BlueDuck: an(other) Infostealer Coveting Digital Marketing Agencies’ Facebook Business Accounts

Back to Posts

BlueDuck: an(other) Infostealer Coveting Digital Marketing Agencies’ Facebook Business Accounts

Reading Time: 10 minutes


In November 2023, the Yarix Cyber Threat Intelligence team (YCTI) intercepted a set of suspicious phishing emails addressed to digital marketing agencies that were impersonating different famous fashion brands. Through the analysis of these emails, we uncovered the activities of a Vietnamese cybercriminal group distributing a malicious python-based infostealer, tracked as BlueDuck, aimed to collect sensitive information from infected hosts (e.g., browser-saved password, cookies, credit cards) and specifically designed to steal Meta business accounts.

In this blog post we will present and discuss BlueDuck as well as the modus operandi of the Vietnamese cybercriminal group linked to the tracked campaigns, providing insights on their operations and Tactics, Techniques and Procedures (TTPs).

Another Vietnamese scam group?

During the investigation, after collecting enough evidence to attribute the malicious activities to a Vietnamese threat group, we researched publicly available reports to correlate the campaign under analysis to other known activity clusters. The research identified some references about the stealer under analysis [1][2] as well as numerous instances of Vietnamese actors distributing information stealers, such as NodeStealer 2.0[3] and Ducktail[4], specifically targeting Facebook Business accounts, suggesting an interest in compromising social media platform’s business data by Vietnamese cybercrime. This trend is attributable to the Advertising-as-a-Service (AdaaS) cybercriminal model, which was well described in WithSecure’s DuckTail report and can be summarized in the following key steps:

  • The threat actor running the AdaaS business targets and steals Social Media Business Accounts of high-value organizations (e.g., digital marketing agencies);
  • A threat actor buys the AdaaS service to host malicious advertisements on social media platforms and distributes malware, phishing websites or perform other fraudulent activities (e.g., Win$ton[5], a Russian-speaking scam group tracked by Yarix Cyber Threat Intelligence team);
Figure 1: Advertising As A Service business model

While BlueDuck team shares a common objective with the other Vietnamese threat actors and demonstrates some overlap in TTPs, they exhibits distinct methodologies that, to the best of our knowledge, have not been previously observed or reported in similar groups.

Kill Chain Stages

The primary goal of the threat actor is to acquire valuable Meta Business accounts for subsequent resale and distribution through their AdaaS. The analysis of the malicious campaigns suggests that the group prioritizes targeting Digital Marketing Agencies, as it is highly likely that such companies have access to Meta Business accounts.

Through monitoring of the BlueDuck group and analysis of their digital traces, we gained a comprehensive understanding of their operational methods exposing well-known emerging cybercriminal tactics. Notably, they harness the power of Artificial Intelligence, specifically Large Language Models (LLMs) solutions, to identify potential victims and generate believable phishing content.


We have evidence that the Vietnamese scam group leverages ChatGPT to identify victims and impersonate legitimate fashion brands. This activity is complemented by open-source intelligence (OSINT) gathering, where they harvest email addresses, marketing agency contact forms, LinkedIn and other freelance platforms (e.g., Fiverr, Upwork) profiles to further their schemes.


Having identified the target brands and victims, the attackers craft a malicious .scr document disguised as a collaboration offer presentation; this file embeds both BlueDuck infostealer and a full Python environment. The malicious file is then compressed alongside generic brand-related images into a password protected ZIP archive. Finally, the archive is uploaded to file sharing platforms such as Google Drive, Dropbox, and OneDrive.

In preparation for the attack, the actors establish a network of fraudulent domains resembling the impersonated brands. These domains will be used in the delivery phase to launch phishing campaigns and further legitimize their deceptive emails.

In addition, leveraging LLMs, the attackers craft convincing phishing content that mimics legitimate collaboration offers from well-known fashion brands. We are also aware that, in a limited set of intercepted campaigns, the attackers are impersonating legitimate companies to accuse targeted digital marketing firms of copyright infringement.


The threat actors engage the victims by exploiting various channels: targeting “contact us” forms on digital agency websites, via email, or via direct interaction on LinkedIn, Fiverr or Upwork.

Figure 2: example of phishing email delivered to a marketing agency


Figure 3: another example of phishing email delivered to a marketing agency

Installation and Execution

Once the compressed archive is extracted and the victim opens the apparently harmless .scr file, at first glance it will appear as a benign document, but in the background it will drop a complete Python environment along with the BlueDuck stealer disguised as an image with a jpeg extension, finally executing it.

To further establish a foothold on the compromised system, the malware adds a persistence mechanism by modifying the “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run“ Windows registry key; allowing the BlueDuck’s automatic execution at system startup.

Figure 4: malicious processes spawned by the malware

Actions on Objectives

The objective of the compromise is the exfiltration of sensitive data from the infected host, this includes session cookies, browser-saved password, and credit cards. The stolen information is then sent to a private Telegram group controlled by the BlueDuck group, where they specifically search for valid Meta Business accounts credentials.

