On October 30, 2025, a targeted phishing campaign successfully compromised the contractor workstation mts-contractorpc2. The attacker delivered a malicious email from colla@duolingo-team.com to inquiry@mydfir.com, spoofing a partnership offer and embedding a payload named Duolingo - YouTube Partnership.exe. The user executed the file manually, initiating the attack chain.
Shortly after, the attacker established an interactive RDP session from external IP 170.10.4.118, gaining full access to the host. Within minutes, they launched PowerShell commands, manipulated processes, and executed browser-related binaries disguised as .tmp Chromium clones. These clones opened local web server URLs on 127.0.0.1:8000, likely simulating credential capture or browser session manipulation.
At 15:19:03 UTC, suspicious process reparenting was detected, indicating stealthy execution or injection. The attacker accessed browser credential files (Web Data, Login Data), though no confirmed exfiltration occurred. Later, an unknown internal IP 10.0.0.8 was observed executing remote commands on the compromised host, suggesting lateral movement or internal pivoting.
Multiple detections were triggered, including alerts for process anomalies, execution of unsigned binaries, and activity from an unrecognized internal asset. The attacker’s session ended at 15:35:22 UTC, with no further activity from either IP.
While no data was confirmed exfiltrated, the attacker demonstrated capabilities in phishing, remote access, process manipulation, and internal reconnaissance. The incident highlights the importance of behavioral detections, asset inventory hygiene, and credential protection.
Analysts: Toukee Vang
On October 30, 2025, at 3:08:15 PM UTC, the attacker gained access to mts-contractorpc2 via RDP from IP address 170.10.4.118. This access was enabled by a phishing email sent earlier that day to inquiry@mydfir.com, impersonating a Duolingo representative. The email originated from colla@duolingo-team.com, relayed through mx.zohomail.eu with IP 136.143.171.19, which geolocates to the Netherlands — outside the expected country for the recipient’s network. The message offered $5,000 in compensation for a video collaboration, enticing the recipient to download and execute a malicious payload disguised as a partnership file.
Phishing Email Delivered: recipient inquiry@mydfir.com; sender colla@duolingo-team.com; relay mx.zohomail.eu, 136.143.171.19 (Netherlands)
Malicious Payload Execution: Duolingo - YouTube Partnership.exe; path C:\Users\contractor\Downloads\; hash 3e3ee8ca0ae75aa9bc642c4ee2f924ec422bd714aa8e3361a2e6d61233644988
Remote Access Gained: host mts-contractorpc2; user contractor; source IP 170.10.4.118
The earliest recorded execution of Duolingo - YouTube Partnership.exe occurred on October 30, 2025 at 1:40:53 PM UTC on mts-contractorpc2, initiated via command line by the contractor user. Upon execution, the payload spawned four processes and accessed five files, including browser credential stores. During remote access from IP 170.10.4.118, the attacker launched OOBE-Maintenance.exe, rdpclip.exe, openwith.exe, and re-executed the payload — with the first three being legitimate binaries native to the environment.
The attacker accessed Chrome’s credential store, opening three Web Data files and two Login Data files, likely to extract saved passwords and cookies. Shortly after, temporary Chromium instances were launched with flags that opened local web server URLs on port 8000, a technique commonly used to simulate login interfaces or exfiltrate browser data.
Additionally, an unknown internal IP 10.0.0.8 was observed executing remote commands on mts-contractorpc2. This IP was not part of the organization’s asset inventory and was only active between 3:23:25 PM and 3:35:22 PM UTC, suggesting a pivot or internal compromise that disappeared post-attack.
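As an added example, not part of the report, the behaviours it describes as detection triggers (external RDP logon, a .tmp Chromium clone pointed at 127.0.0.1:8000, a non-browser process reading Web Data or Login Data, and remote commands from an internal IP missing from the asset inventory) are expressed as simple rules over constructed telemetry; the asset inventory, file paths and event shapes are assumptions.

```python
# Added example, not from the report: a triage pass over constructed endpoint
# telemetry that encodes the behaviours the report describes as detections:
# an external RDP logon, a Chromium-like .tmp binary pointed at 127.0.0.1:8000,
# a non-browser process reading Chrome credential stores, and remote command
# execution from an internal IP missing from the asset inventory.
import ipaddress

# Hypothetical asset inventory (assumption; the report does not list assets).
KNOWN_ASSETS = {"10.0.0.5": "mts-contractorpc2"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
CRED_FILES = ("\\Web Data", "\\Login Data")  # Chrome cookie/credential stores

# Constructed events modelled on the incident timeline (not real telemetry).
EVENTS = [
    {"ts": "15:08:15Z", "type": "logon", "logon_type": 10, "src_ip": "170.10.4.118"},
    {"ts": "15:12:10Z", "type": "process", "image": r"C:\Users\contractor\AppData\Local\Temp\chr1.tmp",
     "cmdline": "chr1.tmp --app=http://127.0.0.1:8000/login"},
    {"ts": "15:14:02Z", "type": "file_read", "image": r"C:\Users\contractor\Downloads\Duolingo - YouTube Partnership.exe",
     "path": r"C:\Users\contractor\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "15:23:25Z", "type": "remote_exec", "src_ip": "10.0.0.8", "cmdline": "powershell.exe -Command Get-Process"},
    {"ts": "15:25:00Z", "type": "file_read", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\contractor\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
]


def triage(events, known_assets=KNOWN_ASSETS):
    """Return (timestamp, rule, subject) tuples for events matching a rule."""
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "logon" and e.get("logon_type") == 10:  # 10 = RemoteInteractive (RDP)
            if not ipaddress.ip_address(e["src_ip"]).is_private:
                findings.append((e["ts"], "external_rdp_logon", e["src_ip"]))
        elif kind == "process":
            if e["image"].lower().endswith(".tmp") and "127.0.0.1:8000" in e.get("cmdline", ""):
                findings.append((e["ts"], "tmp_chromium_localhost", e["image"]))
        elif kind == "file_read":
            exe = e["image"].rsplit("\\", 1)[-1].lower()
            if e["path"].endswith(CRED_FILES) and exe not in BROWSERS:
                findings.append((e["ts"], "credstore_access_nonbrowser", e["image"]))
        elif kind == "remote_exec":
            ip = e["src_ip"]
            if ipaddress.ip_address(ip).is_private and ip not in known_assets:
                findings.append((e["ts"], "unknown_internal_asset", ip))
    return findings


if __name__ == "__main__":
    for ts, rule, subject in triage(EVENTS):
        print(ts, rule, subject)
```

The browser itself reading Web Data produces no finding, so the rule keys on the reading process rather than on the file alone.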