A new malware campaign, named “Voldemort,” is causing havoc across thousands of Windows systems globally, targeting organizations in the U.S., Europe, and Asia by disguising itself as a fake PDF file. According to Proofpoint’s report, the campaign began last month, delivering over 20,000 phishing emails to more than 70 organizations, particularly in sectors like aerospace, insurance, education, and transportation. At its peak, the attackers sent more than 6,000 emails in a single day.
The malware primarily seeks to conduct cyber espionage, although the identity of the threat actor remains unknown.
How Does ‘Voldemort’ Work?
The campaign starts with phishing emails that impersonate tax authorities, using publicly available information about the targeted organizations. The email contains a link supposedly directing users to updated tax information. When clicked, the link redirects victims through a “Google AMP” cache URL to a fake document page hosted on “InfinityFree,” prompting users to click a “view document” button.
For Windows users, this action triggers a download of a hidden LNK file disguised as a PDF. LNK files are typically shortcuts to open files, folders, or websites, but in this case, the LNK file executes a Python script. This script, while showing a decoy PDF, runs in the background and downloads a malicious DLL file that loads the Voldemort malware into the system’s memory.
Once active, Voldemort uses Google Sheets as a command-and-control server, communicating over encrypted channels via the Google API to receive commands and exfiltrate stolen data. This method makes detection by traditional security tools difficult.
How to Protect Yourself from ‘Voldemort’
Since Voldemort operates as fileless malware, standard antivirus software may struggle to detect it. If accidentally activated, the best option is to reinstall Windows. Proofpoint advises organizations to limit access to external file-sharing services, block connections to TryCloudflare unless necessary, and monitor PowerShell for suspicious activity.
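The lure described above relies on Explorer hiding the .lnk extension so a shortcut looks like a PDF. The following triage script is an added example, not code from Proofpoint or the article: it identifies Windows Shell Link files by their fixed header bytes (HeaderSize 0x4C plus the LinkCLSID from the MS-SHLLINK specification) rather than by name, and flags those parked behind a document extension. The sample file names and contents are constructed for the demo.

```python
"""Find Windows shortcut (.lnk) files masquerading as documents (added example)."""
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000 01140200 00000000 C0000000 00000046")
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def is_lnk(data: bytes) -> bool:
    """True if the leading bytes carry the Shell Link header; the name is ignored."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def masquerade_reason(path: Path, head: bytes) -> Optional[str]:
    """Explain why a shortcut is suspicious, or return None for non-shortcuts
    and ordinary shortcuts such as 'tool.lnk'."""
    if not is_lnk(head):
        return None
    suffixes = [s.lower() for s in path.suffixes]
    # 'report.pdf.lnk': Explorer hides '.lnk', so the user sees 'report.pdf'.
    if len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOC_EXTENSIONS:
        return "shortcut with hidden .lnk behind a document extension"
    # 'report.pdf': Shell Link content stored directly under a document extension.
    if suffixes and suffixes[-1] in DOC_EXTENSIONS:
        return "shortcut content stored under a document extension"
    return None


def scan_directory(root: Path) -> Dict[str, str]:
    """Map each suspicious file name under root to the reason it was flagged."""
    findings: Dict[str, str] = {}
    for p in root.rglob("*"):
        if p.is_file():
            with p.open("rb") as fh:
                reason = masquerade_reason(p, fh.read(len(LNK_MAGIC)))
            if reason:
                findings[p.name] = reason
    return findings


def build_and_scan_samples() -> Dict[str, str]:
    """Write constructed sample files to a temp dir and scan them."""
    samples = {
        "Tax_Update_2024.pdf.lnk": LNK_MAGIC + b"\x00" * 56,  # the lure pattern
        "invoice.pdf": LNK_MAGIC + b"\x00" * 56,               # renamed shortcut
        "real.pdf": b"%PDF-1.7\n%constructed sample\n",        # genuine PDF header
        "Desktop_Tool.lnk": LNK_MAGIC + b"\x00" * 56,          # ordinary shortcut
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in samples.items():
            (root / name).write_bytes(data)
        return scan_directory(root)
```

Run `build_and_scan_samples()` to see only the two disguised shortcuts reported; a real PDF and a plain .lnk are left alone.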
Though the malware is mainly targeting organizations, those with workplace emails should be cautious. Avoid downloading attachments or files from unknown senders or sources outside your organization.