Figure 5: example of exfiltrated data sent to threat actors’ Telegram group

Technical analysis

Based on our telemetry data, we have evidence that BlueDuck’s infostealer malware has been updated at least 3 times. Originally developed in .NET, the group switched to Python around August 2023. In later versions of the malware, BlueDuck used AES encryption to obfuscate the payload, using static decryption keys to dynamically generate and execute the code. This process was likely designed to hinder static analysis and reduce the visibility of sensitive information in the source code.

Most versions of the malware weaponize .scr files to drop and execute the infostealer payload. These files exploit an artificially inflated file size to avoid detection by security tools.

Although the .NET version of the malware wasn’t too similar to other Vietnamese infostealers analyzed by other researchers, we cannot exclude that BlueDuck could be a spinoff or an evolution of a previously tracked Vietnamese group.

During dynamic analysis, it was found that the malware created a temporary directory named “BlueSoft” in the Appdata/Local directory. This naming convention aligns with the group’s tactics, likely chosen to blend in with legitimate software directories while conducting malicious operations. The name “BlueDuck” comes from the name of this folder (and one of the colors of the python logo) and the word “duck”, a common suffix for the names of other Vietnamese groups with similar TTPs.

Figure 6: function that setups BlueDuck folders and injects the persistence

The malware targets user data stored within the following web browsers:  Firefox, Chrome, Brave, Edge, Chromium, Opera, and CocCoc. It is worth noting that CocCoc is a Vietnamese browser not commonly used in the West (we definitely did not know of its existence), which suggests that the threat group may be from Vietnam. This hypothesis is supported by the comments in the python source code, mainly written in Vietnamese, and by a feature that specifically disables persistence and infection of hosts geolocated in Vietnam.

Figure 7: List defining targeted browsers
Figure 8: Python main() function that alerts BlueDuck team if the victim is geolocated in Vietnam with the message: “Tool bị chặn tại Việt Nam!” (trad: “Tool is blocked in Vietnam!”)

After successfully retrieving the browser data, the malware compresses the stolen credentials and cookie data into a zip file and then sends it to a Telegram channel using a Telegram bot. Our analysis allowed us to identify two Telegram bots named “cham_bat_6” and “cham_bat_4”. The naming convention suggests the presence of at least 4 other bots, likely used in other campaigns of by different teams of the same group.

After extracting the browser data, the malware focuses on Meta Ads Manager credentials. These credentials receive an additional enrichment, by querying Facebook Graph APIs to obtain the available business manager accounts (BM), balance and budget for advertisement campaigns. This information is then categorized as “TKQC” (i.e., Tài Khoản Quảng Cáo, trad: Advertising Account) within the code and is saved separately in a .txt file before transmission to the Telegram channels.

Figure 9: Portion of the functions that analyze Facebook Business data by exploiting collected session cookies

The information stored in the TKQC.txt file is structured as follow:

  • Information regarding the Business Manager accounts:
ID: {account_id} | NAME: {account_name} | ROLE: {list_of_permitted_roles[]} STATUS: {account_verification_status]} IS_PROTECTED: {is_protected}
  • Information regarding the managed Ads:
ID: {ad_id} | Tên: {ad_name} | Ngưỡng: {ad_billing_threshold_cycle} | LIMIT: {ad_daily_limit} | Chi Tiêu: {amount_spent} | Status: {ad_status} | Tiền tệ: {ad_currency} | PTTT: {payment_methods}
Figure 10: An excerpt from an intercepted TKQC.txt file transmitted to the BlueDuck scam team


During our investigation, we managed to reconstruct a timeline that shows the duration of the various campaigns carried on by the group. Notably, the brands impersonated by the group predominantly operate within the fashion industry, with the majority being situated in Europe.

The following graph shows the evolution of the campaigns, spanning from June 2023 to March 2024:

We have evidence that the group is subdivided in more than one team, and we have evidence of other brands being impersonated, but we cannot definitively provide a timeline for these other brands. Below is a list of the additional brands that have likely been targeted, with an approximate timeline:

  • Cole Haan – 24/10/2023 to 09/11/2023
  • Sergio Rossi – 09/11/2023 to 25/11/2023
  • Coccinelle – 04/12/2023 to 11/01/2024
  • Stuart Weitzman – 20/02/2024 to 08/03/2024

Our telemetry indicates that the BlueDuck team has successfully compromised at least 700 hosts. Visibility on ongoing campaigns revealed that approximately half contained valid Facebook Business cookie sessions, this translates to the compromise of over 1500 Business Manager accounts managing a total of more than 2800 active advertising campaigns. Notably, a majority of these compromised accounts possess pre-saved payment methods.

Figure 11: Geolocation of compromised hosts

The following graphs shows the victim distribution between the campaigns that we have data for, and the timeline of the infections:

Figure 12: Compromised hosts per campaign
Figure 13: Timeline of infections per campaign


Nowadays, the advertisement ecosystem that revolves around social media platforms is a key value for all companies that want to increase public people engagement and grow their market; platforms such as Facebook and Instagram are perfect places to sponsor products thus reaching a target audience.

