{
	"id": "dabae024-fb0e-49c2-9837-3d4ec1b368c6",
	"created_at": "2026-04-06T00:16:00.452201Z",
	"updated_at": "2026-04-10T03:32:21.638056Z",
	"deleted_at": null,
	"sha1_hash": "cfa3501cd90852369b33fa561ff25a8dbe68dc33",
	"title": "New Voldemort Malware Espionage Campaign | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10128566,
	"plain_text": "New Voldemort Malware Espionage Campaign | Proofpoint US\r\nBy Tommy Madjar, Pim Trouerbach, Selena Larson and the Proofpoint Threat Research Team\r\nPublished: 2024-08-29 · Archived: 2026-04-05 17:36:19 UTC\r\nResearch update (October 22nd, 2024)\r\nProofpoint analysts now attribute this campaign to the China-aligned threat group TA415 (also known as APT41 and Brass Typhoon). This attribution is based on multiple newly identified high-confidence links between the campaign distributing Voldemort and known TA415-attributed infrastructure, including overlaps with activity publicly reported by Mandiant in July 2024.\r\nFurthermore, in late August 2024, Proofpoint identified a targeted campaign featuring an almost identical attack chain to deliver the Voldemort backdoor. This activity spoofed a Taiwanese aerospace industry association and repeatedly targeted fewer than five aerospace companies in the US and Taiwan, aligning with more typical targeting associated with TA415 and other China-aligned actors. A machine-translated version of a phishing email associated with this campaign is shown below (originally written in Traditional Chinese).\r\nIn this campaign, TA415 began using Google AMP Cache URLs that redirected to password-protected 7-Zip files hosted on OpenDrive. These archives contained malicious Microsoft Shortcut (LNK) files that attempted to download a Python script hosted on paste[.]ee. This activity continued into late September 2024 and also targeted a small number of organizations in the chemicals, insurance, and manufacturing industries.\r\nKey findings\r\nProofpoint researchers identified an unusual campaign delivering malware that the threat actor named “Voldemort”.\r\nProofpoint assesses with moderate confidence that the goal of the activity is to conduct espionage.\r\nThe activity impersonated tax authorities from governments in Europe, Asia, and the U.S. 
and targeted dozens of organizations worldwide.\r\nThe ultimate objective of the campaign is unknown, but Voldemort has capabilities for intelligence gathering and to deliver additional payloads.\r\nVoldemort’s attack chain has unusual, customized functionality including using Google Sheets for command and control (C2) and using a saved search file on an external share.\r\nOverview\r\nhttps://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort\r\nPage 1 of 28\n\nIn August 2024, Proofpoint researchers identified an unusual campaign using a novel attack chain to deliver custom malware. The threat actor named the malware “Voldemort” based on internal filenames and strings used in the malware. The attack chain comprises multiple techniques currently popular within the threat landscape as well as uncommon methods for command and control (C2) like the use of Google Sheets. Its combination of the tactics, techniques, and procedures (TTPs), lure themes impersonating government agencies of various countries, and odd file naming and passwords like “test” are notable. Researchers initially suspected the activity may be a red team; however, the large volume of messages and analysis of the malware very quickly indicated it was a threat actor.\r\nProofpoint assesses with moderate confidence this is likely an advanced persistent threat (APT) actor with the objective of intelligence gathering. However, Proofpoint does not have enough data to attribute with high confidence to a specific named threat actor (TA). Despite the widespread targeting and characteristics more typically aligned with cybercriminal activity, the nature of the activity and capabilities of the malware show more interest in espionage rather than financial gain at this time.\r\nVoldemort is a custom backdoor written in C. 
