Ducktail Infostealer Targets Meta

Ducktail Infostealer Returns

Zettasecure monitors all security related threat actors that could target their customers in any way and cause harm to them. Back in September of 2022 we got aware of a new phishing campaign that specifically targets some of our users with access to Meta (Facebook) Business accounts by deploying Infostealer malware on their pcs and stealing all cookies from logged in users. The targets are handpicked by locating companies operating on Meta (Facebook) Business Ads. The operators for that firms are then located possibly with LinkedIn which is also used as a phishing channel. More about that can be found on our first blog entry back in September here.

Ducktail evolves

After the first report from WithSecure was published here, the threat actors changed their operation and switched from directly targeting individuals and businesses to targeting the public at large. This is done by deploying different malicious files in .zip format posing as cracked or free software versions from Microsoft Office, different games, programs, subtitle files, and more. The attackers then lure a victim into downloading and executing these files. To gain trust from their victims, those .zip files are mostly hosted on trusted file sharing platforms. In one case reported here, victims recieved a malicious archive inside a WhatsApp chat as well, which extens the phishing operation of this threat actor to a never seen channel. A report from ZScaler has also seen that there is a focus on more data then before. According to their analysis following capabilities are now inside this malware:

  • Fetches browser information installed in the system.
  • Pulls out stored information of browser cookies from the system. 
  • Targets Meta Business Accounts. 
  • Looks for crypto account information in the wallet.dat file. 
  • Collects and sends the data to the command and control (C&C) server (Currently Telegram Servers).

As we can see, there is a shift from just the Meta (Facebook) Accounts to a broader approach. After the infection and the exfiltration of the data occured, hands-on work starts by the threat actors and more information theft will be conducted on the infected system.

How to protect myself from these attacks?

This type of attack mostly focuses on Social Engineering tactics onto all employees with access to accounts and sensitive information. Therefore we suggest you the following steps to reduce the impact on your company and the users:

  • Use an updated Endpoint Detection and Response solution (Like SentinelOne Complete).
  • Conduct an awareness training on how to detect phishing properly.
  • Assess your attack surface to know which employees might be affected. Start by focusing on LinkedIn and WhatsApp data dumps.
  • Review your Facebook Business users -> Business Manager > Settings > People.
  • Revoke access from unknown users and check all your devices.
  • Review your YouTube Brand Account users-> Settings > Account > Add or remove manager(s). Revoke access from unknown users and check all your devices.
  • Logout after every session and login at the next one. A password manager would help you with that.
  • Use MFA on all manager accounts.
  • Never download any files not relevant for your work.

Last but not least, check if you are already infected with Ducktail by checking all public available IoCs from here. If so, reach out to Zettasecure and we will help you mitigating this attack.


  1. Armando

    Very good write-up. I absolutely appreciate this website.

  2. Jaclyn

    Great post! I totally support your perspective. Insert specific point of agreement
    or appreciation.

    I also thought it was important to mention insert additional point or personal experience related to
    the topic.

    Thanks for sharing your ideas on this topic. We need more of this kind of discussion in today’s world, and
    I’m glad to see that insert author’s name or blog’s name is covering

    Looking forward to more posts.

    1. zettasec_admin

      Thank you for your Feedback. Keeping you posted!

  3. Margery

    Your mode of describing all in this piece of writing is actually good, every one be able to without
    difficulty know it, Thanks a lot

  4. Ines

    Its like you read my mind! Yօu sеem to know
    a lⲟt ɑbout this, like you wrote tһe post.
    I thіnk thɑt yoս can do with a few pics to drive tһe
    message home a Ьit, but оther tһan that, this іs magnificent blog.

    Ꭺn excellent read. I wіll certainly be back.

  5. coinbar

    Hi Dear, are you in fact visiting this website regularly, if so
    afterward you will without doubt obtain good knowledge.

  6. Linette

    Your way of telling everything in this paragraph is really pleasant,
    all can simply understand it, Thanks a lot!

  7. claritas

    I enjoy what you guys are up too. Such clever work and coverage!
    Keep up the wonderful works guys I’ve you guys to
    my personal blogroll.

  8. juanadowse

    Awesome post.

Leave a Reply

Your email address will not be published. Required fields are marked *