Research from Proofpoint shows the growth of a new malware campaign called “Voldemort.” The research asserts that the campaign began on August 5, 2024, and has since impacted more than 70 organizations worldwide with more than 20,000 emails.

More than half of the intended targets are a part of the insurance, transportation, aerospace and education sectors. While the threat actor behind Voldemort is currently unknown, the research claims cyber espionage is the goal of this campaign. 

Security leaders weigh in 

Jason Soroko, Senior Fellow at Sectigo:

“The threat is unusual due to its use of uncommon command and control (C2) methods like Google Sheets, and its combination of various tactics, techniques and procedures (TTPs). Voldemort’s use of Google Sheets for C2 poses risks because it blends malicious activity within legitimate services, making detection more challenging. Organizations can mitigate this by monitoring outbound traffic for unusual patterns, implementing strict application access controls, and using threat intelligence to detect abnormal use of legitimate platforms for C2 purposes.

“Companies can protect against personalized phishing attacks by enhancing email filtering systems, training employees to recognize and report suspicious emails, employing strong multi-factor authentication (MFA), and regularly updating and auditing the visibility of their publicly available information to reduce exposure.

“Organizations can verify the authenticity of communications from government agencies by using direct communication channels, such as official government websites or contacts, to confirm legitimacy. Implementing email authentication protocols like DMARC, SPF and DKIM can also help prevent impersonation-based attacks, as well as S/MIME certificates for ensuring the legitimacy of email sender identities within an organization.”

Mr. Mayuresh Dani, Manager, Security Research, at Qualys Threat Research Unit:

“This attack utilizes Google Sheets for command and control (C2) communications and the use of files laced with malicious Windows search protocol to lure the victim to download the malware. The malware then uses a legitimate version of WebEx software to load a DLL that communicates with the C2 server.

“Organizations should take reactive and proactive means of protecting employee data. They should use spam filters — with strict settings for certain users at risk. AI and LLMs’ spam and language filters should be employed for first time email senders from unknown/untrusted domain names. They should also enforce user education that will help weed out any spurious emails that are eventually delivered. As a reactive means, they should monitor leaks sources for key resources in the company and have them scrubbed.”

Omri Weinberg, Co-founder and CRO at DoControl: 

“The Voldemort campaign stands out due to its unique combination of sophisticated and unconventional techniques. Using Google Sheets for command and control is quite innovative. The attack chain also abuses the Windows saved search file format in an unusual way we haven't seen before. At the same time, the high volume of messages and tax authority lures are more typical of cybercrime campaigns. This blend of APT and cybercrime characteristics makes it an intriguing threat.

“Using Google Sheets for C2 poses serious detection challenges. It’s a legitimate service that many organizations use, so it’s difficult to block outright. The encrypted HTTPS traffic also makes inspection tricky. To detect this, companies need robust network monitoring that can identify suspicious access patterns to Google services. 

“Defending against APTs like Voldemort requires a multi-layered approach, with Exposed Data Intelligence as a foundational element. First, organizations need comprehensive visibility across their environment — you can’t protect what you can’t see or don’t know is exposed. This includes monitoring SaaS applications and understanding what sensitive data might already be out in the wild.

“Exposed data intelligence is crucial here. It supplies you with information about what data from your organization is already exposed, allowing you to better anticipate potential attack vectors and strengthen your defenses accordingly. This might involve additional monitoring of known exposed accounts or extra protection for systems handling sensitive data that attackers might target based on the exposed intelligence.

“Beyond that, companies should implement robust endpoint detection and response (EDR) tools, network segmentation, and data loss prevention (DLP) solutions. Regular threat hunting exercises, informed by your Exposed Data Intelligence, can help identify any attackers that slip through initial defenses.

“Ensuring all systems are patched and properly configured is fundamental. But don’t forget — your security posture should be continuously adjusted based on the insights from your Exposed Data Intelligence. This dynamic approach, powered by up-to-date knowledge of your exposed data, is key to staying ahead of sophisticated APTs that leverage this information for their attacks.”