
Hackers use LinkedIn to deliver Ducktail malware to target businesses


Threat actors have attempted to distribute Ducktail malware via LinkedIn to a victim employed in the business services industry. The plan was to target the employee’s system and gain access to important data.

Researchers from eSentire’s Threat Response Unit (TRU) exposed this highly sophisticated infiltration attempt. The orchestrated attack began with the delivery of a seemingly innocuous attachment via a private LinkedIn message to a digital marketing employee.

The attachment, housed within an oversized ZIP archive, contained concealed batch scripts exceeding 800MB. Researchers found that these scripts executed a PowerShell command upon decoding, initiating a multi-stage infection process.
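As an added example, not part of this article or of eSentire's research: a small Python triage routine that inspects a ZIP attachment's central directory, without extracting anything, for the traits described above: a script file padded to an implausible size, a compression ratio that suggests filler bytes, and a double extension such as `.pdf.bat`. The thresholds, the member names and the sample archive are constructed for illustration; the padding is kept to a couple of megabytes so the example runs quickly, where the real attachment was reported as exceeding 800MB.

```python
import io
import zipfile

# Constructed thresholds (assumptions for this example, not values from the report).
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs", ".js")
OVERSIZED_BYTES = 1 * 1024 * 1024   # 1 MiB: no legitimate batch script is this large
MIN_RATIO = 50.0                    # uncompressed/compressed ratio that hints at filler


def triage_archive(data: bytes) -> list:
    """Return a list of suspicious members found in a ZIP, judged only from
    central-directory metadata (name, stored size, compressed size)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            base = name.rsplit("/", 1)[-1]        # strip any folder prefix
            stem = base.rsplit(".", 1)[0]         # file name without its last extension
            is_script = base.endswith(SCRIPT_EXTENSIONS)
            reasons = []
            # A script padded far beyond any plausible size (scanner size-limit evasion).
            if is_script and info.file_size >= OVERSIZED_BYTES:
                reasons.append("oversized_script")
            # Filler bytes compress extremely well, so the ratio stands out.
            if info.compress_size and info.file_size / info.compress_size >= MIN_RATIO:
                reasons.append("high_compression_ratio")
            # "brief.pdf.bat" reads as a document but runs as a script.
            if is_script and "." in stem:
                reasons.append("double_extension")
            if reasons:
                findings.append({
                    "name": info.filename,
                    "size": info.file_size,
                    "compressed": info.compress_size,
                    "reasons": reasons,
                })
    return findings


def build_sample_archive(padding_bytes: int = 2 * 1024 * 1024) -> bytes:
    """Constructed sample: a harmless text file plus a batch file padded with
    null bytes, mimicking the oversized-script trick described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Quarterly campaign brief")
        script = ("@echo off\r\n"
                  "rem placeholder line standing in for the script body\r\n"
                  + "\x00" * padding_bytes)
        zf.writestr("Campaign_Brief.pdf.bat", script)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding["name"], finding["size"], finding["compressed"], finding["reasons"])
```

The sizes come from the central directory, which is attacker-controlled metadata, so treat a hit as a reason to detonate or quarantine the attachment rather than as a verdict; a clean result likewise proves nothing on its own. Run this at a mail or chat gateway, or over files an endpoint agent stages before they are opened, and pair it with the usual attachment-type policies.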


Multi-stage infection process

As the cybersecurity team delved deeper into the threat, they unravelled a meticulous plan by the threat actors to compromise the target’s system. The PowerShell script downloaded additional components, including a decoy PDF, from malicious URLs, showcasing a sophisticated use of obfuscation techniques.

Notably, the attackers focused on bypassing User Account Control (UAC), attempting to download files with administrative privileges or employing well-known UAC bypass methods.


Advanced payload

The decoy PDF is downloaded when the victim unzips the file. | Source: eSentire

The primary payload, identified as mainbot.exe, demonstrated advanced capabilities. This malicious executable established connections with a command-and-control server, allowing threat actors to execute remote commands.

The potential consequences included data exfiltration and the compromise of sensitive information within the infected system.


Evasion techniques and persistence

The attackers exhibited high sophistication by creating scheduled tasks and services. Concurrently, they actively evaded detection by manipulating antivirus settings.

This showcased a keen intent to maintain a persistent presence within the compromised system, emphasising the need for organisations to fortify their security posture.

The researchers isolated the affected host and contained the threat. They also urged business owners and employees not to click on links or open emails or ZIP files received from unsolicited persons on the platform. The attackers’ tactics, including UAC bypass and evasion techniques, emphasise the necessity for robust security measures and continuous monitoring by companies.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
