New Ducktail Infostealer Malware Targeting Facebook Business and Ad Accounts



Hacking Facebook Business Accounts

Facebook business and advertising accounts are the targets of an ongoing campaign dubbed Ducktail, which is designed to seize control of those accounts as part of a financially motivated cybercriminal operation.

“The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware,” Finnish cybersecurity company WithSecure (formerly F-Secure Business) said in a new report.

“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to.”

The attacks, attributed to a Vietnamese threat actor, are said to have begun in the latter half of 2021, with primary targets being individuals with managerial, digital marketing, digital media, and human resources roles in companies.


The idea is to target employees with high-level access to Facebook Business accounts associated with their organizations, tricking them into downloading supposed Facebook advertising information hosted on Dropbox, Apple iCloud, and MediaFire.

In some cases, the archive file containing the malicious payload is also delivered to victims through LinkedIn, ultimately allowing the attacker to take over any Facebook Business account.

Written in .NET Core, the information-stealing binary is engineered to use Telegram for command-and-control and data exfiltration. WithSecure said it identified eight Telegram channels that were used for this purpose.


It works by scanning for installed browsers such as Google Chrome, Microsoft Edge, Brave Browser, and Mozilla Firefox to extract all the stored cookies and access tokens, alongside stealing information from the victim’s personal Facebook account such as name, email address, date of birth, and user ID.

Also plundered is data from the businesses and ad accounts connected to the victim’s personal account. This allows the adversary to hijack those accounts by adding an actor-controlled email address, retrieved from the Telegram channel, and granting it Admin and Finance editor access.

While users with Admin roles have full control over the…