It has capabilities for information gathering and to drop additional payloads. Proofpoint observed Cobalt Strike hosted on the actor's infrastructure, and it is likely that is one of the payloads that would be delivered.\r\nCampaign details\r\nVolume and targeting\r\nBeginning on 5 August 2024, the malicious activity included over 20,000 messages impacting over 70 organizations globally. The first wave of messages included a few hundred messages daily but then spiked on 17 August with nearly 6,000 total messages.\r\nMessages purported to be from various tax authorities notifying recipients about changes to their tax filings. Throughout the campaign the actor impersonated tax agencies in the U.S. (Internal Revenue Service), the UK (HM Revenue \u0026 Customs), France (Direction Générale des Finances Publiques), Germany (Bundeszentralamt für Steuern), Italy (Agenzia delle Entrate), and from August 19, also India (Income Tax Department), and Japan (National Tax Agency). Each lure was customized and written in the language of the authority being impersonated.\r\nProofpoint analysts correlated the language of the email with public information available on a select number of targets, finding that the threat actor targeted the intended victims based on their country of residence, rather than the country that the targeted organization operates in, or the country or language that could be extracted from the email address. For example, certain targets in a multi-national European organization received emails impersonating the IRS because their publicly available information linked them to the US. In some cases, it appears that the threat actor mixed up the country of residence for some victims when the target had the same (but uncommon) name as a more well-known person with a more public presence.\r\nEmails were sent from suspected compromised domains, with the actor including the real domain of the agency in the email address. 
For example, an email impersonating the U.S. IRS appeared to be:\r\n        From: Federal IRS \u003cno_reply_irs[.]gov@amecaindustrial[.]com\u003e\r\nOther sender domains included:\r\n        tblsys[.]com\r\n        joshsznapstajler[.]com\r\n        ideasworkshop[.]it\r\nEmails impersonating HMRC and DGFIP.\r\nThe threat actor targeted 18 different verticals, but nearly a quarter of the organizations targeted were insurance companies. Aerospace, transportation, and university entities made up the rest of the top 50% of organizations targeted by the threat actor.\r\nVertical targeting breakdown of Voldemort malware email campaigns.\r\nAttack chain\r\nThe messages contain Google AMP Cache URLs that redirect to a landing page hosted on InfinityFree, or later in the campaign, linking directly to the landing page. The landing page includes a \"Click to view document\" link that, when clicked, checks the User Agent of the browser.\r\nInfinityFree hosted landing page with a background User Agent check, with popup asking the victim to open Windows Explorer after clicking the “View Document” button.\r\nIf the User Agent contains \"windows\", the browser is redirected to a search-ms URI, pointing to a TryCloudflare-tunneled URI ending with .search-ms, prompting the victim to open Windows Explorer; however, this query is never visible to the victim, only the resulting popup is. It will also load an image from a URL ending in /stage1 on an IP address running the logging service pingb.in to log a successful redirect. The use of the pingb.in service allows the threat actor to gather additional browser and network information about the victim. 
\r\nHTML Redirect Logic embedded on landing page.\r\nIf the User Agent does not contain \"windows,\" the browser will be redirected to a Google Drive URL that is empty, and it will similarly load an image from the pingb.in IP, but with the URL ending in /stage0. This allows the threat actor to track browser and network details for those that did click the button but were not served any malicious content.\r\nIf the victim accepts opening Windows Explorer, Windows Explorer will silently perform a Windows Search query as directed by the linked .search-ms file. The .search-ms file is never downloaded or displayed to the user but instead abuses the file format, which will be discussed in the “Abusing the Saved Search File Format” section of this blog. This will result in displaying a Windows shortcut file (often referred to as a LNK because of the file extension it uses) or, later in the campaign, a ZIP file containing a similar LNK in Windows Explorer using a filename related to the original email lure. This LNK or ZIP is hosted on the same TryCloudflare host, but in another WebDAV share, \\pub\\. Notably, the file looks like it is hosted directly in the Downloads folder on the recipients’ host as opposed to the external share. It also uses a PDF icon to masquerade as a different file type. These two techniques may lead the recipient to believe it is a local PDF file, which may increase the likelihood of clicking on the content.\r\nShortcut masquerading as a PDF hosted on an external WebDAV in a way that makes it appear as if it were in the user’s local Downloads folder. 
