Voldemort Malware exploits Google Sheets for espionage, blending cybercrime with trusted platforms in a sophisticated hybrid campaign targeting global organizations…

Continue reading
This Threat Research explores the underlying intricacies of the Voldemort malware campaign, a highly sophisticated cyber-espionage operation. Designed for Malware Researchers, Security Analysts, CISOs, and CSOs, this analysis delves into Voldemort’s use of trusted services, multi-vector attacks, and its ability to blend cybercrime and espionage techniques.
Key to the campaign is its abuse of Google Sheets for Command and Control (C2) communications, masking its malicious activities behind trusted services. Furthermore, Voldemort uses DLL side-loading via legitimate Cisco WebEx executables and advanced fileless techniques, emphasizing the threat it poses to modern enterprises.
The Voldemort malware targets a broad range of industries including insurance, aerospace, transportation, and education, combining espionage with cybercrime techniques.
This Threat Research & Analysis addresses:
The Voldemort malware combines cybercrime and espionage, using familiar techniques such as phishing while incorporating sophisticated evasion tactics like cloud-based C2 infrastructure. This hybridization is what makes Voldemort an unprecedented threat.

*sectors Voldemort malware email campaigns have been active (proofpoint)*
Voldemort’s first detection occurred on August 5, 2024, escalating rapidly with 20,000 phishing emails sent by mid-August. The campaign’s phishing emails targeted more than 70 organizations globally in industries like insurance and aerospace, pointing to potential industrial espionage.

*InfinityFree hosted landing page*
The campaign intensified on August 17, 2024, with a peak of 6,000 phishing emails in one day. As the campaign progressed, attackers evolved their delivery techniques, using obfuscated payloads and TryCloudflare tunnels for hosting malicious components.
At its core, Voldemort uses a C-based backdoor to execute espionage activities, such as data exfiltration and command execution. The malware initially deploys via a phishing link that triggers search-ms URI exploitation, launching fileless Python scripts to avoid detection. These scripts gather detailed system information using platform.uname().
Voldemort’s most unique feature is its use of Google Sheets for C2 communications. This allows the malware to stay under the radar by communicating through trusted cloud platforms. Each infected machine is assigned a UUID, which it uses to interact with designated cells in the Google Sheet, executing commands or exfiltrating data.

Voldemort’s DLL side-loading exploits CiscoCollabHost.exe, loading its malicious DLL to execute under the guise of a trusted process. Combined with fileless execution using PowerShell and Python scripts from WebDAV shares, this strategy allows Voldemort to bypass endpoint protection systems.

Voldemort uses scheduled tasks to maintain persistence, ensuring its backdoor remains active after reboots. Additionally, the malware’s backdoor includes a delayed execution mechanism to avoid sandbox analysis.
Voldemort’s campaign exhibits characteristics of Advanced Persistent Threats (APTs), focusing on espionage rather than financial gain. The malware targets high-value sectors like aerospace and insurance, which suggests state-sponsored motivations.
While Voldemort employs cybercriminal tactics, such as phishing, its long-term data collection and intelligence-gathering capabilities point to espionage objectives. The blending of techniques makes it difficult to attribute to a specific threat actor.
Key phishing URLs hosted on InfinityFree and Google AMP Cache are primary indicators of compromise. These URLs often redirect victims to landing pages containing malicious files.
Monitoring file hashes such as CiscoSparkLauncher.dll and test.zip can help identify and block malicious files.
WebDAV shares and TryCloudflare tunnels were used for payload delivery and command execution.
Monitoring for anomalous traffic to Google Sheets is essential. Any unusual volume of data transferred or repeated connections from the same machine should raise alerts.
Restrict access to unnecessary external file-sharing services like WebDAV and TryCloudflare to prevent fileless execution.
Since Voldemort relies on fileless execution, behavioral-based detection is critical. Monitoring PowerShell and API calls for anomalies can reveal malware attempting to execute scripts from remote sources.
The Voldemort malware campaign represents an evolution in cyber-espionage, merging cybercriminal and nation-state tactics. Its abuse of trusted platforms like Google Sheets introduces new challenges for defenders. As malware continues to leverage cloud-based infrastructure and fileless execution, security teams must evolve their defenses to monitor trusted services and detect anomalous behaviors early.