2 September 2024

Threat actors using novel Voldemort backdoor in global cyberespionage campaign


Researchers at Proofpoint have uncovered a suspected Advanced Persistent Threat (APT) group using a custom backdoor named ‘Voldemort’ in a global cyberespionage campaign. This previously unknown group has targeted organizations across multiple sectors, employing sophisticated phishing tactics.

The campaign, which began on August 5, 2024, has impacted over 70 organizations worldwide, including those in critical sectors such as aerospace, finance, healthcare, government, and telecommunications. The attackers have primarily used phishing emails to infiltrate victim organizations, impersonating tax authorities from Europe, Asia, and the United States. The phishing emails featured local language lures in English (US/UK), French, German, Italian, Indian, and Japanese, enhancing their authenticity.

The attackers leveraged malicious LNK and ZIP files to deliver the Voldemort backdoor, a custom-built malware written in C.

Once installed, Voldemort can collect information from infected systems and drop additional malicious payloads. The malware utilizes a novel command-and-control (C2) mechanism, communicating with the attackers through Google Sheets. This allows the operators to execute commands, exfiltrate data, and manage their operations without relying on a traditional C2 server, making detection and mitigation more challenging.
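A defender's view of the Sheets-based C2 pattern described above: since the malware polls the Google Sheets API rather than a conventional C2 server, one usable signal is repeated Sheets API traffic from a process that is not a browser or a known spreadsheet client. The following is an added illustration, not code from the original report; the log format, the process allow-list and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of endpoint network-connection events (one per line).
# "svc_update.exe" is a made-up process name standing in for an unexpected client.
SAMPLE_LOG = """\
2024-08-06T09:12:01Z host=ws-017 proc=chrome.exe dst=sheets.googleapis.com bytes_out=812
2024-08-06T09:12:44Z host=ws-017 proc=svc_update.exe dst=sheets.googleapis.com bytes_out=2411
2024-08-06T09:13:10Z host=ws-017 proc=svc_update.exe dst=sheets.googleapis.com bytes_out=1987
2024-08-06T09:14:02Z host=ws-022 proc=excel.exe dst=sheets.googleapis.com bytes_out=640
2024-08-06T09:15:30Z host=ws-031 proc=outlook.exe dst=graph.microsoft.com bytes_out=9001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Assumed allow-list: processes that legitimately talk to the Sheets API in this environment.
KNOWN_SHEETS_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "excel.exe"}
SHEETS_HOSTS = {"sheets.googleapis.com"}


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["bytes"] = int(event["bytes"])
    return event


def find_suspicious_sheets_clients(log_text, min_events=2):
    """Return {(host, proc): count} for non-allow-listed processes that reach the
    Sheets API at least min_events times; repeated polling is the C2-like pattern."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["dst"] not in SHEETS_HOSTS:
            continue
        if event["proc"].lower() in KNOWN_SHEETS_CLIENTS:
            continue
        counts[(event["host"], event["proc"])] += 1
    return {key: n for key, n in counts.items() if n >= min_events}


if __name__ == "__main__":
    for (host, proc), n in find_suspicious_sheets_clients(SAMPLE_LOG).items():
        print(f"review: {proc} on {host} contacted the Sheets API {n} times")
```

Tune the allow-list and threshold to the environment; a single hit from an unknown process is worth a look, but the repeated-poll threshold keeps noise down.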

Proofpoint researchers noted that Voldemort was used in conjunction with other tools commonly associated with cyberespionage, including the popular post-exploitation framework Cobalt Strike. The presence of Cobalt Strike suggests that the attackers were likely preparing to conduct more extensive and persistent operations within the compromised networks.

While the technical aspects of the campaign bear similarities to cybercrime activities, such as the use of phishing and familiar malware tools, Proofpoint believes this is more likely a cyber-espionage operation based on the scale, sophistication, and target selection.
