An avalanche in Skype

There is a new malicious campaign under way on Skype. It's still active and kicking.

The infection vector is social engineering: infected Skype clients send mass messages to their contacts, like these:

i don’t think i will ever sleep again after seeing this photo
tell me what you think of this picture i edited

The short URL service shows that at the moment there are more than 170k clicks on the malicious URL, and only 1 hour ago there were around 160k clicks. This means the campaign is quite active, with around 10k clicks per hour, or 2.7 clicks per second!

Most of the victims come from Russia and Ukraine:


Other countries that are most probably infected include China, Italy, Bulgaria and Taiwan.
The campaign seems to have been active since March 1 (at least, that is the day the short Google URL was created), but it has gained strength in the last few hours. This graph shows the number of clicks in the last 2 hours:


So far VirusTotal shows an AV detection rate of 12 of 46. Kaspersky AV detects the malicious sample through its cloud technology with the verdict UDS:DangerousObject.Multi.Generic

Now a few words about the malware itself. It's written in Visual Basic. The subroutines have human names such as Lenka, Pier, Christiane, Ryann, etc. The following expressions are used as part of the social engineering in Skype:

Is this you?
Picture of you?
Tell me what you think of this picture
This is the funniest picture ever!
I cant believe I still have this picture
Someone showed me your picture
Your photo isn’t really that great
I love your picture!
What do you think of my new hair?
You look so beautiful on this picture
You should take a look at this picture
Take a look at my new picture please
What you think of this picture?
Should I upload this picture on facebook?
Someone told me it’s your picture
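
One way to screen chat logs for these lures, as an added example (not code from the original post or from the malware). The goo.gl host pattern, the function names and the sample messages are assumptions constructed for illustration; the phrases are the ones quoted in this article.

```python
import re
import unicodedata

# Lure texts quoted in the article (two observed messages, then strings from the sample).
LURES = """i don’t think i will ever sleep again after seeing this photo
tell me what you think of this picture i edited
Is this you?
Picture of you?
Tell me what you think of this picture
This is the funniest picture ever!
I cant believe I still have this picture
Someone showed me your picture
Your photo isn’t really that great
I love your picture!
What do you think of my new hair?
You look so beautiful on this picture
You should take a look at this picture
Take a look at my new picture please
What you think of this picture?
Should I upload this picture on facebook?
Someone told me it’s your picture""".splitlines()

# Assumption: the article only says "short Google URL"; goo.gl is assumed as the host.
SHORT_URL = re.compile(r"\b(?:https?://)?(?:www\.)?goo\.gl/\S+", re.IGNORECASE)

def normalize(text):
    """Fold case, apostrophes and punctuation so "can't", "can’t" and "cant" compare equal."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = re.sub(r"[’‘'`]", "", text)
    return re.sub(r"[^a-z0-9]+", " ", text).strip()

# Longest phrases first, so the most specific lure is the one reported.
_INDEX = sorted(((normalize(p), p) for p in LURES), key=lambda kp: -len(kp[0]))

def classify(message):
    """Return (verdict, lure): 'alert' = lure + short URL, 'suspicious' = lure only, else 'clean'."""
    without_url, n_urls = SHORT_URL.subn(" ", message)
    padded = f" {normalize(without_url)} "
    for key, phrase in _INDEX:
        if f" {key} " in padded:  # whole-word match: "is this you" != "is this your"
            return ("alert" if n_urls else "suspicious", phrase)
    return ("clean", None)

if __name__ == "__main__":
    # Constructed sample messages; EXAMPLE is a placeholder, not a real short link.
    for msg in ("Tell me what you think of this picture http://goo.gl/EXAMPLE",
                "I can't believe I still have this picture",
                "is this your car?"):
        print(classify(msg), "<-", msg)
```

A short link on its own is not flagged; the verdict depends on one of the article's phrases being present, and the link only raises it from suspicious to alert.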

The malware is also capable of spreading via USB. Once a machine is infected, the malware uses the IRC protocol to interact with the C&C as part of the botnet. The string in the sample leading to the VB project file is C:\Users\s\Desktop\Must Use Different Name\HqwKH\avivah.vbp

Finally something interesting is this:


Follow me on Twitter: @dimitribest



  1. C

    Can this also spread via the Skype app on android devices?

