Your team gets a routine Webex invite. It looks legit—standard meeting link, trusted platform, nothing out of the ordinary. But the moment someone clicks it, they unknowingly hand over the keys to their system.
Welcome to “Voldemort”—a stealthy, shape-shifting malware campaign that’s cloaking itself as Cisco Webex to quietly sneak into enterprise environments.
This operation, active as of mid-April 2025, surfaced just days after Cisco announced a critical vulnerability in the Webex App. As if summoned from the shadows, Voldemort uses clever tricks like DLL hijacking, cloud-based command and control, and sleep cycles to avoid being caught.
How the Attack Works
The Bait
It starts with a simple click—one on a fake Webex link that exploits a flaw in Webex's custom URL handler. Once clicked, the malware downloads silently, dodging red flags in most detection systems.
The Switcheroo
Voldemort doesn’t walk in the front door—it sneaks in dressed as someone you trust.
- A real, signed Cisco file (CiscoCollabHost.exe) is used to execute.
- A malicious DLL (CiscoSparkLauncher.dll) carrying the Voldemort payload is placed where that executable will load it.
This technique is called DLL side-loading, and it allows malware to ride on the reputation of legitimate, signed files.
The Cloak of Invisibility
- Huge File Size: At over 600MB, the malware is bulky on purpose—just enough to avoid automated sandbox environments.
- Delay Tactics: It takes a nap (5-10 minutes with some jitter) before doing anything malicious. Automated systems usually stop watching after a few minutes, which makes this delay a genius move.
The Anchor
Voldemort sets up user-level scheduled tasks, meaning it can survive system reboots and remain operational without raising alarms.
Command and Control
The malware doesn't phone home the old-fashioned way. Instead, it abuses legit cloud platforms like Google Sheets and Cloudflare-protected URLs to communicate. This traffic blends in with normal web browsing, making it harder for analysts to spot.
Why It Matters
Cisco confirmed that this vulnerability (CVSS score: 8.8) affects Webex versions 44.6.0.29928 through 44.7.0.30285. The Voldemort campaign might be evidence that attackers are beginning to weaponize this flaw in the wild.
What You Should Do Right Now
Patch Immediately:
Update to Webex 44.6.2.30589 or move to 44.8+ to close the vulnerability.
Limit Privileges:
Restrict local admin rights and implement application whitelisting to block unauthorized software execution.
Train Your Team:
Remind staff to avoid clicking unexpected meeting invites—especially from unknown or urgent-looking sources.
Audit Your Systems and Look for:
- Strange files in %App Data%\Local\Cisco Spark Launcher
- Unexpected DLLs loading from user directories
- Scheduled tasks you didn’t set up
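The three audit points above, together with the side-loading technique described earlier, can be checked from a single read-only PowerShell triage script. This is an added example for this post, not code from the original article or from Cisco. It assumes the launcher folder is under %LOCALAPPDATA% (the post's "%App Data%\Local\Cisco Spark Launcher"), treats CiscoCollabHost as the process name to inspect, uses a 500MB size threshold as a rough stand-in for the "over 600MB" payload the post describes, and relies on the built-in Get-AuthenticodeSignature and Get-ScheduledTask cmdlets (Windows 8 / Server 2012 or later):

```powershell
# Added example (not from the original post): read-only triage for the audit points above.
# Process names, folder path and size threshold are assumptions, not indicators from the post.
#Requires -Version 5.1

# Directories a signed vendor binary should not normally be loading unsigned DLLs from.
$UserWritableRoots = @(
    $env:LOCALAPPDATA,
    $env:APPDATA,
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ }

function Test-UserWritablePath {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($root in $UserWritableRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SignerSubject {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if (-not $sig) { return @{ Status = 'Unknown'; Signer = $null } }
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    return @{ Status = $sig.Status.ToString(); Signer = $subject }
}

# 1. Strange files in the Cisco Spark Launcher folder: unsigned binaries or oversized ones.
function Get-SparkLauncherFindings {
    $dir = Join-Path $env:LOCALAPPDATA 'Cisco Spark Launcher'   # assumed location
    if (-not (Test-Path -LiteralPath $dir)) { return @() }
    Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.dll', '.exe' } |
        ForEach-Object {
            $s = Get-SignerSubject -Path $_.FullName
            [pscustomobject]@{
                Check      = 'SparkLauncherDir'
                Where      = $_.FullName
                Detail     = "$([math]::Round($_.Length / 1MB, 1)) MB, signer: $($s.Signer)"
                SigStatus  = $s.Status
                Suspicious = ($s.Status -ne 'Valid') -or ($_.Length -gt 500MB)   # assumed threshold
            }
        }
}

# 2. DLLs currently loaded into the Cisco host process from user-writable directories.
#    Legitimate per-user installs live under %LOCALAPPDATA% too, so the signature is the discriminator.
function Get-UserDirModuleFindings {
    param([string[]]$ProcessName = @('CiscoCollabHost'))   # assumed process name(s)
    foreach ($proc in (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
        try { $modules = $proc.Modules } catch { continue }   # access denied / bitness mismatch
        foreach ($mod in $modules) {
            if (-not (Test-UserWritablePath -Path $mod.FileName)) { continue }
            $s = Get-SignerSubject -Path $mod.FileName
            [pscustomobject]@{
                Check      = 'UserDirModule'
                Where      = $mod.FileName
                Detail     = "loaded by $($proc.ProcessName) (PID $($proc.Id)), signer: $($s.Signer)"
                SigStatus  = $s.Status
                Suspicious = ($s.Status -ne 'Valid')
            }
        }
    }
}

# 3. Scheduled tasks that run as an ordinary user and launch something from a user profile.
function Get-UserTaskFindings {
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $principal = $task.Principal.UserId
        if (-not $principal) { continue }
        if ($principal -match '^(NT AUTHORITY|SYSTEM|LOCAL SERVICE|NETWORK SERVICE|S-1-5-(18|19|20)$)') { continue }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $command = ("$($action.Execute) $($action.Arguments)").Trim()
            if ($command -match '\\Users\\|%(LOCAL)?APPDATA%|%TEMP%|%USERPROFILE%') {
                [pscustomobject]@{
                    Check      = 'UserScheduledTask'
                    Where      = "$($task.TaskPath)$($task.TaskName)"
                    Detail     = "runs as $principal : $command"
                    SigStatus  = 'n/a'
                    Suspicious = $true
                }
            }
        }
    }
}

$findings = @(Get-SparkLauncherFindings) + @(Get-UserDirModuleFindings) + @(Get-UserTaskFindings)
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an ordinary user session (the task and module checks see that user's tasks and processes), then review anything marked Suspicious by hand: a DLL with a non-Valid signature loaded into the Cisco host from a user folder is the side-loading pattern the post describes, while a task created by software deployment tooling will often match the user-profile rule legitimately and can be allow-listed.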
It’s a reminder that not all attacks crash through the front gates—some knock politely and walk right in.
Patch fast, monitor closely, and stay suspicious of even the most harmless-looking links.