Skip to content
July 19, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • Beware of LinkedIn: Ducktail Malware’s Sneaky ZIP Attack Revealed
  • Malware

Beware of LinkedIn: Ducktail Malware’s Sneaky ZIP Attack Revealed

Do Son January 4, 2024 3 minutes read
0
Ducktail LinkedIn

Project information records and working contracts.lnk contents

Add Daily CyberSecurity as a preferred source on Google

In December 2023, the cybersecurity community was alerted to a new form of cyber threat – the Ducktail malware. This incident, detected by the eSentire Threat Response Unit (TRU), targeted a digital marketing professional, revealing the sophisticated mechanisms of this malware and underscoring the vulnerabilities in professional networks.

Ducktail began its infiltration through a seemingly innocuous channel – LinkedIn. The attackers sent a private message to the target containing a ZIP archive. This method of delivery highlights a new frontier in cyber attacks, exploiting professional networks and platforms for malware distribution. The use of LinkedIn, a platform known for its professional credibility, marks a concerning trend in how attackers are evolving their strategies to breach defenses.

Project information records and working contracts.lnk contents | Image: TRU

The archive contained bloated shortcuts, over 800MB in size, with batch scripts executing PowerShell commands. These shortcuts were the initial step in a complex attack chain. Upon decoding, these scripts led to the download of additional PowerShell scripts from suspicious URLs. These scripts had two primary functions: to bypass User Account Control (UAC) settings and to execute administrative privileges based on the system’s UAC status.

The Ducktail malware showcased a meticulous approach to evading detection. It checked the system’s UAC settings from the registry and employed techniques to bypass UAC. If UAC was disabled, it downloaded and executed a file with administrative privileges. If UAC was enabled, it used fodhelper.exe, a known method for bypassing UAC on Windows, to overwrite legitimate system files with malicious ones.

The culmination of this attack involved the downloading and execution of two core payloads – ‘mainbot.exe’ and ‘myRdpService.exe’. These .NET payloads, compiled using native Ahead-Of-Time (AOT) compilation, made the analysis process more complicated. The payloads were responsible for establishing a connection with the command-and-control server, executing remote commands, and potentially exfiltrating data. This functionality highlights the risk of sensitive information theft and the need for robust network monitoring and data loss prevention strategies.

The Ducktail malware incident teaches us several critical lessons:

  • Professional networks are not immune to cyber threats. The creativity of attackers in exploiting these platforms calls for heightened caution when interacting with unsolicited messages and attachments.
  • The creation of scheduled tasks and services along with techniques to bypass UAC indicates a focus on avoiding detection and maintaining persistence on infected systems.
  • The ability to query Windows Management Instrumentation for active antivirus products and add exclusion paths to Windows Defender reveals an intent to circumvent standard security defenses.

Related coverage

  • APT28 Weaponizes Office Flaw to Spy on NATO & Military
  • 35,000 Bots, 180 Countries: Inside the Criminal Network of the NSOCKS Botnet
  • Massive GitHub Malware Campaign Targets Gamers and Software Pirates with Redox Stealer
  • Stealthy Skimmer: New Formjacking Malware Targets WooCommerce Checkouts
  • One Click, Bankrupt: Android Trojan Steals Through WhatsApp
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Ducktail malware LinkedIn mainbot.exe myRdpService.exe powershell User Account Control

Leave a Reply Cancel reply

You must be logged in to post a comment.

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2025-71392CVSS 9.4
    SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.