A PHP version of an information-stealing malware called Ducktail has been discovered in the wild being distributed in the form of cracked installers for legitimate apps and games, according to the latest findings from Zscaler.
“Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc.,” Zscaler ThreatLabz researchers Tarun Dewan and Stuti Chaturvedi said.
Ducktail, which emerged on the threat landscape in late 2021, is attributed to an unnamed Vietnamese threat actor, with the malware primarily designed to hijack Facebook business and advertising accounts.
The financially motivated cybercriminal operation was first documented by Finnish cybersecurity company WithSecure (formerly F-Secure) in late July 2022.