\r\nIf the LNK is executed, it will invoke PowerShell to run Python.exe from a third WebDAV share on the same tunnel (\\library\\), passing a Python script on a fourth share (\\resource\\) on the same host as an argument. This causes Python to run the script without downloading any files to the computer, with dependencies being loaded directly from the WebDAV share.\r\nSecurity notification displayed to the user when the LNK is opened.\r\nThe executed Python script is specific to the original lure, depending on language and geographic targeting. Interestingly, it begins by checking the operating system, even though this check was already done on the landing page. If the script detects a Windows environment, it proceeds with specific actions; no functions are executed on other operating systems. These actions on Windows include:\r\nCollecting information about the computer using the Python function platform.uname(), including the computer name, Windows version information, and CPU information.\r\nSending data as base64 in a URL via a GET request to the same pingb.in IP as on the landing page, but with /stage2-2/ in the URL, for example:\r\n   hxxp://83[.]147[.]243[.]18/p/7c31e3ebfb77ead34ea71900b1b0/stage2-2/[base64 string]\r\nThreat actor’s pingb.in web interface.\r\nPCAP of pingb.in traffic.\r\nThe GET request does not contain any other data except the standard headers automatically generated by the Python HTTP library. It then downloads a decoy PDF, relevant to the targeted country, from OpenDrive (a file hosting service like OneDrive) and opens it. 
\r\nDecoy PDF impersonating DGFIP.\r\nThe script collects the computer name, username, domain, and again the result of platform.uname(), storing it as a base64 string and posting it as described above, but this time with /stage1-2/ in the URL (despite being executed after stage2-2).\r\nIt downloads a password-protected ZIP file called test.png or logo.png from OpenDrive, saves it as %localappdata%\\Microsoft\\Windows\\test.zip or logo.zip, and extracts the contents, CiscoCollabHost.exe and CiscoSparkLauncher.dll, using the password “test@123”.\r\nIt executes the file CiscoCollabHost.exe and deletes the downloaded ZIP as the final action of the Python script. CiscoCollabHost.exe is a legitimate executable related to WebEx and is used to side-load the DLL named CiscoSparkLauncher.dll.\r\nCiscoSparkLauncher.dll, which has the exported DLL name “Voldemort_gdrive_dll.dll” or, later in the campaign, “Voldemort_gdrive_c.dll”, is detailed in the Malware Analysis section of this report. Proofpoint tracks this payload as Voldemort.\r\nWhile the URLs to the respective landing pages have been static, the hostname for the TryCloudflare tunnel used in the initial search-ms query and subsequent WebDAV shares has changed frequently, often daily. Even though the hostname has changed, the structure of the WebDAV shares has been the same:\r\n        \\public\\ - contains the .search-ms files\r\n        \\pub\\ - contains the LNK or later ZIP files\r\n        \\library\\ - contains the Python distribution and dependencies\r\n        \\resource\\ - contains the Python scripts\r\nVoldemort is a backdoor with capabilities for information gathering and can load additional payloads. A full technical breakdown of the malware and related payloads is available below. 
\r\nAPT activity with cybercrime vibes\r\nInterestingly, the actor used multiple techniques that are becoming more popular in the cybercrime landscape, which—in addition to the volume and targeting that is also more aligned with ecrime campaigns—is unusual. While the lures in the campaign are more typical of a criminal threat actor, the features included in the backdoor are more similar to the features typically found in the tools used for espionage.\r\nThreat actors abuse file schema URIs to access external file sharing resources for malware staging, specifically WebDAV and Server Message Block (SMB). This is done by using the schema “file://” and pointing to a remote server hosting the malicious content. This technique is observed with increasing frequency from cybercriminal threats including IABs.\r\nProofpoint researchers recently observed an uptick in the abuse of Cloudflare Tunnels, specifically the TryCloudflare feature that allows an attacker to create a one-time tunnel without creating an account. Tunnels are a way to remotely access data and resources that are not on the local network, like using a virtual private network (VPN) or secure shell (SSH) protocol. Each use of TryCloudflare Tunnels generates a random subdomain on trycloudflare[.]com, for example ride-fatal-italic-information[.]trycloudflare[.]com. Traffic to the subdomains is proxied through Cloudflare to the operators’ local server.\r\nNotably, with Voldemort activity, the threat actors used just four unique TryCloudflare tunnels over the month of August 2024, as opposed to creating a new tunnel for each wave of messages, as Proofpoint has observed with other malicious activity clusters. 
