The Devil, Eight Million Emails, and a Whole Lot of Milk | Phishing Stager Exposed
ID: 9a40f049-9021-5796-97b9-14e7ebe59de6
STIX ID: report--9a40f049-9021-5796-97b9-14e7ebe59de6
Feed Name: Huntress Blog
A newly-onboarded customer’s internet-exposed RDWeb/RD Gateway server was accessed with stolen domain credentials by a hands-on operator who staged Gammadyne mailer software and six recipient lists totaling ~8.9M addresses; the operator used the victim host to perform direct-to-MX phishing sends while hosting the phishing kit on a compromised Bolivian government website (ipelc.gob.bo/boots_store/). Huntress detected reconnection activity, isolated all endpoints, blocked outbound SMTP connections (catching ~29,954 blocked attempts in a 104-second burst), severed the RDP session, notified the Bolivian CSIRT, and provided IoCs including source IPs and file hashes for remediation.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
