u0026C\r\ndauhetdau[.]com\r\nmotdanvoi20232023[.]com\r\nvoiconprivatesv2083[.]com\r\ncavoisatthu2023asd[.]com\r\nSource: https://securelist.com/ducktail-fashion-week/111017/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/ducktail-fashion-week/111017/"
	],
	"report_names": [
		"111017"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434019,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c139de724c12a8a2df0f263efe449d16b4ed6ed.pdf",
		"text": "https://archive.orkl.eu/5c139de724c12a8a2df0f263efe449d16b4ed6ed.txt",
		"img": "https://archive.orkl.eu/5c139de724c12a8a2df0f263efe449d16b4ed6ed.jpg"
	}
}