Unlike previously observed activity, in this campaign the Python dependencies were not downloaded directly on the host and were loaded from the WebDAV share instead.\r\nAbusing the Saved Search File Format\r\nIn general, threat actors abuse the Windows search protocol (search-ms) in order to locally, in a folder, display files hosted on a remote machine. This technique is often used to deploy various remote access trojans (RATs). Search-ms allows applications, JavaScript, or HTML to display remote files that look like trusted content directly on a host. Proofpoint has observed multiple cybercrime threat actors – from commodity malware users to initial access brokers (IABs) – leverage this technique. The Voldemort malware campaign is using the rarely observed technique of the saved search file format (.search-ms), which lets the actor save a search query as a file on the WebDAV share.\r\nNormally when a threat actor abuses the Microsoft search protocol, the URI includes the host on which the search is going to be performed, the query that is going to be executed, and the display name of the search. In this case, the search-ms URI contained just the display name and a subquery for a URI on a WebDAV share that also ended in .search-ms. For example:\r\n        Search[:]displayname=Downloads\u0026subquery=%5C%ways-sms-pmc-shareholders[.]trycloudflare.com@SSL%5Cpublic%5CSA150_Notes_2024.search-ms\r\nEven more puzzling, when the query was opened in Windows Explorer, the user was instead directed to a search for an .lnk or .zip file without any indication that a file was opened or something similar—the query was performed silently. Moreover, when Proofpoint researchers manually inspected the location of the file, it was no longer in the \\public\\ share. Instead, the displayed file resided in the \\pub\\ share on the same host. 
Upon investigation, researchers discovered virtual folders that, if opened, resulted in the same experience as opening the search URI. The virtual folders were actually the .search-ms files used in the search URI.\r\nManual browsing of WebDAV share via browser.\r\nThese .search-ms files turned out to be XML files of the type \"Saved Search File Format.\" Typically, these files are created when performing a search in Windows and manually saving the search, for example, by right-clicking in the search window and selecting \"Save search.\"\r\nSearching locally and saving the search to create a .search-ms file.\r\nResulting .search-ms file after saving the search.\nSaving a search will create a .search-ms file in the saved search folder on a Windows host. However, the extension is hidden, even if the option to view extensions for known file types is selected. This is similar to how a user does not typically see the .lnk extension for Windows shortcuts. The functionality of a saved search is intended for situations where someone performs the same searches regularly and wants to easily repeat them with the results presented in a consistent manner. Similar to a search: or search-ms: URI, this will perform the same search again. But with the .search-ms file, a user can also specify how they want Windows Explorer to display the results more specifically. 
If abused, .search-ms files can more effectively hide elements that would otherwise indicate that the victim is not in a folder on their local machine.\nHere are some interesting parts from one of the .search-ms files the actor was using:\nManually editing a file to specify, among other things, that the view should just be shown as “Downloads.”\nDefining a narrow view in Windows Explorer to more effectively hide artifacts that could show what share the file is hosted on.\nA search condition only showing the malicious file on the share.\nSpecifying the path to the folder or share that should be searched. The GUID represents a network location.\nAuthor type containing the display name of the Windows user that created the .search-ms file (“test”).\nMalware analysis\nThe malware is executed by utilizing CiscoCollabHost.exe, which is vulnerable to DLL hijacking. The executable attempts to load a DLL called CiscoSparkLauncher.dll which is kept in the same directory as the executable, but in this case, is malware. The only requirement is that the DLL has the correct name and exports a function called SparkEntryPoint.\nThis SparkEntryPoint starts with a sleep mechanism of roughly 5–10 minutes with a jitter amount to try and evade sandboxes that run for short periods of time.\nCalculating sleep time.\nThe malware then has a routine to dynamically invoke APIs that is relatively uncommon. 
