What is DUCKTAIL malware

DUCKTAIL is a malware operation, active since 2021 and attributed to Vietnamese threat actors, that targets individuals and employees with access to Facebook Business accounts. It steals browser cookies and abuses the victim's authenticated Facebook session to take over Facebook Business accounts, which the operators then use to run ads for their own financial gain. Once it is running on a system, DuckTail is organised into six components. It first creates and checks a mutex to ensure that only a single instance of the malware runs. A data-storage component saves and reloads stolen data from a text file in a temporary folder, and a browser-scanning component enumerates the installed browsers to locate their cookie stores for later theft. Two further components do the actual stealing: a general one that collects non-Facebook information, and another that specifically targets Facebook-related data.


How DUCKTAIL malware infected your system

DuckTail is typically delivered through tailored spear-phishing. The operators approach targets on LinkedIn and other platforms and socially engineer them into downloading the malware, which is usually hosted on file-sharing services such as Dropbox and Mega. The lure is dressed up as a job description, salary policy or marketing material and shipped in a folder with a plausible name; in some campaigns it is hidden in archives of product images from well-known brands, aimed at marketing staff in specific industries. The cookie theft itself targets the installed browsers, including Google Chrome, Microsoft Edge, Brave and Firefox. When the victim opens the malicious file, it writes a PowerShell script and a decoy PDF to the device's Public directory. The script opens the decoy PDF in the default PDF viewer, pauses, and then terminates the Chrome browser. At the same time it drops malicious browser-extension files into a Google Chrome directory, masquerading as the legitimate Google Docs Offline extension.
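The following hunting script is an added example and is not code from the original article or from any vendor write-up of DuckTail. It checks for the two artefact classes described above: a recently dropped PowerShell script or decoy PDF in the Public profile, and a Chrome extension whose manifest calls it "Google Docs Offline" but which does not sit under the Web Store ID of the genuine extension. The genuine extension ID, the use of C:\Users\Public as the drop location, the 14-day window and the "no verified_contents.json" sideloading heuristic are assumptions of this example, not facts from the page.

```powershell
# Added example (not from the original article). Read-only triage for the
# infection chain described above. ASSUMPTIONS: $GenuineId is the Web Store ID of
# the real Google Docs Offline extension; C:\Users\Public is the drop folder;
# store-installed extensions ship a signed _metadata\verified_contents.json.
# Run from an elevated prompt so every user profile is readable.
$Days      = 14
$GenuineId = 'ghbmnnjooekpmoecnnnilnnbdlolhkhi'   # assumed genuine Google Docs Offline ID
$Cutoff    = (Get-Date).AddDays(-$Days)

# 1. Scripts, decoys, shortcuts or binaries recently written to the Public profile.
$PublicDrops = Get-ChildItem -Path 'C:\Users\Public' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in @('.ps1', '.pdf', '.lnk', '.exe') -and $_.LastWriteTime -gt $Cutoff } |
    Select-Object FullName, LastWriteTime, Length

# 2. Every Chrome extension manifest in every local user profile.
$ExtFindings = foreach ($User in Get-ChildItem -Path 'C:\Users' -Directory) {
    $UserData = Join-Path $User.FullName 'AppData\Local\Google\Chrome\User Data'
    if (-not (Test-Path $UserData)) { continue }
    # On-disk layout is <profile>\Extensions\<id>\<version>\manifest.json
    Get-ChildItem -Path $UserData -Filter manifest.json -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Directory.Parent.Parent.Name -eq 'Extensions' } |
        ForEach-Object {
            try   { $Manifest = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json }
            catch { return }                       # unreadable or partial manifest: skip it
            $Id   = $_.Directory.Parent.Name       # extension ID is the folder above the version folder
            $Name = [string]$Manifest.name         # may be a localised key such as __MSG_appName__
            $Verified = Test-Path (Join-Path $_.DirectoryName '_metadata\verified_contents.json')
            $Reasons  = @()
            if ($Name -match 'Google Docs Offline' -and $Id -ne $GenuineId) {
                $Reasons += 'name spoofs Google Docs Offline under a foreign ID'
            }
            if (-not $Verified)               { $Reasons += 'no verified_contents.json (sideloaded?)' }
            if ($_.LastWriteTime -gt $Cutoff) { $Reasons += "manifest written within $Days days" }
            if ($Reasons.Count -gt 0) {
                [pscustomobject]@{
                    User     = $User.Name
                    Id       = $Id
                    Name     = $Name
                    Manifest = $_.FullName
                    Reasons  = $Reasons -join '; '
                }
            }
        }
}

'== Files in C:\Users\Public written in the last {0} days ==' -f $Days
$PublicDrops | Format-Table -AutoSize
'== Chrome extensions worth a closer look =='
$ExtFindings | Format-Table -AutoSize -Wrap
```

Treat the output as leads, not verdicts: enterprise-deployed or developer-mode extensions also lack verified_contents.json, and a spoofed extension may use a localised name, so compare the folder ID and the manifest's declared permissions before deleting anything. Whatever you find, remember that cookies already exfiltrated stay valid until the Facebook sessions are logged out and the password is changed.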

  1. Download DUCKTAIL malware Removal Tool
  2. Use Windows Malicious Software Removal Tool to remove DUCKTAIL malware
  3. Use Autoruns to remove DUCKTAIL malware
  4. Files, folders and registry keys of DUCKTAIL malware
  5. Other aliases of DUCKTAIL malware
  6. How to protect from threats, like DUCKTAIL malware

Download Removal Tool


To remove DUCKTAIL malware completely, we recommend using SpyHunter. It can remove the files, folders and registry keys of DUCKTAIL malware and provides active protection against viruses, trojans and backdoors. The trial version of SpyHunter offers a virus scan and a one-time removal for free.

Download Alternative Removal Tool

Download Malwarebytes

To remove DUCKTAIL malware completely, we recommend using Malwarebytes Anti-Malware. It detects and removes the files, folders and registry keys of DUCKTAIL malware and of several million other malware families, including viruses, trojans and backdoors.

Remove DUCKTAIL malware manually

Manual removal of DUCKTAIL malware is difficult for inexperienced users: it creates no entry in Add/Remove Programs under Control Panel, its browser extension masquerades as the legitimate Google Docs Offline extension, and it uses random file names. Removing the malware also does not invalidate cookies it has already stolen, so after cleaning the machine log out of all Facebook sessions, change the password and review the administrators and ad accounts attached to the Business account. That said, Windows ships with built-in tools that let you detect and remove malware without third-party applications. One of them is the Windows Malicious Software Removal Tool. It arrives through Windows Update on Windows 11, 10, 8.1 and 8. For older operating systems you can download it here: 64-bit version | 32-bit version.

Remove DUCKTAIL malware using Windows Malicious Software Removal Tool

  1. Type mrt in the search box next to the Start Menu.
  2. Run mrt by clicking the item found.
  3. Click the Next button.
  4. Choose one of the scan modes: Quick scan, Full scan or Customize scan (Full scan recommended).
  5. Click the Next button.
  6. Click the View detailed results of the scan link to see what was found.
  7. Click the Finish button.

Remove DUCKTAIL malware using Autoruns

DUCKTAIL malware often sets itself up to run at Windows startup as an Autorun entry or a Scheduled Task.

  1. Download Autoruns using this link.
  2. Extract the archive and run the Autoruns.exe file.
  3. In the Options menu make sure Hide Empty Locations, Hide Microsoft Entries and Hide Windows Entries are ticked.
  4. Look for suspicious entries with odd names or that run from user-writable locations such as C:\Users\{username}\AppData\Roaming.
  5. Right-click a suspicious entry and choose Delete. This prevents the threat from running at startup.
  6. Switch to the Scheduled Tasks tab and do the same.
  7. To remove the files themselves, right-click a suspicious entry and choose Jump to Entry…, then delete the files or registry keys it points to.
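The script below is an added example, not code from the original article, and gives a scripted equivalent of the Autoruns check above: it lists Run/RunOnce registry values and scheduled-task actions whose command points into a user-writable location. The set of "suspect" path patterns and the exclusion of the \Microsoft\ task folder are assumptions of this example; tune them for your environment.

```powershell
# Added example (not from the original article). Read-only persistence audit
# covering the two locations the Autoruns steps above inspect. ASSUMPTIONS: the
# $SuspectPatterns list and the \Microsoft\* task-folder exclusion. Requires
# Windows 8 / Server 2012 or later for Get-ScheduledTask; run elevated.
$SuspectPatterns = @(
    '\\AppData\\(Roaming|Local)\\',
    '\\Users\\Public\\',
    '\\Temp\\',
    '\\ProgramData\\'
)

function Test-SuspectPath {
    param([string]$Command)
    foreach ($Pattern in $SuspectPatterns) {
        if ($Command -match $Pattern) { return $true }
    }
    return $false
}

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Registry autostart values whose command lands in a suspect folder.
$RegHits = foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Item = Get-ItemProperty -Path $Key
    foreach ($Prop in $Item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider
        if ($Prop.Name -like 'PS*') { continue }
        if (Test-SuspectPath ([string]$Prop.Value)) {
            [pscustomobject]@{ Source = 'Registry'; Location = $Key; Name = $Prop.Name; Command = $Prop.Value }
        }
    }
}

# 2. Scheduled tasks outside Microsoft's own folders with a suspect action path.
$TaskHits = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $Task = $_
        foreach ($Action in $Task.Actions) {
            # Only exec actions carry Execute/Arguments; COM-handler actions yield an empty string here
            $Cmd = ("$($Action.Execute) $($Action.Arguments)").Trim()
            if ($Cmd -and (Test-SuspectPath $Cmd)) {
                [pscustomobject]@{ Source = 'Task'; Location = $Task.TaskPath; Name = $Task.TaskName; Command = $Cmd }
            }
        }
    }

@($RegHits) + @($TaskHits) | Format-Table -AutoSize -Wrap
```

Once you have confirmed an entry is malicious, Remove-ItemProperty -Path <key> -Name <value> removes a Run value and Unregister-ScheduledTask -TaskName <name> -TaskPath <path> removes a task; delete the file the command points to afterwards, as in step 7 above. Expect some legitimate hits (updaters and chat clients commonly run from AppData), so check the file's publisher signature before removing it.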

Remove files, folder, and registry keys of DUCKTAIL malware

DUCKTAIL malware files and folders

{randomname}.exe

DUCKTAIL malware registry keys

no information

Aliases of DUCKTAIL malware

Trojan:W32/DuckTail.D, W32.Trojan.Ducktail

How to protect against threats like DUCKTAIL malware in future


Standard Windows protection or any decent third-party antivirus (Norton, Avast, Kaspersky) should be able to detect and remove DUCKTAIL malware. However, if you were infected with DUCKTAIL malware while running up-to-date security software, you may want to consider changing it. To protect your PC from DUCKTAIL malware at every level (browser, e-mail attachments, Word or Excel scripts, file system) we recommend a leading provider of internet security solutions, BitDefender. Its solutions for both home and business users have proved to be among the most advanced and effective. Choose and get your BitDefender protection via the button below:

Download BitDefender