Suspected Vietnamese-speaking threat actors have been expanding operations involving the Ducktail information stealer with added capabilities, SecurityWeek reports.
LinkedIn was used to deliver the Ducktail infostealer earlier this year, but the attackers halted malware distribution in August after the digital certificate used in the campaign was revoked. They resumed operations the following month with a novel variant compiled with the .NET 7 NativeAOT functionality, a report from WithSecure revealed.
That variant was able to retrieve email addresses from the attackers' command-and-control server, but in October the threat actors were observed reverting to .NET Core 3 Windows binaries for the malware, which concealed malicious activity with dummy files. Attackers have also deployed numerous multi-stage Ducktail variants. The findings further showed that Ducktail targeted victims through WhatsApp archive files.
"One of these hands-on incidents involved a victim operating entirely within the Apple ecosystem that had not logged on to their Facebook account from any Windows machine. The initial vector for this incident has been left undetermined due to insufficient evidence. The investigation found no sign of malware usage or host compromise across user devices," said WithSecure.
Ontario's perinatal, newborn, and child registry Better Outcomes Registry & Network had sensitive data from nearly 3.4 million individuals compromised in late May as a result of the widespread MOVEit hack conducted by the Cl0p ransomware operation, reports BleepingComputer.
Major U.S. consumer product leasing firm Progressive Leasing has disclosed that some of its systems have been impacted by a cyberattack that resulted in the significant compromise of personally identifiable information belonging to its customers and other individuals, according to The Record, a news site by cybersecurity firm Recorded Future.
T-Mobile has denied being impacted by a cyberattack in April that compromised employee information after VX-Underground reported that it had been notified by threat actors of the attack, which occurred immediately after the telecommunications provider was breached in March, according to The Record, a news site by cybersecurity firm Recorded Future.