To resolve functions and call them, the malware passes a DLL handle, a callback to a function, and the arguments to the function it’s trying to call.\nCall to resolve and invoke a function.\nThe callback is a function that decrypts a string that is called in the function invoking the Windows APIs.\nStub to call the resolved function and preserve the arguments on the stack.\r\nCobalt Strike shellcode commonly uses this technique, wherein the resolver resolves the function it’s looking for as well as calling it.\r\nTo decrypt strings, the malware relies on an algorithm that looks very similar to XTEA but is unrolled to remove the loops in the block decryption.\r\nDecryption algorithm.\r\nThe unrolled algorithm can be seen below:\r\nUnrolled algorithm.\r\nDuring the analysis, Proofpoint found the algorithm was nonstandard and therefore we used emulation methods to decrypt the embedded strings, which we will detail below.\r\nUtilizing the fantastic tool Dumpulator by MrExodia, we can create a dump of the malware in x64dbg and use that as custom tooling within a Python environment.\r\nPython code showcasing Dumpulator usage to decrypt strings.\r\nThis allows us to call functions within the malware given they are relatively simple and do not rely on Windows internals. Great candidates for this are functions that do not make any other calls and just translate data. 
\r\nThe Python script implements string decryption using emulation, and at the end we can read the decrypted string from the allocated memory to which we wrote the encrypted contents. Running this code over the entire data section of the DLL gives us all the decrypted strings within the sample:\r\nDecrypted strings.\r\nWith API calls resolved, the malware continues by decrypting its own configuration. Unlike other malware that stores a direct reference to the encrypted configuration, this malware contains a string that it searches for in its own file, more commonly referred to as “egg hunting” -- the egg being “g00” in this case.\r\nStart of encrypted configuration denoted by “g00”.\r\nAfter the egg, the next four bytes indicate how long the config is, and the rest of the data is decrypted via an XOR cipher using the executable name “CiscoCollabHost.exe”. Decrypting this data gives the keys required for the malware to communicate with the command and control (C2) server. The following table shows the relevant decrypted strings from the configuration. 
\r\ntest\r\n962194083343-nevo9pjnlr7cgirjs1eonpebakrlq3qc.apps.googleusercontent.com (client ID)\r\n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 (client secret)\r\n1//0eg8RBquaRQvhCgYIARAAGA4SNwF-L9IrSsPADLEx_CMsoJYspPSfaoeUbxii4xLVK10CafejzYAEBi2IptPt9KpwO7vphUTPF (refresh token)\r\nRather than using dedicated infrastructure or even compromised infrastructure, the malware utilizes Google Sheets infrastructure for C2, data exfiltration and executing commands from the operators.\r\nAt this point, the malware has all the information it needs to start communicating with the C2. Since the malware is using Google Sheets with a client token, it needs to authenticate before it can write data to Google Sheets.\r\nPOST request getting an access token from Google.\r\nThe client ID, client secret, and refresh token value are taken from the decrypted configuration and sent to receive an access token.\r\nRaw request of getting the access token from Google.\r\nWith the access token acquired, the malware can read the given Google Sheet that contains commands for the bot.\r\nCode to read data from the Sheet acting as the C2.\r\nThe first request made to read the Sheet is to check where to write its own data. The malware starts by reading value A1:A1 of the Sheet; if a UUID is returned, it knows there is already victim data within that set. It then proceeds to read 2:2 and so on until a UUID is not returned. 
