Cyber Espionage Campaign Leverages Novel Tactics and “Voldemort” Malware to Target Global Organizations
Proofpoint researchers have unearthed a suspected espionage campaign distributing custom malware dubbed “Voldemort.” This operation, impacting over 70 organizations worldwide, combines common and uncommon techniques to deliver a backdoor capable of information gathering and deploying additional payloads like Cobalt Strike.
Over 20,000 phishing emails were sent to more than 70 organizations worldwide, with a significant spike of nearly 6,000 messages on August 17 alone. The emails impersonated tax authorities from various countries, including the U.S., UK, France, Germany, Italy, India, and Japan, and were written in the respective languages of the impersonated agencies. These emails led to landing pages that, upon user interaction, deployed the malware through a series of steps involving Cloudflare tunnels, WebDAV shares, and Python scripts.
The attack chain employed by Voldemort is as innovative as it is complex. The initial phishing emails contained Google AMP Cache URLs that redirected victims to landing pages hosted on platforms like InfinityFree. These pages then prompted victims to open Windows Explorer via a search-ms URI, which silently executed a search query that led to the download of a malicious LNK or ZIP file.
The malware’s sophistication becomes apparent in its use of Google’s infrastructure for command and control (C2) operations. Specifically, Voldemort uses Google Sheets to receive commands and exfiltrate data. This unusual method allows the threat actor to bypass traditional security measures and avoid detection, leveraging legitimate cloud services in a way that is difficult to block without impacting normal business operations.
Once executed, the malware, which is a custom backdoor written in C, performs information gathering and can load additional payloads. One such payload is Cobalt Strike, a widely used post-exploitation tool that was hosted on the actor’s infrastructure.
The Voldemort campaign primarily targeted 18 different verticals, with a particular focus on insurance companies, aerospace, transportation, and universities. Interestingly, the threat actor’s targeting was highly specific, often using publicly available information to link victims to their country of residence rather than their organization’s operational country. This precision targeting suggests a deeper motive beyond financial gain, pointing towards espionage.
Proofpoint’s researchers found that the malware’s C2 communications were managed through Google Sheets, where each infected machine was assigned a unique identifier. Commands issued to the malware included basic operations such as file directory listings, downloading and uploading files, and executing commands—all activities typical of espionage-driven data collection.
One of the most notable techniques used in this campaign is the abuse of the Windows saved search file format (.search-ms). This rarely seen method allows the malware to display remote files as if they were local, further obscuring its activities from the victim. The .search-ms files used in this campaign were manually edited to display as “Downloads” in Windows Explorer, making them appear innocuous to unsuspecting users.
By exploiting this feature, the threat actor was able to hide the true nature of the files and increase the likelihood of successful infection. This tactic, combined with the use of DLL hijacking through the CiscoCollabHost.exe process, demonstrates the sophistication of the Voldemort malware.
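As an added example (not Proofpoint's code or tooling), a small Python checker for the search-ms lure described above: it pulls search-ms: URIs out of text such as an email body or landing page and flags those whose crumb scope points at a remote location (UNC or WebDAV/HTTP) while the displayname mimics a local folder such as "Downloads". The parameter names follow Microsoft's documented search-ms protocol syntax; the sample URIs and the list of local-looking names are constructed for this example.

```python
"""Flag search-ms: URIs that point Explorer at remote content under a
local-looking display name. Added example; samples are constructed."""
import re
from urllib.parse import unquote

# Display names borrowed from well-known local folders. The page names
# "Downloads"; the others are assumed extensions of the same idea.
LOCAL_LOOKING_NAMES = {"downloads", "documents", "desktop"}
# A crumb location is remote if it is a UNC path or an HTTP(S)/WebDAV URL.
REMOTE_LOCATION = re.compile(r"^(\\\\|//|https?://)", re.IGNORECASE)


def parse_search_ms(uri):
    """Return the search-ms parameters as a dict, or None if not a search-ms URI."""
    m = re.match(r"^search-ms:(.*)$", uri.strip(), re.IGNORECASE)
    if not m:
        return None
    params = {}
    for part in m.group(1).split("&"):
        key, _, value = part.partition("=")
        params[key.strip().lower()] = unquote(value)
    return params


def assess_search_ms(uri):
    """Score one URI on remote scope and local-looking display name."""
    params = parse_search_ms(uri)
    if params is None:
        return None
    findings = []
    crumb = params.get("crumb", "")
    location = crumb[len("location:"):] if crumb.lower().startswith("location:") else ""
    if location and REMOTE_LOCATION.match(location):
        findings.append(f"remote scope: {location}")
    name = params.get("displayname", "").strip().lower()
    if name in LOCAL_LOOKING_NAMES:
        findings.append(f"local-looking displayname: {params['displayname']}")
    return {"uri": uri, "location": location, "findings": findings,
            "suspicious": bool(findings)}


def scan_text(text):
    """Extract every search-ms: URI from a text blob and assess each one."""
    uris = re.findall(r"search-ms:[^\s\"'<>]+", text, re.IGNORECASE)
    return [assess_search_ms(u) for u in uris]


# Constructed samples: a benign local search and one modelled on the lure.
SAMPLE_HTML = """
<a href="search-ms:query=invoice&crumb=location:C:\\Users\\me\\Documents&displayname=Invoices">local</a>
<a href="search-ms:query=tax&crumb=location:\\\\files.example.invalid\\share&displayname=Downloads">lure</a>
"""
```

Decode HTML entities first if the href is entity-encoded, since the parser splits on a literal `&`.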
Despite the advanced techniques used in this campaign, some aspects of Voldemort’s operation are curiously rudimentary. For instance, the campaign used basic file-naming conventions like “test” for passwords and filenames. This mix of sophisticated and simplistic methods has led Proofpoint to describe the campaign as a “Frankensteinian amalgamation” of capabilities, making it difficult to assess the threat actor’s true level of expertise.
The campaign’s blend of espionage and cybercrime elements suggests that it could be the work of multiple threat actors with varying levels of skill, or a single actor experimenting with different techniques. The ultimate goal of the campaign remains unclear, but the focus on information gathering indicates a strong interest in espionage.