Cisco Webex Attacks

Cybersecurity researchers have uncovered an active malware campaign dubbed “Voldemort” that masquerades as legitimate Cisco Webex components to deploy backdoors on targeted systems.

The discovery comes just days after Cisco released a security advisory for a critical vulnerability in the Webex App that could allow attackers to achieve remote code execution.

The malware operation, identified in mid-April 2025, employs sophisticated DLL hijacking techniques to compromise systems while evading detection.


According to researchers, the attack begins when victims are persuaded to click on malicious meeting links that exploit a vulnerability in Cisco Webex App’s custom URL parser.

“This is a particularly dangerous attack because it leverages legitimate, signed Cisco executables to load malicious code,” noted security analysts.

“When users click the crafted meeting link, the malware downloads and executes without triggering typical security alerts.”

The malware deploys two primary components: a legitimate Cisco executable (CiscoCollabHost.exe) and a malicious DLL (CiscoSparkLauncher.dll) that contains the Voldemort implant.

This technique, known as DLL side-loading, allows attackers to execute arbitrary commands with the privileges of the targeted user.

Sophisticated Evasion and Persistence Mechanisms

The Voldemort malware employs multiple evasion tactics, including a large file size of approximately 600MB likely designed to bypass sandbox analysis.

Upon execution, the malware implements a sleep function of 5-10 minutes with jitter to further evade automated security tools.

For persistence, the malware creates scheduled tasks at the user level, ensuring it remains active even after system reboots.

What makes this campaign particularly concerning is its command-and-control infrastructure, which abuses legitimate cloud services, including Google Sheets and Cloudflare-protected endpoints.

This campaign emerges as Cisco confirms a high-severity vulnerability in the Webex App with a CVSSv3.1 score of 8.8.

The vulnerability affects versions 44.6.0.29928 through 44.7.0.30285 and allows unauthenticated attackers to execute arbitrary code by tricking users into clicking malicious meeting links.

Protection Recommendations

Security experts recommend that organizations take immediate action:

  • Apply Cisco’s security updates: Upgrade to Webex version 44.6.2.30589 or migrate to 44.8+ immediately.
  • Implement application whitelisting and restrict administrative privileges.
  • Educate employees about the risks of clicking unsolicited meeting links.
  • Monitor systems for suspicious scheduled tasks and unexpected DLL loading.
  • Check for unauthorized files in the AppData\Local\CiscoSparkLauncher directory.
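
The last two checks can be run over collected image-load telemetry. The sketch below is an added example, not code from Cisco or the researchers: it assumes records exported as dicts that use Sysmon Event ID 7 (ImageLoad) field names, and its sample hosts and paths are constructed.

```python
import ntpath

# File and directory names come from the article. The record layout is an
# assumption: dicts using Sysmon Event ID 7 (ImageLoad) field names.
HOST_EXE = "ciscocollabhost.exe"
SIDELOADED_DLL = "ciscosparklauncher.dll"
SUSPECT_DIR = "\\appdata\\local\\ciscosparklauncher\\"

def triage_image_load(event):
    """Return the reasons an image-load record matches the side-load pattern."""
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(event.get("Image", "")).lower() != HOST_EXE:
        return []
    if ntpath.basename(loaded).lower() != SIDELOADED_DLL:
        return []
    reasons = []
    if SUSPECT_DIR in loaded.lower():
        reasons.append("loaded from AppData\\Local\\CiscoSparkLauncher")
    if str(event.get("Signed", "false")).lower() != "true":
        reasons.append("DLL is unsigned")
    elif event.get("SignatureStatus") != "Valid":
        reasons.append("DLL signature is not valid")
    return reasons

def scan(events):
    """Return (computer, reasons) for every record with at least one reason."""
    hits = []
    for ev in events:
        reasons = triage_image_load(ev)
        if reasons:
            hits.append((ev.get("Computer", "?"), reasons))
    return hits

# Constructed sample records (not real telemetry); hosts and paths are made up.
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "Signed": "false", "SignatureStatus": "Unavailable",
     "Image": r"C:\Users\alice\AppData\Local\CiscoSparkLauncher\CiscoCollabHost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\CiscoSparkLauncher\CiscoSparkLauncher.dll"},
    {"Computer": "WS-02", "Signed": "true", "SignatureStatus": "Valid",
     "Image": r"C:\Apps\Webex\CiscoCollabHost.exe",
     "ImageLoaded": r"C:\Apps\Webex\CiscoSparkLauncher.dll"},
    {"Computer": "WS-03", "Signed": "true", "SignatureStatus": "Expired",
     "Image": r"D:\Tools\CiscoCollabHost.exe",
     "ImageLoaded": r"D:\Tools\ciscosparklauncher.DLL"},
]

if __name__ == "__main__":
    for computer, reasons in scan(SAMPLE_EVENTS):
        print(computer, "->", "; ".join(reasons))
```

A hit is a lead for investigation, not a verdict; confirm against the scheduled tasks and the files actually present on the host.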

While Cisco confirmed no evidence of active exploitation as of April 16, the emergence of the Voldemort campaign suggests attackers may have begun weaponizing this or similar vulnerabilities. Stay vigilant and update your systems promptly to reduce risk.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.