Researchers from WithSecure have identified a cluster of cybercriminals based in Vietnam who have been targeting the digital marketing sector in the UK, US [2] [3] [5] [7] [8], and India [2] [3] [5] [6] [7] [8] [9]. The group uses a combination of malware strains [10], including DarkGate and Ducktail [3] [5] [8] [10], to carry out its attacks.


DarkGate is a Windows Remote Access Trojan (RAT) that has been available as Malware-as-a-Service (MaaS) since 2018 [2]. It has been used in a range of attacks [2] [4], including information and credential stealing [10], cryptojacking and cryptocurrency mining [2] [4] [6] [10], and ransomware campaigns [2] [4] [6]. Ducktail [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], by contrast, is an infostealer built specifically to hijack Facebook Business accounts. The DarkGate campaigns share similarities with the Ducktail campaigns in their lure files, themes [3] [8], targeting [1] [2] [3] [5] [6] [7] [8], and delivery methods [3] [9]; these overlaps are what tie the two sets of campaigns to the same cluster.

The attackers rely on social engineering to get marketing professionals to download and run malicious files. A typical approach is a LinkedIn message that points the victim to a file hosted on Google Drive [3] [8], a technique long used by the Ducktail actors [9]. Individuals with access to Facebook Business accounts have also been targeted directly with the Ducktail infostealer [5]. Once the attackers hold the credentials for a business advertising account [10], they can take it over and run unauthorized ad campaigns [10]. The lures have used the names of companies such as Corsair and Groww [10].
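The delivery chain described above, a LinkedIn message leading to a file download from Google Drive, is specific enough to be turned into a simple detection over web-proxy logs. The following is an added example, not code from the WithSecure research or from this page. The log format (timestamp, user, URL, referer, content type), the host lists, the set of "suspicious" content types, and the five-minute correlation window are all assumptions, and the log lines are constructed for the example. It flags a download from Google Drive of an archive or executable when the request either carries a LinkedIn referer or follows a LinkedIn visit by the same user within the window (the second check matters because referers are often stripped on cross-site navigation).

```python
"""Flag Google Drive downloads of archives/executables that follow a LinkedIn visit.

Added example with constructed proxy log lines; field layout, host lists,
content types and the default time window are assumptions, not indicators
taken from the page or the WithSecure report.
"""
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log: <timestamp> <user> <url> <referer or -> <content-type>
SAMPLE_LOG = """\
2023-10-04T09:12:01Z alice https://www.linkedin.com/messaging/thread/abc - text/html
2023-10-04T09:12:33Z alice https://drive.google.com/uc?export=download&id=1AbCdEfG https://www.linkedin.com/ application/zip
2023-10-04T09:40:10Z bob https://drive.google.com/file/d/9ZyX/view https://mail.google.com/ text/html
2023-10-04T10:02:45Z carol https://drive.google.com/uc?export=download&id=2QwErTy https://www.linkedin.com/ application/pdf
2023-10-04T10:15:00Z dave https://drive.usercontent.google.com/download?id=3PlMnB https://www.linkedin.com/ application/x-msdownload
2023-10-04T10:30:00Z eve https://www.linkedin.com/feed/ - text/html
2023-10-04T10:50:00Z eve https://drive.google.com/uc?export=download&id=4KjHgF - application/zip
2023-10-04T11:00:00Z frank https://www.linkedin.com/messaging/ - text/html
2023-10-04T11:02:00Z frank https://drive.google.com/uc?export=download&id=5DsAqW - application/x-rar-compressed
"""

# Assumed host lists: where the lure is sent from and where the file is hosted.
SENDER_HOSTS = {"linkedin.com", "www.linkedin.com"}
DRIVE_HOSTS = {"drive.google.com", "drive.usercontent.google.com", "docs.google.com"}

# Assumed content types worth alerting on: archives and executables, not documents.
SUSPICIOUS_TYPES = {
    "application/zip",
    "application/x-zip-compressed",
    "application/x-rar-compressed",
    "application/x-7z-compressed",
    "application/x-msdownload",
    "application/octet-stream",
}


def parse_line(line):
    """Split one whitespace-separated log line into a dict of typed fields."""
    ts, user, url, referer, ctype = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "url": url,
        "host": (urlparse(url).hostname or ""),
        "referer_host": (urlparse(referer).hostname or "") if referer != "-" else "",
        "ctype": ctype,
    }


def detect(log_text, window_seconds=300):
    """Return alerts for Drive downloads of suspicious types tied to a LinkedIn visit.

    A download is tied to LinkedIn either by its referer or by a prior LinkedIn
    request from the same user within `window_seconds` (referer-stripping is common).
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    last_linkedin = {}  # user -> timestamp of the most recent LinkedIn request
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["host"] in SENDER_HOSTS:
            last_linkedin[ev["user"]] = ev["ts"]
            continue
        if ev["host"] not in DRIVE_HOSTS or ev["ctype"] not in SUSPICIOUS_TYPES:
            continue
        reason = None
        if ev["referer_host"] in SENDER_HOSTS:
            reason = "referer is LinkedIn"
        elif ev["user"] in last_linkedin:
            delta = (ev["ts"] - last_linkedin[ev["user"]]).total_seconds()
            if 0 <= delta <= window_seconds:
                reason = "LinkedIn visited within window"
        if reason:
            alerts.append({"user": ev["user"], "url": ev["url"],
                           "ctype": ev["ctype"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['user']}: {alert['ctype']} from {alert['url']} ({alert['reason']})")
```

Run against the sample, the rule flags alice and dave on the referer and frank on the time window, while carol's PDF and eve's download twenty minutes after her LinkedIn visit are left alone; widening the window to thirty minutes brings eve in, which is the usual precision-versus-recall trade-off for this kind of correlation. In production the content-type filter should be backed by the file's magic bytes from the proxy or EDR, since a server-supplied Content-Type is trivially spoofable.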

DarkGate's availability as a MaaS offering has driven its uptake in recent months [9]; it is used by a number of groups for different purposes [9], not only by this Vietnamese cluster [9]. Other malware tied to these threat actors includes Lobshot and RedLine Stealer [2] [4] [7]. The cybercrime-as-a-service model makes attributing a given campaign to a particular group difficult [8], since a shared tool says little on its own about who is behind it. The attackers themselves have shown limited sophistication and have made no real attempt to conceal their activity [10].


This Vietnamese cybercrime group focuses mainly on hijacking English-language Facebook Business accounts. It is one of a broader set of Vietnamese actors and is known for using DarkGate, Ducktail [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], Lobshot [1] [2] [4] [5] [6] [7] [8], and RedLine [2] [4] [7] [8]. DarkGate [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], whose distribution has grown this year [1], is available for lease on the dark web. Vietnam has an active cybercriminal ecosystem [1] that includes both financially motivated and espionage-focused actors [1].

The impact of this activity is significant because it targets the digital marketing sector across several countries. Social engineering followed by takeover of a Facebook Business account can mean direct financial loss from unauthorized ad campaigns as well as reputational damage for the affected company. Organizations need strong security controls and employees who understand the risk of opening files received through unsolicited messages.

Mitigations include raising awareness of these tactics and training staff to recognise and avoid phishing, including lures that arrive through LinkedIn messages rather than email. Companies should also keep endpoint protection and software up to date so that known strains such as DarkGate and Ducktail are detected, and limit what a stolen credential is worth by keeping the set of people with administrative rights over Facebook Business accounts small and reviewing it regularly.

Looking ahead, cybercriminals will continue to adapt their tactics and move into new sectors and countries. Security teams and law enforcement agencies need to collaborate and share information to keep pace with these threats.