Bad actors are using immensely popular Netflix TV series Squid Game to lure people into downloading malware, cyber security researchers have warned.

Last week, the team at Proofpoint spotted a phishing campaign from a group known as TA575 which was trying to spread its Dridex banking trojan using email subjects like “Squid Game is back, watch new season before anyone else”.

Proofpoint said this attacker typically sends emails about invoices and payments to deliver its malware, but that a cultural phenomenon like Squid Game can also be a useful lure.

“Cybercriminal threat actors in general have pounced on Squid Game as a popular lure and malware theme,” the cyber security company said in a blog post.

“This makes sense – as Squid Game is Netflix’s ‘biggest ever’ series, the pool of potential victims who would inadvertently interact with malicious content associated with it is higher than a general lure theme.

“TA575 is betting the invitation to be part of the upcoming season will entice more users to interact with the malicious Microsoft Excel file.”


Phishing emails are designed to look as legitimate. Image: Proofpoint

In the body of an email headed “Get early access Squid Game season 2”, shared by Proofpoint, the attackers spoofed an official Netflix email, directing the victim to “fill out a short document to gain access” to the show’s next season.

Attached to that email is an Excel Spreadsheet which has a macro that, when opened, will download the Dridex banking trojan from a Discord URL which can steal personal data or lead to further intrusions and malware installations.

In another set of emails, the attackers claimed to be from a casting agency that was registering new cast members for the next Squid Game series – all you had to do was fill out your details in the malicious Excel file.

Attachments for this campaign were delivered through the Discord content delivery network (CDN) – an increasingly popular method for sending malware.

RiskIQ noted recently 27 unique malware strains were being delivered through the Discord CDN, saying it pointed to “a significant amount of abuse of [Discord’s] self-hosted CDN by actors by creating channels with the sole purpose of delivering these malicious files”.


Be wary of opening unsolicited Excel spreadsheets. Image: Proofpoint

TA575 isn’t the only bad actor leaning on Squid Game’s success.

Unofficial Squid Game apps have been spotted on the Google Play store, including at least one malicious app that contained the Joker trojan and was downloaded 5,000 times before Google removed it.

The Australian Cyber Security Centre recommends three security behaviours you can do to beat cybercrime in your down:

  1. Update your devices and enable automatic updates.
  2. Use multi-factor authentication to protect your accounts.
  3. Back up your data regularly to a cloud service or physical drive.

While bad actors are using TV shows to spread malware, the government is hoping a new cyber awareness campaign will see more Australians take their security seriously while sitting on the couch.

“Beat cybercrime in your downtime” is the tagline of the campaign that will be running on free-to-air TV.

Speaking on 2GB radio on Sunday, Home Affairs Minister Karen Andrews said she hopes the awareness campaign will encourage Australians to brush up on their cyber security.

“What we’re saying to people is whilst you’re sitting there watching TV, now is an ideal time to do really basic things such as change your password to a passphrase,” she said.