Following is a request showing a UUID returned:\r\nRaw response showing a UUID being returned from the Sheet.\r\nAfter six iterations, if the malware does not get a UUID back, that indicates that it can freely write to those cells without overwriting existing bot data.\r\nRaw response showing a UUID not being returned.\r\nAs an unintended consequence, this loop of iterating over cells shows how many victims there are within the given Google Sheet.\r\nAfter the malware has found a set of cells it can write data to, it sends an array of host information in the sixth row:\r\nRaw request of the bot uploading its host info to the Google Sheet.\r\nThe following table shows some of the notable fields included in this request. Most values within this request are base64 encoded and RC4 encrypted using the executable's filename as the RC4 key, e.g., \"CiscoCollabHost.exe\":\r\nBot UUID\r\nLocal IP\r\nHostname\r\nUsername\r\nProgram Files list\r\nProgram Files (x86) list\r\nEnvironment Variables\r\nFilename of executable\r\nInfection Timestamp\r\nDescription of fields.\r\nAt this point in the malware, the actors can issue commands to the bot via the Google Sheet. The commands the malware supports are as follows:\r\nPing\r\nDir\r\nDownload\r\nUpload\r\nExec\r\nCopy\r\nMove\r\nSleep\r\nExit\r\nAll of these come with their own status messages indicating whether the operation was successful or not, as well as a leaked name for the malware, “Voldemort”. 
\r\nDecrypted status messages related to executing commands.\r\nGoogle exploring\r\nAfter observing that the malware uses a standard service as its communication protocol and that the service exposes a client ID and client secret that can be used to read data from the Google Sheet, we felt it was worth exploring the given Google Sheet to see what information was available. With the following Python code, we identified all the active infections that had made it to the point of sending host information to the Google Sheet. In total, we observed six victims in the Sheet, with all but one of them being a sandbox or a known researcher.\r\nPython code showcasing how to read data from a Google Sheet.\r\nExploring the other pages within the Google Sheet also allowed us to see commands executed by the actors for the few bots that were registered in the spreadsheet. For each victim machine the actor interacts with, a new page is created that uses the hostname + username as the name. As of this writing, the actors had only executed commands to show directory listings of two directories.\r\nAfter seeing the success of being able to read the given Google Sheet, we felt the need to see what else these client secrets allowed us to read. Taking similar Python code as the Sheet reader but using it to read Google Drive showed some interesting artifacts. To do this, we needed a folder ID. Luckily, just as with the Sheet ID, this Drive ID was embedded in the configuration for infected machines to upload files of interest to Drive.\r\nPython code showing how to list files within a Google Drive. 
\r\nThis scraping let us query the entire folder contents and download specific uploaded files. From this work we identified the following files:\r\nAPI (Google Sheet used for C2)\r\n7za.exe (7z executable)\r\nTest.7z (Password protected 7z)\r\nIn addition to the following folders:\r\nV1 [2023]\r\nV2 [2023]\r\nV1 [2023]\r\nThese directories contained training materials related to OpenWRT firmware code.\r\nDirectory output of the threat actor’s Google Drive.\r\nIn addition to these firmware images was a single picture shown below:\r\nImage showing OpenWRT’s GUI.\r\nProofpoint researchers are unsure what the purpose of these files is, as they are not being used to interact with any of the victims. It is possible they might be leftover from other activities performed by the actor.\r\nThe file named test.7z in the Google Drive is a password-protected 7-zip archive. Although no password was evident, the archive was easily decrypted with the commonly observed password “test123”. This archive contained a DLL and executable.\r\nDirectory listing showing the test files uploaded by the threat actor.\r\nThe executable “Shuaruta.exe” is another executable vulnerable to DLL side loading. The Shuaruta.exe program could be used to side-load \"nvdaHelperRemote.dll\", which was written in Go and simply loads a Cobalt Strike Beacon.\r\nFortunately, the developers of the Go binary compiled it with symbols and debug information.\r\nDebug output contained within the Go binary to inject Cobalt Strike. 
