A well-resourced and sophisticated threat actor has launched an advanced global phishing campaign, featuring three never-before-seen malware families. The attack is believed to have affected more than 50 firms worldwide, which range in geography and industry type. While the US appears as the main target, EMEA, Asia and Australia have also experienced compromise through this campaign.

The three malware strains involved have been dubbed “Doubledrag,” “Doubledrop,” and “Doubleback,” respectively. Phishing emails containing this malware targeted victims effectively; subjectlines were custom-tailored and included mention of the fictitious organization that the threat actors feigned association with.


Obfuscation techniques masked the campaign’s presence. Initially launched in December of 2020, the phishing-spree struck organizations in two waves. The first series of attacks occurred on December 2nd, 2020, while the second wave occurred between December 11th and December 18th of 2020.

Within the first wave of attacks, 74% of victims were US-based. In the second wave, nearly 70% of targeted firms appeared as American entities.

The three-stage process

The malware relies on either a downloader (Doubledrag) or an Excel sheet that contains an embedded macro, a dropper (Doubledrop) and a backdoor (Doubleback).

Within the phishing emails, a link sends users to a malicious payload within which is a JavaScript downloader. The code is “heavily obfuscated” so that the hackers can prevent detection.

After the code begins to execute, Doubledrag attempts to start the second phase of the attack, involving the dropper, Doubledrop. Due to a PowerShell script, Doubledrop is obfuscated and can easily insert a backdoor. Once everything is in place, the backdoor inserts plugins and can offer reporting to controllers.

Masking the malware families

The attackers leveraged more than 50 domains to help support assorted campaign phases. In addition, they obfuscated the malware components using fileless malware and other anti-detection tactics.


Cyber security researchers assume that these hackers aim to profit from this venture. The calculous around which industries and firms were targeted point in this direction.

What’s next

The campaign appears to be continuing. Researchers have labeled it “an ongoing work in progress”.

Avoiding the campaign

  • Check the subjectline of incoming emails carefully.
  • Individuals should ask themselves about whether or not they recognize the purported vendor.
  • Avoid clicking on suspicious links.
  • In the event that suspicious emails appear to be from co-workers, the receiver can reach back out to the sender to confirm.Unknown malware families, Doubledrag, Doubledrop, Doubleback
  • Strong cyber security training can assist employees in avoiding phishing tactics.
  • On a more technical level, indicators of compromise include hashes and domains used for the emails.

For more on these new malware families, visit ThreatPost.com