The same tactic of promoting content on social media is leveraged by cybercriminals that want to gain profit inducing people to submit credit cards details or sensitive information on phishing websites, as well as distributing malware. However, the threat actors need legit business accounts to reach the largest possible amount of people and to further legitimize the malicious ads; this need has led to the Advertisement-as-a-Service business (AdaaS).

BlueDuck is just one of the many malwares distributed by threat actors who manage AdaaS businesses, which are apparently of great interest to Vietnamese scammers, with their goal of compromising and reselling Meta Business accounts.

Digital marketing agencies, and all industries involved, must understand the risk posed by this threat and secure their social accounts, as well as implement reliable security solution and increase general cybersecurity awareness to minimize the risk of infection by interrupting the kill chain at the early stages (e.g., by not executing files distributed via password protected archives).


Reconnaissance T1589.002 Gather Victim Identity Information: Email Addresses
T1589.003 Gather Victim Identity Information: Employee Names
T1593.001 Search Open Websites/Domains: Social Media
T1594 Search Victim-Owned Websites
Resource Development T1583.001 Acquire Infrastructure: Domains
T1587.001 Develop Capabilities: Malware
T1608.001 Stage Capabilities: Upload Malware
Initial Access T1566.001 Phishing: Spearphishing Attachment
T1566.002 Phishing: Spearphishing Link
T1566.003 Phishing: Spearphishing via Service
Execution T1059.006 Command and Scripting Interpreter: Python
T1204.002 User Execution: Malicious File
T1204.001 User Execution: Malicious Link
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion T1036.008 Masquerading: Masquerade File Type
T1027.009 Obfuscated Files or Information: Embedded Payloads
T1027.002 Obfuscated Files or Information: Software Packing
Credential Access T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1539 Steal Web Session Cookie
Discovery T1033 System Owner/User Discovery
Collection T1113 Screen Capture
Exfiltration T1020 Automated Exfiltration
T1567 Exfiltration Over Web Service



9881cb799e75c511f140f45881e83c3e3b420e35d93a18aff5b4f179a4d9c283 Malicious .scr document acting as dropper
844bf98e02d36e9f2555cffc365a800a4410e3e63b72546602b4b32835fce1e3 Malicious .scr document acting as dropper
3b992218941877fed2cc11b7c588f4f9a39b3b17eaeeae3320a70b995e24be3f Malicious .scr document acting as dropper
d512fd3f987d174c89f644479cf618bf232083bcdf93ae930cbbecb92fa0ff6e Malicious .scr document acting as dropper, .NET version
9e23c082fde2e3e01c57f2c22427aa72c2dcd7721870122aa410eb0ef20df4e1 BlueDuck stealer
c0f6900e6c23cd97133fa7840bf550e37fb6d33af149f8570acf871b57009c3c BlueDuck stealer
7cf3dd075139c698a76db041df607332f547d47c17c2459b610890015c173ca5 BlueDuck stealer
a39906f0eb186cc34884cb77301fc9af16e16ac31fad6b707c10ac1a39c718b5 BlueDuck encoded stealer
b7f087fdbde690db1e346bd6f37707396ca25ca3572030fe2bbe7cf215ca7c11 BlueDuck encoded stealer


  • aloyogafashion[.]com
  • aloyogaclothings[.]com
  • aloyogaglobal[.]com
  • ikksfrance[.]com
  • ikksglobal[.]com
  • ikksllc[.]com
  • ikksfr[.]com
  • ikksinc[.]com
  • ballyllc[.]com
  • ballych[.]com
  • pinkoitaly[.]com
  • pinko-bag[.]com
  • pinkohandbags[.]com
  • pinkobag[.]net
  • it-pinko[.]com
  • pinkoglobal[.]com
  • it-pinkobag[.]com
  • carreraworlds[.]com
  • us-carreraworld[.]com
  • carreraglasses[.]com
  • furla-it[.]com
  • it-furla[.]com
  • tamarisshoe[.]com
  • mansugavriel[.]com
  • mansurgavrielglobal[.]com
  • mansurgavriels[.]com

Phone numbers:

  • +1 8679 880692
  • +44 7701 412889
  • +44 7401 169246
  • +1 236 3011347
  • +44 7380 319122
  • +44 7588 681331
  • +1 4242 436660
  • +1 2135 369121









Giovanni Barbieri is a member of the Yarix Cyber Threat Intelligence Team. He has a master degree in computer engineering and, in addition to research and threat intelligence activities, he enjoys making some noise with his electric guitar and travelling.

Marco Dello Iacovo is a member of the Yarix Cyber Threat Intelligence Team. He has a bachelors degree in computer science, a cool cat and a buch of climbing equipment that rarely gets used. He sometimes enjoys being really bad at CTFs. Also known as Chef.

Share this post

Back to Posts