\r\nThis gives us information on a potential username (yOIR) as well as when the DLL was compiled. Finally, extracting the configuration from the Cobalt Strike beacon itself gives us the following relevant fields:\r\n        DOMAINS: ['autodiscover[.]iitt[.]eu[.]org']\r\n        URIS: ['/ows/v1/OutlookCloudSettings/settings/global']\r\n        WATERMARK: 987654321\r\n        USERAGENT: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64;Trident/6.0)\r\nThe watermark in this Cobalt Strike configuration is associated with a cracked version of the software. The watermark has been observed in multiple unrelated threats in open-source reporting. The eu[.]org domain is a publicly available domain that offers free subdomains to non-profit organizations.\r\nAttribution\r\nProofpoint does not attribute this activity to a tracked threat actor. Based on the functionality of the malware and collected data observed when examining the Sheet, information gathering was one objective of this campaign. While many of the campaign characteristics align with cybercriminal threat activity, we assess this is likely espionage activity conducted to support as yet unknown final objectives.\r\nThe Frankensteinian amalgamation of clever and sophisticated capabilities, paired with very basic techniques and functionality, makes it difficult to assess the level of the threat actor’s capability and determine with high confidence the ultimate goals of the campaign. It is possible that large numbers of emails could be used to obscure a smaller set of actual targets, but it’s equally possible the actors wanted to genuinely infect dozens of organizations. It is also possible that multiple threat actors with varying levels of experience in developing tooling and initial access worked on this activity. Overall, it stands out as an unusual campaign. 
\r\nWhy it matters  \r\nThe behavior combines a variety of recently popular techniques observed in several disparate campaigns from multiple cybercriminal threat actors that have used similar techniques as part of ongoing experimentation across the initial access ecosystem. Many of the techniques used in the campaign are observed more frequently in the cybercriminal landscape, demonstrating that actors engaging in suspected espionage activity often use the same TTPs as financially motivated threat actors. \r\nWhile the activity appears to align with espionage activity, it is possible that future activities associated with this threat cluster may change this assessment. In that case, it would indicate cybercriminal actors, while demonstrating some typical ecrime delivery characteristics, used customized malware with unusual features currently only available to the operators and not abused in widespread campaigns, as well as very specific targeting not normally seen in financially motivated campaigns. \r\nDefense against observed behaviors includes restricting access to external file sharing services to only known, safelisted servers; blocking network connections to TryCloudflare if it is not required for business purposes; and monitoring and alerting on use of search-ms in scripts and suspicious follow-on activity such as LNK and PowerShell execution. \r\nProofpoint reached out to our industry colleagues about the activities in this report abusing their services, and their collaboration is appreciated. 
