Social engineering campaigns thrive on exploiting people’s emotions—curiosity, fear, excitement, and even sympathy—by capitalizing on current events. Malspam and social media platforms are key distribution channels for these attacks. Cybercriminals can quickly generate click-bait content with links to malicious websites or malware.
PDiddySploit is a classic example: attackers leveraged the Sean “Diddy” Combs scandal to spread malware disguised as deleted social media posts, demonstrating how swiftly social engineering campaigns evolve to exploit trending topics.
The recent scandal involving Sean “Diddy” Combs has provided a fertile ground for cybercriminals to launch a new and sophisticated social engineering campaign, exploiting the public's curiosity.
Dubbed PDiddySploit, the malware sample uploaded to VirusTotal is a .exe executable file designed to compromise victims using Microsoft Windows. The campaign has leveraged Diddy's notoriety by claiming to provide juicy deleted social media posts as a lure.
First discovered on September 13th, 2024, PDiddySploit is a variant of the well-known PySilon RAT (Remote Access Trojan), an advanced piece of malware written in Python. PySilon RAT has evolved significantly over the years, incorporating features that make it exceptionally dangerous, including:
Data Exfiltration: The malware can steal sensitive data, such as credentials and personal information, from infected systems.
Keylogging: PDiddySploit records every keystroke, enabling cybercriminals to capture passwords and other sensitive content.
Screen Capture: The malware can take screenshots of the victim’s device, monitoring their activity in real time.
Remote Command Execution: PDiddySploit can execute commands sent remotely from an attacker-controlled Discord server, giving attackers near-complete control over compromised devices.
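As a defensive illustration of the Discord command channel described above, here is an added example (not code from this post, nor from Veriti or Packetlabs) that scans network-log lines for Discord API traffic coming from processes other than the Discord client, the kind of check that surfaces a Discord-controlled RAT such as PySilon. The log format, the sample lines and the process allowlist are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed network log lines (timestamp, process, destination host, URL path);
# not taken from the post, which only names Discord as the RAT's command channel.
SAMPLE_LOG = """\
2024-09-14T10:01:02Z Discord.exe discord.com /api/v9/gateway
2024-09-14T10:01:05Z chrome.exe x.com /home
2024-09-14T10:02:10Z PDIDDYSPLOIT.exe discord.com /api/v9/channels/0/messages
2024-09-14T10:02:11Z PDIDDYSPLOIT.exe cdn.discordapp.com /attachments/0/0/screen.png
2024-09-14T10:03:00Z svchost.exe update.microsoft.com /v1/check
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
# Processes expected to reach Discord: an assumption to tune per environment.
EXPECTED_PROCS = {"discord.exe"}


def is_discord_host(host):
    """True for a Discord domain or any subdomain of one (e.g. cdn.discordapp.com)."""
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in DISCORD_DOMAINS)


def find_suspicious(log_text):
    """Return parsed records where a process outside the allowlist talks to Discord."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip malformed lines instead of aborting the whole scan
        rec = m.groupdict()
        if is_discord_host(rec["host"]) and rec["proc"].lower() not in EXPECTED_PROCS:
            # The channel-messages endpoint is where a bot polls for commands or posts results.
            rec["messages_api"] = "/channels/" in rec["path"] and rec["path"].endswith("/messages")
            hits.append(rec)
    return hits


def summarize(hits):
    """Group hits per process: event count and the distinct Discord hosts contacted."""
    by_proc = defaultdict(lambda: {"events": 0, "hosts": set()})
    for rec in hits:
        by_proc[rec["proc"]]["events"] += 1
        by_proc[rec["proc"]]["hosts"].add(rec["host"])
    return {p: {"events": v["events"], "hosts": sorted(v["hosts"])} for p, v in by_proc.items()}


if __name__ == "__main__":
    for proc, info in summarize(find_suspicious(SAMPLE_LOG)).items():
        print(f"ALERT {proc}: {info['events']} Discord event(s) to {', '.join(info['hosts'])}")
```

On the sample log the only process flagged is the unexpected executable, with two events across discord.com and cdn.discordapp.com.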
Here’s a breakdown of the techniques observed in this campaign:
Malicious File Distribution: The attackers have been uploading infected files named “PDIDDYSPLOIT” and other variants to public repositories like VirusTotal. These files, masquerading as legitimate posts or documents related to Diddy’s social media activity, lure victims into downloading them.
Exploitation of Deleted Content: By presenting these files as containing “hidden” or “removed” posts from Diddy’s deleted social media account, the attackers are leveraging human curiosity. Users are drawn in by the allure of exclusive content, not realizing they are downloading malicious files.
Targeting Social Media Users: The attackers are specifically targeting users on X.com, where the scandal initially unfolded. Given that much of the content has since been deleted, cybercriminals are exploiting the intrigue around the missing posts to trick users into clicking on these infected files.
Leveraging Multiple Malware Variants: While PDiddySploit is the primary malware being distributed, Veriti’s research team has observed an increase in PySilon RAT variants being used by multiple threat actors. Over 300 PySilon RAT samples have been reported on VirusTotal since June 2023, showing how attackers are continually refining their approach.
Cybercriminals frequently use trending topics and high-profile events to launch their social engineering campaigns. These inspirations are usually chosen for their ability to provoke strong emotional responses, which can lead to hasty and less-guarded interactions with malicious content. Common themes include:
COVID-19 spurred social engineering attacks, as cybercriminals exploited widespread fear and uncertainty. These campaigns included:
Phishing Emails Posing as Health Authorities: Messages impersonating the World Health Organization (WHO) or Centers for Disease Control and Prevention (CDC) urged recipients to click on malicious links for "critical health updates" or download fake COVID-19 apps and safety guidelines.
Fake COVID-19 Relief Applications: Attackers used fraudulent forms claiming to offer access to government relief funds, which were actually used to harvest personal data and financial information.
Vaccine-Related Scams: Malware was often embedded in files labeled as vaccine registration forms, immunization records, or “essential worker” verification documents, preying on individuals’ hopes of receiving a vaccine.
Government-themed phishing campaigns have been a persistent tactic for social engineering. By leveraging the authority of government agencies, attackers create a sense of urgency or fear, tricking recipients into taking immediate action. Common government-related social engineering campaigns include:
Tax Scams: Attackers send emails masquerading as tax authorities like the Canada Revenue Agency (CRA) or the IRS, demanding payment or offering refunds through malicious links.
Court Summons or Legal Threats: Fake court summons or legal threats scare victims into clicking on malicious attachments or links.
Stimulus Check Fraud: During periods of economic instability, fraudulent offers of government stimulus checks or benefits are used to entice victims into providing sensitive information.
Interestingly, this is not the first time cybercriminals have used Sean “Diddy” Combs’ name in malicious campaigns. Back in 2013, a similar attack leveraged Diddy’s hit song “I’m Coming Home” as bait. Malware disguised as an MP3 file was distributed under the guise of a free download of the track. In subsequent years, attackers have used a variety of tactics centered around celebrity scandals to lure victims:
Celebrity Nude Photo Leaks (2016): Cybercriminals exploited infamous nude celebrity photo leaks by distributing malicious PDFs that claimed to offer access to the leaked content.
Oscar Movie Nominations (2020): Malware disguised as free downloads of movies nominated for the 2020 Oscar Best Picture award was used to infect devices, leveraging the heightened interest around the awards.
Natural Disasters: After major events like hurricanes, earthquakes, or wildfires, attackers often disguise malware as donation solicitations or relief information to exploit people’s goodwill and desire to help.
Corporate Data Breaches: Publicly disclosed data breaches are used as lures, with fake alerts or security warnings urging users to download fake security patches.
Popular Software and Game Releases: High-demand software, games, or beta versions are frequently used as bait for malware distribution, leveraging excitement and impatience.
The PDiddySploit campaign is emblematic of how quickly attackers can weaponize celebrity news and scandals to launch new social engineering attacks. With the rise of platforms like X.com as breeding grounds for misinformation and intrigue, these types of campaigns are likely to become more prevalent.
The increasing sophistication of malware like PySilon RAT, coupled with the use of real-world events to lure victims, underscores the need for heightened vigilance and awareness among users.