With hundreds of businesses still scrambling to recover from the faulty CrowdStrike software update that caused massive IT outages around the world, cybercriminals have concocted a new way to breach organizations’ security systems: by providing a fake malware-infested recovery manual.

Capitalizing on chaos

According to BleepingComputer, cybercriminals have launched a phishing email campaign that carries a Word document which “pretends to be instructions on using a new Recovery Tool that fixes Windows devices impacted by the recent CrowdStrike Falcon crashes.” The document actually contains macros (a “series of commands and instructions”) that instruct the recipient’s computer to download a piece of malware known as Daolpu. Once active, Daolpu gets to work collecting login information and any cookies saved in Chromium-based browsers, as well as Firefox, Edge and, strangely, the Vietnamese browser Cốc Cốc, which BleepingComputer suspects may “possibly indicat[e] the malware’s origin.” That information is then transferred to the cybercriminals’ C2 server, presumably where they will organize it and attempt to sell it to interested parties.
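The lure described above works because a macro-enabled Office document can carry executable code. A first-line defensive check is to inspect an incoming document for an embedded VBA project before anyone opens it. The following Python script is an added example, not code from this article or from BleepingComputer: it looks inside an OOXML (.docx/.docm) container for the `vbaProject.bin` part and the macro-enabled content types, and flags legacy OLE2 (.doc) files, which can also carry macros but need a different parser. The two sample documents it builds are constructed in memory for the demonstration and contain no real macro code.

```python
import io
import zipfile

# Parts and content types that indicate an embedded VBA project in OOXML files.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container signature


def find_macro_indicators(doc_bytes: bytes) -> list[str]:
    """Return a list of human-readable indicators that the document carries macros.

    An empty list means no OOXML macro indicators were found. Legacy OLE2
    documents are reported as such because they require OLE parsing (e.g. oletools)
    rather than zip inspection.
    """
    if doc_bytes.startswith(OLE2_MAGIC):
        return ["legacy OLE2 container (.doc): inspect with an OLE parser"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return ["not an OOXML zip container"]

    names = set(zf.namelist())
    findings = [f"embedded VBA project part: {p}" for p in VBA_PARTS if p in names]

    # The content-types manifest is the authoritative list of what the package holds.
    if "[Content_Types].xml" in names:
        manifest = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
        if VBA_CONTENT_TYPE in manifest:
            findings.append("manifest declares a VBA project content type")
        if MACRO_MAIN_TYPE in manifest:
            findings.append("main document part is macro-enabled (.docm)")
    return findings


def build_sample_document(with_macros: bool) -> bytes:
    """Build a minimal constructed OOXML document for testing (not a real Word file)."""
    main_type = MACRO_MAIN_TYPE if with_macros else \
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a VBA project; no actual macro code.
            zf.writestr("word/vbaProject.bin", b"CONSTRUCTED-PLACEHOLDER")
    return buf.getvalue()


def triage(doc_bytes: bytes) -> str:
    """Summarize the check as a verdict suitable for a mail-gateway or helpdesk log."""
    findings = find_macro_indicators(doc_bytes)
    if not findings:
        return "CLEAN: no macro indicators"
    return "REVIEW: " + "; ".join(findings)


if __name__ == "__main__":
    for label, sample in (("clean.docx", build_sample_document(False)),
                          ("recovery_guide.docm", build_sample_document(True))):
        print(f"{label}: {triage(sample)}")
```

Run it against a real file by replacing the constructed samples with `open(path, "rb").read()`. The check is deliberately conservative: the presence of `vbaProject.bin` or the macro-enabled content type is enough to route the attachment for review, which is the right posture for any unsolicited “recovery guide” arriving during an incident.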

Daolpu isn’t the only malware that has surfaced in the wake of CrowdStrike’s folly. The pro-Iranian hacktivist group Handala has also used phishing campaigns to spread a data wiper to affiliates of a Latin American bank in order to disrupt its operations.

Proceed with caution

Although recovery from the CrowdStrike outage is slow and ongoing for many of the 8.5 million users affected, experts are reminding everyone not to rush to restore operations and risk wreaking more havoc on their systems. As CrowdStrike CEO George Kurtz recently stated:

“I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates.”

For those still recovering, be sure to check the CrowdStrike Remediation and Guidance Hub for updates and information, or see if Microsoft’s CrowdStrike recovery tool can help.