\r\nEmerging Threats signatures \r\n2857963 - ETPRO HUNTING GoogleSheets API V4 Activity (Fetch Single Cell with A1 Notation)  \r\n2857964 - ETPRO HUNTING GoogleSheets API V4 Response (Single Cell with UUID)  \r\n2857976 - ETPRO HUNTING GoogleSheets API V4 Activity (Possible Exfil)  \r\n2858210 - ETPRO MALWARE Voldemort System Info Exfil  \r\nIndicators of compromise \r\nIndicator | Description | First Observed \r\nhxxps://pubs[.]infinityfreeapp[.]com/SA150_Notes_2024[.]html | Redirect Target / Landing Page | 2024-08-12 \r\nhxxps://pubs[.]infinityfreeapp[.]com/IRS_P966[.]html | Redirect Target / Landing Page | 2024-08-06 \r\nhxxps://pubs[.]infinityfreeapp[.]com/Notice_pour_remplir_la_N%C2%B0_2044[.]html | Redirect Target / Landing Page | 2024-08-13 \r\nhxxps://pubs[.]infinityfreeapp[.]com/La_dichiarazione_precompilata_2024[.]html | Redirect Target / Landing Page | 2024-08-05 \r\nhxxps://pubs[.]infinityfreeapp[.]com/Steuerratgeber[.]html | Redirect Target / Landing Page | 2024-08-13 \r\nhxxps://od[.]lk/s/OTRfNzQ5NjQwOTJf/test[.]png | Python Payload (Renamed ZIP containing Voldemort) | 2024-08-05 \r\nhxxps://od[.]lk/s/OTRfODQ1Njk2ODVf/2044_4765[.]pdf | Python Payload (Decoy PDFs) | 2024-08-05 \r\nhxxps://od[.]lk/s/OTRfODM5Mzc3NjFf/irs-p966[.]pdf | Python Payload (Decoy PDFs) | 2024-08-06 \r\nhxxps://od[.]lk/s/OTRfODM3MjM2NzVf/La_dichiarazione_precompilata_2024[.]pdf | Python Payload (Decoy PDFs) | 2024-08-05 \r\nhxxps://od[.]lk/s/OTRfODQ1NDc2MjZf/SA150_Notes_2024[.]pdf | Python Payload (Decoy PDFs) | 2024-08-12 \r\nhxxps://od[.]lk/s/OTRfODQ1NzA0Mjlf/einzelfragen_steuerbescheinigungen_de[.]pdf | Python Payload (Decoy PDFs) | 2024-08-13 \r\nhxxp://83[.]147[.]243[.]18/p/ | pingb.in base URL | 2024-08-05 \r\n3fce52d29d40daf60e582b8054e5a6227a55370bed83c662a8ff2857b55f4cea | test.png/zip SHA256 | 2024-08-05 \r\n561e15a46f474255fda693afd644c8674912df495bada726dbe7565eae2284fb | CiscoSparkLauncher.dll SHA256 (Voldemort Malware) | 2024-08-05 \r\n6bdd51dfa47d1a960459019a960950d3415f0f276a740017301735b858019728 | CiscoCollabHost.exe SHA256 (Benign file used for side-loading) | 2024-08-05 \r\npants-graphs-optics-worse[.]trycloudflare[.]com | TryCloudflare Tunnel Hostname | 2024-08-05 \r\nways-sms-pmc-shareholders[.]trycloudflare[.]com | TryCloudflare Tunnel Hostname | 2024-08-05 \r\nrecall-addressed-who-collector[.]trycloudflare[.]com | TryCloudflare Tunnel Hostname | 2024-08-05 \r\nhxxps://sheets[.]googleapis[.]com:443/v4/spreadsheets/16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/ | Voldemort C2 | 2024-08-05 \r\nhxxps://resource[.]infinityfreeapp[.]com/ABC_of_Tax[.]html | Redirect Target / Landing Page | 2024-08-19 \r\nhxxps://resource[.]infinityfreeapp[.]com/0023012-317[.]html | Redirect Target / Landing Page | 2024-08-19 \r\nhxxps://od[.]lk/s/OTRfODQ4ODE4OThf/logo[.]png | Python Payload (Renamed ZIP containing Voldemort) | 2024-08-19 \r\nhxxps://od[.]lk/s/OTRfODQ5MzQ5Mzlf/ABC_of_Tax[.]pdf | Python Payload (Decoy PDFs) | 2024-08-19 \r\n0b3235db7e8154dd1b23c3bed96b6126d73d24769af634825d400d3d4fe8ddb9 | logo.png/zip SHA256 | 2024-08-19 \r\nfa383eac2bf9ad3ef889e6118a28aa57a8a8e6b5224ecdf78dcffc5225ee4e1f | CiscoSparkLauncher.dll SHA256 (Voldemort Malware) | 2024-08-19 \r\ninvasion-prisoners-inns-aging[.]trycloudflare[.]com | TryCloudflare Tunnel Hostname | 2024-08-19 \r\nSource: 
https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
	],
	"report_names": [
		"malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
	],
	"threat_actors": [
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434560,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cfa3501cd90852369b33fa561ff25a8dbe68dc33.pdf",
		"text": "https://archive.orkl.eu/cfa3501cd90852369b33fa561ff25a8dbe68dc33.txt",
		"img": "https://archive.orkl.eu/cfa3501cd90852369b33fa561ff25a8dbe68dc33.jpg"
	}
}