The Evolution of Ducktail: Vietnamese Hackers Target Indian Marketers with Delphi-Powered Malware

3 min read
The Evolution of Ducktail: Vietnamese Hackers Target Indian Marketers with Delphi-Powered Malware


In the ever-evolving landscape of cyber threats, Vietnamese hackers associated with the Ducktail stealer malware have recently been identified in a new campaign targeting marketing professionals in India. This sophisticated attack, which occurred between March and early October 2023, is marked by a strategic shift in tactics. Unlike previous campaigns relying on .NET applications, this one stands out for its use of the Delphi programming language, as highlighted in a report by Kaspersky.

The Ducktail Cybercrime Ecosystem:

Ducktail, along with its counterparts Duckport and NodeStealer, forms a cybercrime ecosystem originating from Vietnam. These threat actors leverage sponsored ads on Facebook to disseminate malicious content, deploying malware capable of hijacking victims' login cookies and ultimately gaining control of their Facebook Business accounts.

Modus Operandi:

The attackers primarily focus on users with access to Facebook Business accounts. Once unauthorized access is obtained, the hackers use the compromised accounts to place advertisements for financial gain, perpetuating the infections further. In the documented campaign, potential targets looking for a career change receive archive files containing a malicious executable disguised as a PDF icon. Upon execution, the malicious file saves a PowerShell script and a decoy PDF document locally, initiating a series of actions.

Execution Process:

The PowerShell script, named param.ps1, utilizes the default PDF viewer on the device to open the decoy, pausing for five minutes before terminating the Chrome browser process. Simultaneously, the parent executable downloads and launches a rogue library named libEGL.dll. This library scans specific folders for Chromium-based web browser shortcuts and proceeds to alter the LNK shortcut file by appending a "--load-extension" command line switch. This modification is crucial for launching a rogue extension that masquerades as the legitimate Google Docs Offline add-on.

Rogue Extension and Facebook Business Account Hijacking:

The rogue extension, once activated, sends information about all open tabs to an actor-controlled server registered in Vietnam. Its primary objective is to hijack Facebook Business accounts, enabling the attackers to further their malicious activities.

As these cyber threats escalate, major tech companies are taking legal action to curb their impact. Google recently filed a lawsuit against three unknown individuals in India and Vietnam. These individuals are accused of capitalizing on the public's interest in generative AI tools, such as Bard, to spread malware via Facebook and pilfer social media login credentials.


The evolving tactics of the Ducktail cybercrime ecosystem demonstrate the adaptability and persistence of threat actors in the digital realm. As the use of the Delphi programming language emerges in their arsenal, it is imperative for individuals and organizations to stay vigilant, implement robust cybersecurity measures, and collaborate with security experts to mitigate the risks posed by such sophisticated campaigns. The legal actions taken by major tech companies underscore the industry's commitment to combating cyber threats and protecting users from the consequences of malicious activities in the online space.

Follow us on social media

Cyber Unfolded Light Logo
Copyright © 2024 CYUN. All rights reserved.