logo

The Devil, Eight Million Emails, and a Whole Lot of Milk | Phishing Stager Exposed

ID: 9a40f049-9021-5796-97b9-14e7ebe59de6

STIX ID: report--9a40f049-9021-5796-97b9-14e7ebe59de6

Feed Name: Huntress Blog

Threat Score
70/100

Date Published: 2026-06-15

Date Updated: 2026-06-25

...
...

A newly-onboarded customer’s internet-exposed RDWeb/RD Gateway server was accessed with stolen domain credentials by a hands-on operator who staged Gammadyne mailer software and six recipient lists totaling ~8.9M addresses; the operator used the victim host to perform direct-to-MX phishing sends while hosting the phishing kit on a compromised Bolivian government website (ipelc.gob.bo/boots_store/). Huntress detected reconnection activity, isolated all endpoints, blocked outbound SMTP connections (catching ~29,954 blocked attempts in a 104-second burst), severed the RDP session, notified the Bolivian CSIRT, and provided IoCs including source IPs and file hashes for remediation.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.