New Spam Campaign

New malicious spam campaign detected, providing malware - including ransomware, banking Trojans and backdoors - to victims in different geographic regions.

These campaigns are interesting because they all use similar domains and brands stolen from various government agencies, each linked specifically to countries that are targeted to give a sense of local legitimacy and urgency to their messages.

They target IT service, manufacturing and healthcare organizations that use these counterfeit government agencies to convince users to read these emails and open their attachments.

Spam campaign launched by organizations

new spam campaign


In parallel, while the source of the campaigns is still being analyzed, some researchers from threats stated: “campaigns for spam are being launched and coordinated by a single criminal organization ”.

US U.S, cybercriminals are sending e-mails pretending to be from the United States Postal Service (USPS), with a malicious Word document called 'USPS_Deliver.doc' attached. 

In addition to describing the attachment as urgent, the text also induces the user to think that the document is encrypted and must be opened to be read.

As you would expect, opening the document allows for a malicious macro that installs the Trojan IceID banking system on the victim's computer and tries to steal your online banking credentials.

In the Spam campaign aimed at Germany , the perpetrators of the threats disguise themselves as the Bundeszentralamt fur Steuern, the German Ministry of Finance. In this case, the actors are using a commercially licensed software tool, Cobalt Strike. 

This tool emulates the type of backdoor structure used by the penetration tool, Metasploit

Once again, the threat agent tries to convince the recipient that the attached malicious document is legitimate and important, and that the only way to view it is to enable the content.

In the Spam campaign aimed at Italy , the authors represent the Italian Revenue Agency, Agenzia Delle Entrate. In this campaign, they pretend that the email and the attached letter are about new tax and revenue guidelines that companies and consumers need to follow and recommend that they open the attachment - which, of course, is malicious.

Unsuspecting Users

Masquerading as a government agency is especially effective in inducing unsuspecting users to open malicious attachments. In this unusual campaign, the bad actors developed elaborate messages, similar websites and other content for different agencies in different countries. 

Note that they then use targeted strategies to ensure that the individuals included in a Spam campaign are from the respective countries, although some crossings should not report victims, as the agencies in each campaign are unique.

Stay alert - Suspect

Users should be suspicious when they see emails from government agencies, as they generally use only traditional postal systems to interact with citizens. 

Take precaution in your environment with cybersecurity well positioned in institutions like, NSS Labs

Pay special attention to information purportedly about tax refunds, as governments almost never send this kind of sensitive communication by email, certainly not in Brazil. 

Know that cybercriminals are smart, however, they know that these social engineering tactics work because many of their victims are unaware of these communication policies.

As always, be careful and never open an unexpected attachment. In case of doubt, the best way is to call the agency directly to confirm that the email is legitimate.


O FortiGuard Labs has the following detections to deal with these Spam campaigns.

Web filtering

The laboratories FortiGuard classified all domains related to e-mails from phishing identified in this report as spam URLs / malicious sites in our category.


FortiMail identifies and blocks these social engineering Spam campaigns with the following AV signatures:

  • VBA / Agent.5751! Tr.dldr
  • VBA / Agent.68D6! Tr.dldr
  • VBA / Agent.QHD! Tr
  • VBA / Agent.UB! Tr

Original article in English on here.

Scroll to Top