Fake DHL email delivers an unknown keylogger coupled with a phishing scam

I was extremely surprised to wake up this Sunday morning to a whole slew of fake DHL delivery notice emails with a macro-enabled Word doc attachment that eventually downloads some sort of keylogger.

There is some dispute as to what the actual keylogger is. Some AV on VirusTotal describe it as an AgentTesla generic, whereas the Anyrun app calls it Sentinel. I don’t think either is 100% correct.

DHL_FORM.doc: current VirusTotal detections | Anyrun

This malware doc downloads from https://heritagebank.ga/Quotation.exe (VirusTotal), which is behind Cloudflare and is also a phishing site for the genuine Heritage Bank.

Heritage Bank Phishing site

This keylogger first makes a request to http://icanhazip.com/, where I assume it checks the sending IP against a list of acceptable IPs before continuing with its nefarious actions. It then drops 3 other .exe files [1] [2] [3], all of which are fairly well detected generically or heuristically. It then alters the firewall settings to allow exfiltration and tries to send the stolen info somewhere that Anyrun doesn’t show me. What I can see is a failed connection to educationaltools.info, which has no DNS records, so it is very possibly the drop site that isn’t yet live.

Update 9 September 2017: Another run of exactly the same email, but today they have a .z (zip) file attachment extracting to a .exe.

DHL FORM.7z extracts to DHL FORM.exe: VirusTotal | Anyrun

They seem to have fixed some of yesterday’s problems and are exfiltrating the stolen info via encrypted email on port 443 to microffice365.ga. They are also sending screenshots today as well as txt files.

I can guarantee that the receiving domain will not stay online very long.

None of these files from yesterday or today will run properly in a sandbox / VM; they crash on some actions. Whether the files are buggy or whether there are anti-VM / sandbox protections is unknown at this time. My gut feeling is that a combination of both is happening.


DHL has not been hacked or had its email or other servers compromised. DHL is not sending the emails to you; it is just an innocent victim in exactly the same way as every recipient of these emails. What has happened is that the criminal bad actors are sending from a look-alike domain, dhlcourier.us, which doesn’t actually exist. See the email headers below.

The email looks like:

From: DHL EXPRESS <[email address obscured on the page]>

Date:  Sun 08/09/2019 02:37


Attachment: DHL_FORM.doc

Body content:

Dear Customer,

We tried to deliver your item to your address this morning 7th September, 2019. (See the attached file) .

The delivery attempt was unsuccessful because no one was present at the delivery address given to us, so the notification is automatically sent.

If the parcel is not scheduled for re-projection or receipt within 72 hours on weekdays, it will be returned to the sender.

Tag number: DB0011622801 / 17BA

Expected delivery date: September 7th, 2019

Packet Services

Agency (s): Delivery Confirmation

Status: Mission sent

Sender: Macy’s Department Store Company

Your package has not been delivered.

Delivery Time: 08:57 AM

Number of Packages: 1

Weight: 5.0 LBS

Dear Customer

See attached form and correct your address.

We apologize and thank you for your confidence.

Thank you,

Customer Service DHL.

2019 © DHL International GmbH. All rights reserved.


Fake DHL delivery email


Email Headers:

IP | Hostname | City | Region | Country | Organisation
(not shown) | (none) | London | England | GB | AS14061 DigitalOcean, LLC
(not shown) | ec2-3-84-97-76.compute-1.amazonaws.com | Virginia Beach | Virginia | US | AS14618 Amazon.com, Inc.

Note: Only the final IP address outside of your network in the Received: fields can be trusted, as the others can be spoofed.

Received: from [] (port=45488 helo=vmin.integratedconsult.ga)
	by knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.92)
	(envelope-from <[email address obscured on the page]>)
	id 1i6mrZ-0008RH-Ri
	for [email address obscured on the page]; Sun, 08 Sep 2019 03:23:37 +0100
Received: from EC2AMAZ-V5IM2BC.ec2.internal (ec2-3-84-97-76.compute-1.amazonaws.com [])
	by vmin.integratedconsult.ga (Postfix) with ESMTPA id 2F793C3D26;
	Sun,  8 Sep 2019 01:52:30 +0000 (UTC)
Content-Type: multipart/mixed; boundary="===============1894098760=="
MIME-Version: 1.0
To: Recipients <[email address obscured on the page]>
From: "DHL EXPRESS" <[email address obscured on the page]>
Date: Sun, 08 Sep 2019 01:52:28 +0000
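As an added example (not code from the original post), this Python script applies the note above: it walks the Received: chain, anchors on the hop written by the recipient’s own mail host (assumed here to be knighthosting.co.uk), and compares the last external relay with the identity shown in From:. The sample message is constructed from the quoted headers; the IP addresses and mailbox local parts are not on the page, so documentation-range addresses and invented local parts stand in for them, and the DHL brand-domain list is an assumption.

```python
"""Walk the Received: chain of a message and report which hop can be trusted.

Added example (not code from the original post), standard library only.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the headers quoted in the post. IPs (192.0.2.x) and the
# local parts "notice"/"victim" are placeholders; the page does not show them.
SAMPLE = """\
Received: from [192.0.2.10] (port=45488 helo=vmin.integratedconsult.ga)
\tby knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
\t(Exim 4.92)
\t(envelope-from <notice@dhlcourier.us>)
\tid 1i6mrZ-0008RH-Ri
\tfor victim@example.co.uk; Sun, 08 Sep 2019 03:23:37 +0100
Received: from EC2AMAZ-V5IM2BC.ec2.internal (ec2-3-84-97-76.compute-1.amazonaws.com [192.0.2.20])
\tby vmin.integratedconsult.ga (Postfix) with ESMTPA id 2F793C3D26;
\tSun,  8 Sep 2019 01:52:30 +0000 (UTC)
MIME-Version: 1.0
To: Recipients <victim@example.co.uk>
From: "DHL EXPRESS" <notice@dhlcourier.us>
Date: Sun, 08 Sep 2019 01:52:28 +0000

(body omitted)
"""

# Mail hosts run by the receiving organisation (assumed for the example): hops
# written by these MTAs are trusted; anything below them was written by the
# sender's own servers and may be forged.
OWN_MAIL_HOSTS = {"knighthosting.co.uk"}
# Brands seen in display names and the domains they really send from
# (assumption for the example; extend for your own environment).
BRAND_DOMAINS = {"dhl": {"dhl.com"}}

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def registered_domain(host):
    """Last two labels, or three under second-level suffixes such as .co.uk."""
    labels = host.lower().strip("[].").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in ("co", "org", "gov", "ac", "net"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_hops(raw):
    """Return the Received hops, top (most recent) to bottom, as dicts."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())  # unfold the continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        helo = re.search(r"helo=(\S+)", m.group("paren") or "")  # Exim style
        ip = IP_RE.search(text)
        hops.append({
            # Postfix puts the HELO name straight after "from", Exim in helo=
            "helo": helo.group(1) if helo else m.group("from").strip("[]"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by").rstrip(";,"),
            "raw": text,
        })
    return hops


def trust_boundary(hops, own_hosts=OWN_MAIL_HOSTS):
    """Index and hop of the last relay outside our network (the note above)."""
    for i, hop in enumerate(hops):
        by_ours = registered_domain(hop["by"]) in own_hosts
        sender_ours = registered_domain(hop["helo"]) in own_hosts
        if by_ours and not sender_ours:
            return i, hop
    return None, None


def assess(raw, own_hosts=OWN_MAIL_HOSTS):
    """Compare the visible From: identity with what the trusted hop actually saw."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    idx, boundary = trust_boundary(hops, own_hosts)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    result = {"hops": hops, "boundary": boundary, "from_domain": from_dom, "findings": []}
    if boundary is None:
        result["findings"].append("no hop was received by our own mail hosts; chain cannot be anchored")
        return result
    below = len(hops) - idx - 1
    if below:
        result["findings"].append(f"{below} hop(s) below the trust boundary were written by the sender's servers and may be forged")
    if registered_domain(boundary["helo"]) != from_dom:
        result["findings"].append(f"From: domain {from_dom} does not match last trusted relay {boundary['helo']} ({boundary['ip']})")
    env = re.search(r"envelope-from\s+<[^>@]+@([^>]+)>", boundary["raw"])
    if env and registered_domain(env.group(1)) != from_dom:
        result["findings"].append(f"envelope-from domain {env.group(1)} differs from From: domain {from_dom}")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display.lower().split() and from_dom not in legit:
            result["findings"].append(f"display name claims {brand.upper()} but {from_dom} is not a known {brand.upper()} domain (look-alike?)")
    return result


if __name__ == "__main__":
    for line in assess(SAMPLE)["findings"]:
        print("-", line)
```

For the sample it reports three findings: one unverifiable hop below the boundary, a From: domain that differs from the relay that actually handed the mail to the recipient’s server, and a display name claiming DHL from a domain that is not a known DHL domain.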

All the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company whose details have been spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and other organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

This email attachment contains what appears to be a genuine Word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that, when run, will infect you.

Modern versions of Microsoft Office, that is Office 2010, 2013, 2016 and Office 365, should automatically be set to higher security to protect you.

By default protected view is enabled and macros are disabled, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled, then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you. Definitely DO NOT follow the advice they give to enable macros or enable editing to see the content.

Most of these malicious Word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365. Some versions pretend to have a digital RSA key and say you need to enable editing and macros to see the content. Do NOT enable macros or editing under any circumstances.



What can be infected by this

At this time, these malicious macros only infect Windows computers. They do not affect a Mac, iPhone, iPad, Blackberry, Windows Phone or Android phone. The malicious Word or Excel file can open on any device with an office program installed, and potentially the macro will run on Windows or Mac or any other device with Microsoft Office installed, BUT the malware that the macro tries to download is Windows specific, so it will not harm, install on or infect any computer except a Windows computer. You will not be infected if you do not have macros enabled in Excel or Word. These macros do not run in Office Online, OpenOffice, LibreOffice, WordPerfect or any other office program that can read Word or Excel files.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about Word macro malware and how to avoid being infected by it.

Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a simple message saying “look at this picture of me I took last night” that appears to come from a friend. It might be a scareware message that will make you open the attachment to see what you are accused of doing. Frequently it is more targeted at somebody (small companies etc.) who regularly receives PDF attachments or Word .doc attachments or any other common file that you use every day, for example an invoice addressed to your own email address.

The basic rule is NEVER open any attachment to an email unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets. Many of us routinely get Word, Excel or PowerPoint attachments in the course of work or from companies that we already have a relationship with.

Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. A lot of malicious files that are attached to emails will have a faked extension, that is the 3 letters at the end of the file name. Unfortunately Windows by default hides file extensions, so you need to set your folder options to show them (untick “Hide extensions for known file types”). Then when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball”, an invoice or receipt from some company for a product or service, or receive a Word doc or Excel file report that work has supposedly sent you to finish working on at the weekend, you can easily see if it is a picture or document and not a malicious program. If you see .JS, .EXE, .COM, .PIF, .SCR, .HTA, .vbs, .wsf, .jse or .jar at the end of the file name, DO NOT click on it or try to open it; it will infect you.

With these malformed infected Word, Excel and other Office documents that normally contain a VBA macro virus, the vital thing is: do not open any Office document directly from your email client or the web. Always save the document to a safe location on your computer, normally your downloads folder or your documents folder, and scan it with your antivirus. Many antiviruses do not natively detect VBA macro viruses in real-time protection and you need to enable document or Office protection in the settings. Do not rely on your antivirus to immediately detect the malware or malicious content. DO NOT enable editing mode or enable macros.

All modern versions of Word and other Office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft Office documents (Word docs, Excel files, PowerPoint etc.) that are downloaded from the web or received in an email automatically in “protected view”, which stops any embedded malware or macros from being displayed and running. Make sure protected view is set in all Office programs to protect you and your company from these sorts of attacks, and do not override it to edit the document until you are 100% sure that it is a safe document. If the protected mode bar appears when opening the document, DO NOT enable editing mode or enable macros; the document will look blank or have a warning message, but will be safe.

Be aware that there are a lot of dodgy Word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. Many of us have continued to use older versions of Word and other Office programs because they are convenient, have the functions and settings we are used to, and we have never seen a need to update to the latest super-duper version. The risks in using an older version are now seriously starting to outweigh the convenience, benefits and cost of keeping an old version going.

I strongly urge you to update your Office software to the latest version and stop putting yourself at risk using old, out-of-date software.



Main object: “DHL_FORM.doc”
	sha256 8a5abbe5e40ce78b2bcaf1da65b837fe0cfb648a50a905f67a01d2ecb1255ae7
	sha1 9147b61f4b6174f062c5f892581cc9fb755f9bd6
	md5 1b75aa357885b3bfb8ec42af13c71b5b

Dropped executable files (sha256):
	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\Quotation[1].exe
		bf2b4e832e651b767e079202597df8740e15bfea06230066af631734afbb0229
	C:\Users\admin\AppData\Roaming\log\AutoUpdate.exe
		321ebb553f8008e4ccdf42881c8b854fcf49d12f7af7c3c19a87b6db93fe4935
	C:\Users\admin\AppData\Roaming\log\Emai.exe
		a87d9354ee672f751e321c2bb701328cc79c0e8743312981dd6a7b183261c53c
	C:\Users\admin\AppData\Roaming\log\scre.exe
		06da72109905be4cb1eef62c4f70c0adabe2e6401187a2c63b1a178f12ae3145

DNS requests:
	heritagebank.ga
	educationaltools.info
	icanhazip.com

Connections (IP addresses not shown on the page)

HTTP requests:
	https://heritagebank.ga/Quotation.exe
	http://icanhazip.com/

Read more https://myonlinesecurity.co.uk/fake-dhl-email-delivers-an-unknown-keylogger-coupled-with-a-phishing-scam/

  • The Adur and Worthing Poverty Truth Commission

    Briefing meetings October 3rd 2018: Open to all. The Adur and Worthing Poverty Truth Commission (AWPTC) are pleased to announce that we will be holding two open briefing meetings for the community of Adur & Worthing to meet with us and our national Coordinator Andrew Grinnell from Leeds. The Adur and Worthing Poverty Truth Commission aims to generate solutions for the local area by bringing together decision makers with those with first-hand experience of poverty. Read More
  • More AgentTesla keylogger as fileless malware.

    We are seeing a continuation of the new style AgentTesla malspam campaign again this morning. This is still using a multistage downloader eventually resulting in the AgentTesla keylogger / infostealer being run on the victim’s computer as a fileless malware. The initial stage today is a .exe file though not a word doc / rtf f=doc in the... Read More
  • Finding Additional Support In A Power Cut

    UK Power Networks own and run the electricity cables in most of our region and fix power cuts. They deliver the electricity which you buy through your choice of supplier. They provide a priority service for anyone who might face extra difficulty in the event of a power cut, including households with an elderly person, young children, someone less mobile or someone with a health condition. Read More
  • curry pcworld data loss 2018

    curry pcworld data loss 2018

    On June 13, we began to contact a number of our customers as a precaution after we found that some of our security systems had been accessed in the past using sophisticated malware. We promptly launched an investigation. Since then we have been putting further security measures in place to safeguard customer information, increased our investment in cyber security and added additional controls. In all of this we have been working intensively with leading cyber security experts. Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address. While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result. We are continuing to keep the relevant authorities updated. Read More
  • Fake Fedex Express Shipment For Pickup in iso delivers nanocore using Sendgrid

    The next in the overnight malware campaigns is a fake Fedex Express email delivering Nanore RAT via an img ( Iso) file. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better... Read More
  • learn more about online safety and online fraud.

    In partnership with Get Safe Online we are running a free training event, for our residents to learn more about online safety and online fraud. This free event is so they can gain better awareness and understanding about steps that can be taken to stay safe online and how to be vigilant of scams (and what you can do to avoid becoming a victim). There are 6 sessions in total running on 9th October, 27th Nov and 23 Jan. The Eventbrite link is attached . https://www.eventbrite.co.uk/o/community-safety-amp-wellbeing-west-sussex-county-council-17456763912 Read More
  • Keybase keylogger via fake indofuels invoice

    We don’t see a lot of malware at weekends in UK, so it was a bit of a surprise to get a whole swathe on emails overnight pretending to be an invoice from indofuels. The keylogger and info / credential stealer the criminals are using this weekend is Keybase,. I personally haven’t seen keybase for a couple of years, although reports of... Read More
  • Phishing emails pretending to be sent from myonlinesecurity.co.uk

    First of all I want to apologise to anybody who received a scam phishing email that pretended or appeared to come from our email address This email address is being protected from spambots. You need JavaScript enabled to view it..  These emails were not sent from this server but from a scummy server controlled by a hosting company  in Iceland who are used frequently by criminals for malware,... Read More
  • Fake TNT delivery drops WSHRAT via DiscordApp

    It seems to be the week for harder to analyse & dodgy delivery systems that more carefully target specific countries / regions or even specific  isps. Yesterday we saw a fake e-fax notification in German language that eventually led to a Buran ransomware. I couldn’t analyse that one properly or get the full payload, but with lots of... Read More
  • A Friday the 13th failure for Agenttesla campaign

    It looks like Friday the 13th  is unlucky for this malware bad actor, trying to deliver yet another AgentTesla keylogger / info-stealer  because as far as I can tell this malware chain is broken so the victim should not get the payload. WE still see loads of AgentTesla keylogger/ Info-stealer malware campaigns hitting the UK most days.... Read More
  • Have Your Say On Sussex Police Funding

    Have Your Say On Sussex Police Funding

    This week 70 new police officers completed their training, and a further 38 have started theirs as part of the biggest recruitment drive in Sussex for over ten years, made possible by this year’s increase in the police element of council tax - the precept. Last week the Government announced the provisional funding settlement for policing in a £970 million package that gives Police & Crime Commissioners the ability, should they wish, to raise the precept above the current £12 limit. This unprecedented funding opportunity could help Sussex to recruit substantial numbers of PCSOs and even more police officers, as well as improving the public contact service, especially the 101 non-emergency number. Although no final decisions will be made until early February next year, the Chief Constable and the PCC, Katy Bourne, have indicated their commitment to ensure that residents will see and feel the benefit of any extra funding raised locally. If you have not already done so, you can give the PCC your views on police funding by completing a very short survey available on her website at https://www.sussex-pcc.gov.uk/. I have been asked by the PCC to pass on her thanks to all Neighbourhood Watch volunteers for your support of Sussex Police throughout the year, which I am doing with great pleasure. Season's greetings to all Read More
  • Fake Payment receipt vbs drops njrat bladabindi downloads Agent Tesla via Sendspace.

    A rather interesting malware campaign from overnight. It all starts with an email pretending to be a payment receipt that contains a .tar attachment which contains a vbs file. As per usual the email is just generic enough to entice a recipient to open it, read it & possibly extract & run the malware file. This is another one of the ... Read More
  • More AgentTesla keylogger info-stealer campaigns hitting UK

    We are still seeing continuous AgentTesla keylogger / Info-Stealer campaigns hitting the UK. We sill aren’t seeing a lot of other malware at the moment. I have received about 20 different versions over the last week that have all been nothing special, with no outstanding features worth mentioning, so I have just submitted to AV companies and... Read More
  • Fake invoice tries to deliver Remcos RAT

    This is a strange & slightly more difficult than usual to analyse  malware, mainly because the bad actor appears to have made a total mess of the distribution. I do not know if this will actually run on a proper computer, it obviously doesn’t like a sandbox / VM . The email was received with a .dat extension, which is what... Read More
  • Worthing Sporting Memories

    Sporting Memories is an opportunity for older sports fans to get together to talk sport over a cuppa. It aims to promote physical and mental well-being through reminiscence and tapping into passion, knowledge and love of sport. It is open to any one over the age of 50 who likes sport, and enjoys reminiscing about their experiences of watching or playing sport! It is free and takes place every Thursday 10.00 - 11.30am, at the Clubhouse, Worthing Football Club.   Read More
  • Very strange Barclays bank Phishing Scam

    We see lots of phishing attempts for email credentials.  This one is quite strange and weird, It pretends to be a message from Barclays Bank  to update card details. I don’t know what is happening but several  times I tried, I get redirected to the genuine Barclays Bank website. But from anyrun using MITM and sometimes from my... Read More
  • Community Works Reps’ Nominations are open! Deadline Friday 12 October

    We are looking for representatives who would like to become champions for community groups and voluntary organisations, across Brighton & Hove, Adur and Worthing on behalf of Community Works. Do you want to ensure the voices of these groups are heard and understood? Are you keen to share your knowledge and expertise across a broad range of partnerships and agendas? Would you like to represent community and voluntary organisations at a strategic level? Read More
  • Our actions have an impact. - Tearfund

    Our actions have an impact. - Tearfund

    As part of Tearfund’s Matched Giving Appeal, we are asking supporters to donate and pledge to reduce their plastic. When we speak out about plastic pollution and how it affects people in poverty, we are keeping the issue on the agenda. When we show by our actions that we want to live in a less wasteful world, we are valuing what God has given us and caring for our global neighbours, as well as sending a powerful signal that we want decision-makers to act. Join us by taking the Plastic Pledge to give up using one single-use plastic item for 40 days (or more!). Every single-use plastic item we save is one less thing in a landfill site, ocean or incinerator – or one less thing shipped overseas for another country to dispose of.Single-use plastics are plastic items that are only intended to be used once, such as soft drinks bottles. The most common items include disposable cups, drinks bottles, non-recyclable packaging, wipes and female hygiene products. Finding alternatives to these plastics is easier than you might think! It can be very satisfying to know that you are walking that little bit lighter on the earth – and often, it saves you money too. Read More
  • AgentTesla keylogger as fileless malware.

    I am seeing a somewhat different to usual AgentTesla malspam campaign this morning. This is using a multistage downloader eventually resulting in the AgentTesla keylogger / infostealer being run on the victim’s computer as a fileless malware. It all starts with the Word doc attachment, which is actually a RTF file that is using the... Read More
  • AgentTesla keylogger campaigns continue

    WE still see loads of AgentTesla keylogger/ Info-stealer malware campaigns hitting the UK most days. I don’t often post them here, unless there is something slightly different or unusual about either the delivery method or the malware itself changes. I just submit to Antivirus companies & most times tweet the details to other security... Read More
  • Trustee & Leadership Networks meets on the 16th October.

    ‘How to become a Charitable Incorporated Organisation’Date: 16 October 2018Time: 6.00-8.00pmVenue: Gordon Room, Worthing Town HallCost: FreeBook: via Eventbrite Read More
  • West Durrington Community Facilities - opportunity for an organisation

    "Adur & Worthing Councils own a number of community buildings and lease these to strong, community-focused groups and organisations to manage. The buildings are valuable assets for our local residents and the wider community - and meeting their needs, wants and expectations are essential. The Councils need organisations with sound experience, leadership and passion to take on a new lease and be the driver of good things in, and with, the local communities." Read More
  • ISRStealer via fake Prudential Assurance Company Purchase Order

    Every now & again we see a resurgence of ISRStealer  info-stealer / Keylogger Trojan Malware. This malware has been around since 2011 and gets intermittent distribution campaigns. You can now submit suspicious sites, emails and files via our Submissions system Prudential Assurance Company Singapore has not been hacked or had their email... Read More
  • Some changes to Remcos Rat persistence method

    It looks like we are seeing a few changes to the Remcos RAT install & persistence method. Over the last couple of weeks I have noticed a few tweaks to the persistence & auto start of several Remcos Rat versions. Today it has changed again to try to bypass protections. This all starts with the usual spam email, today’s ( or rather... Read More
  • Get Safe Online will help you keep your online payments safe.

    Trust Get Safe Online to help protect your finances with safer payments advice from the GSO experts These days, you can pay for almost anything online: products, services, tickets, holidays … even your next car, van or motorcycle. You can donate to charity, buy a driving licence or passport or pay to download, stream, play or gamble. It’s fast and convenient, but there are also risks attached, with cybercriminals doing all they can to divert your money into their pockets. Read More
  • Lokibot via abusing the ngrok proxy service

    It looks like one of the criminal gangs behind some of the Lokibot campaigns have found a way to serve their malware almost undetected or at least without any known host that can take down easily or be blocked. What they have done with this series of campaigns is abuse a new(ish) service NGROK which basically acts as a proxy, direct tunnel or VPN... Read More
  • good quality grant applications from registered community groups

    good quality grant applications from registered community groups

    Homity is a small, independent, Brighton based Charitable Trust. Since 2014 we have awarded many small grants to local causes in real need of funds that will make a BIG difference. Our Trustees and Grants committee meet 3 times a year to consider the best quality applications and can award smaller (<£1000) funds quickly to those groups showing real need Read More
  •  WSCC Care and Help at Home Service - Survey

    WSCC Care and Help at Home Service - Survey

    Voluntary and community organisations have the opportunity to give us their views on the future [Care and Help at Home service] and help us to understand how we might work better together to support independence at home. The survey should take around 10-15 minutes to complete.” https://haveyoursay.westsussex.gov.uk/children-adults-families-health-and-education/care-and-support-at-home-vco Read More
  • More AgentTesla keylogger campaigns

    WE still see loads of AgentTesla keylogger/ Info-stealer malware campaigns hitting the UK most days. Today is no exception with quite a few so far. I don’t always post them here, unless there is something slightly different or unusual about either the delivery method or the malware itself changes. I just submit to Antivirus companies &... Read More
  • Big Energy Saving Network

      Consumer energy awareness for front line workers with the Big Energy Saving Network.   Transition Town Worthing (TTW) has been chosen as Worthing’s champion for the Big Energy Saving Network 18/19 (BESN). The project is funded and administered by Citizen’s Advice, and the aim is to engage consumers, particularly those who might be vulnerable through reasons such as age, disability or financial situation, with their energy bills, assisting them to learn more about what they’re paying and how they’re paying for it, enabling them to acquire a fairer deal, and access any further assistance that may be available to them. People who are not actively engaged with the energy mark Read More
  • Fake Bose site selling goods at stupid prices.

    I have got a slightly unusual potential scam / phishing / ID and money theft or fake goods scam to report on today. Yesterday I received a message via our submission form about a look-a-like site selling Bose products. The reporter was a bit concerned, saying “This site looks impressive but the price reductions are massive. Not at all what... Read More
  • eBook, "When I was young". guide to a summer outdoors,

    We're excited to announce the launch of our brand new eBook, "When I was young". A fantastic new guide to a summer outdoors, perfect for all the family. Think back to when you were young, do you ever remember being glued to a TV screen, games console or phone? No, neither do we, so let's show the next generation the excitement that can be had from the doorstep.    We want your children to enjoy being in the outdoors, just as you did when you were little. So we've created this brand new downloadable guide packed with fun activities, games and ideas to keep your family busy all summer long.   Get the kids to re-connect with the outdoors this summer and  re-create your childhood memories! Read More
  • It looks like another DNS compromise hack happening

    I saw a fairly short-lived, reasonably low volume, malspam campaign earlier this morning that looks like it comes via Necurs Botnet and is somehow using a “new” compromise or security hole in the DNS system. These appear to be targeted at UK only and as far as I can tell ONLY a UK IP number will get a redirect to the scumware site.... Read More
  • Lokibot via fake purchase order but won’t run in W7 or W8.1

    I have got a very unusual and somewhat difficult to analyse set of malware files here. I received 2 different versions of this email. The first with just an XLSX attachment, the second with both an XLSX and a .rar attachment. Running the xlsx file through Anyrun  using W7 64 bit resulted in a system freeze where it took so much memory &... Read More
  • Multiple Hawkeye malspam campaigns via GreenCloudVPS

    Another Hawkeye keylogger campaign again today. We see these most days and the emails are always such a generic invoice, order or Request for quotation so I don’t bother to post all versions we receive. I normally just tweet to the other researchers and submit to antivirus companies. These are all using CVE-2017-11882 RTF Today we are seeing... Read More
  • AWC Community Transport Grants are open!

    Good morning  Just to share that these new grants opened today, all the details on our website: https://www.adur-worthing.gov.uk/community-transport-grants/ Deadline is 19th October. Best wishes, Jo Joanne Clarke Communities and Third Sector Lead, Adur & Worthing Councils Read More
  • Wechat phishing via another compromised web developer

    Every now and again we see a phishing scam that stops you in your tracks and you think ” I really don’t believe it”. This is another one of them. I am absolutely gobsmacked by the amount of so called web developers, SEO experts or Designers who are totally incapable of securing their own website, let alone build &... Read More
  • Fake DHL email delivers an unknown keylogger coupled with a phishing scam

    I was extremely surprised to wake up this Sunday Morning to a whole slew of fake DHL delivery notice emails with a macro enabled  word doc attachment that eventually downloads some sort of Keylogger. There is some dispute as to what the actual Keylogger is. Some AV on VirusTotal describe it as an AgentTesla generic, whereas Anyrun app calls... Read More
  • Bitcoin verify your Identity phishing scam hosted on Microsoft Azure hosting

    I  am seeing a bitcoin phishing scam campaign this morning hosted on Microsoft Azure/windows.net. The emails pretend to come from your own email address and are addressed to the same email address. All hosting companies get abused and used for malware, scams and phishing. Recently Microsoft Azure Hosting seems to be the flavour of the month.... Read More
  • Phishing on a compromised Brazilian ISP via fake Fax email

    Just a very quick post about a phishing scam this morning. This is only noteworthy because the phishing takes place on a compromised website belonging to a small Brazilian ISP. https://www.agilinker.com.br/  The email pretends to be a fax message from your own domain, so the ones I received pretended to come from... Read More
  • Hot Mobile Israeli Hebrew Phishing scam

    We see lots of phishing attempts for various credentials. This scam in Hebrew is a totally new one to me. As far as I can tell the Mobile phone company being spoofed Hot Mobile is an Israeli Mobile Phone company that has links to the Israeli defence Forces. All the info I am getting about this comes from Google translate or Wikipedia, so might not... Read More
  • Remcos Rat via fake invoice using multiple delivery methods.

    I have heard of the “Belt and Braces ” approach to delivering malware before, but this malware campaign delivering Remcos Rat is using  the belt and 2 pairs of braces to try make sure the malware gets delivered. The email is a fairly typical Invoice Request that appears to a part of an ongoing conversation and contains 3 different... Read More
  • Launch of Worthing Refill

    Refill Worthing launch - 15th August, 5:30-8pm @ St. Paul's cafe, chapel Road, Worthing BN11 1EE   A scheme to break our plastic habit, which started in Bristol and has taken off nationally, is launching in Worthing. The Refill scheme signs up local businesses, cafes and venues to become Refill stations, where members of the public can refill their own water bottles for free. The nifty little Refill app, available at the normal places, shows people their nearest stations on a map. Folks can also upload their own favourite cafes if they too want to become Refill stations.  Read More
  • Free Conference Brighton Pier 13th June - Protecting young people against radicalisation and grooming on the internet

    Creative Exchange is working with the EU and Erasmus who have funded projects across EU partner countries and for the past 18 months we have been working on Radicalisation and Protecting Young People from Internet Grooming. It is called the Heads-Up Project. Read More
  • Fake Council Tax refund phishing scam

    I was sent the details of a very interesting and extremely well done phishing scam, that pretends to be  a Council Tax refund. The scammers have chosen an extremely good domain name to perform the scam & copied almost exactly the genuine  Gov.uk site complete with all branding & Postcode lookup. I don’t have the original... Read More
  • Fake PrivatBank email delivers AgentTesla and Phishing

    I received a rather interesting email earlier today. It pretends to be an email from Privatbank.com and is written mainly in Ukrainian. There is not a known bank using PrivatBank.com anywhere I can find listed, although a website for this domain was registered many years ago (2001). The closest legitimate bank that I can find is... Read More
  • Supporting Voluntary & Community Sector Groups in Keeping Children & Young People Safe

    Does your organisation work with a significant number of children and young people? If so, did you know that there is a VCS Safeguarding Forum that supports Safeguarding Leads as part of a network across the county?   Key Aims: • To bring together key VCS Safeguarding Leads from across West Sussex, to create networking opportunities and share best practice and training. Read More
  • Nanocore RAT via fake DHL failed delivery in Chinese

    A quick post about the latest in a long, long, long, very, very long line of fake DHL delivery failure emails delivering all sorts of malware. Today’s version is slightly different to the ones we frequently see in UK. Today it is delivering Nanocore RAT in a zip file attachment. Firstly it is written entirely in Chinese, so most recipients... Read More
  • various phishing scams via compromised Mexican Gov email address

    This set of phishing scams is noteworthy because the emails all originate from a compromised email account belonging to the Mexican Government or at least using the Mexico Gov domain. It seems to track back to the Ministry of Justice of Guanajuato state. They all pass authentication checks so are more likely to be delivered to prospective victims.... Read More
  • Get Safe Online With Switched On Parents In July 2019

    Do you really know what your child does when they’re online? For our children and young people, the internet is a wonderful place where they can explore, learn new things, communicate, be entertained and much more, with their curiosity and appetite for new content evolving and growing as they do. At Get Safe Online, we embrace these benefits, but equally, we know that it can be a challenging and potentially hazardous experience. Do you know how long they’re spending online, what content they’re viewing or who they’re chatting with? Are you concerned that they could be bullied, befriended by the wrong kind of people or even being persuaded to commit criminal offences? Or even that it could be your child who’s the abuser or budding cybercriminal? (After all, everyone is somebody’s child). Ironically, the fact that Read More
  • banload and stealer

    Some weird malware possibly banload and a stealer. Details were uploaded to our submissions system Starts with email link that downloads tax.zip from This zip contains genuine google updater & a bat file which downloads a powershell script from Then... Read More
  • More compromised windstream email sending malspam with Orion keylogger

    Following on from Last Friday, it is looking like Windstream, Zimbra & Synacor still have a problem with accounts being compromised and mass malspam being sent.  Generally speaking the majority of ISPs are pretty good with blocking outgoing spam & malware emails. They generally restrict the numbers of emails sent per hour / day for... Read More
  • Lokibot via fake Reconfirm Bank Account Details with extremely large rtf attachment

    We are still not seeing a lot of interesting malware in UK at the moment, but this one has a few interesting parts to the delivery system. The Lokibot binary that is eventually delivered is nothing special and we see this sort of commodity malware on an almost daily basis. What is slightly unusual is the size of the word doc ( RTF ) attachment... Read More
  • Hawkeye keylogger via fake receipt. Stolen data sent to another keylogger site.

    Over the last month or 6 weeks we, along with many other researchers, have noticed quite a drop in Malspam, in fact in spam generally. Nobody quite knows why but generally this means one or other of the major spam sending botnets has been taken down or is retooling & getting ready for a  new set of campaigns. One of the few constant... Read More
  • nanocore RAT via fake order in password protected word doc with wrong password

    I was sent a message via the submissions system last night with the email the victim received attached. At first glance it looked like the typical password protected word docs we see regularly pretending to be either an order, invoice or resume, that frequently drop or download some sort of ransomware. At first I could not open this word doc using... Read More
  • More AgentTesla keylogger and Nanocore RAT in one bundle

    We are seeing a continuation of even more AgentTesla malspam campaigns again this morning. However today’s is somewhat different to usual and also delivers a Nanocore RAT. Actually the Nanocore RAT  is downloading the AgentTesla keylogger. And after a bit of digging around and seeing an Open Directory listing on the AgentTesla download... Read More
  • Training for groups or organisations that work with vulnerable adults, Tuesday 23 October

    Does your group or organisation work with vulnerable adults? If so, you have an important role to play in helping keep them safe. ‘Keeping Adults Safe’ is an introductory course for community groups and voluntary organisations who work with, engage and deliver activities or services for adults. The next course is on Tuesday 23 October 2018, 9.30am - 4.30pm, in Brighton. Concentrating specifically on the over 18s age group, the course will provide you with an understanding of your role in establishing a safe environment, and what you can do to create this environment. For more information and to book a place, visit: http://bhcommunityworks.org.uk/keep-adults-safe-training/ A small number of free bursary places are available to member organisations with annual income of less than £35,000. Read More
  • Watch out for these fake TV Licensing emails.

    Watch out for these fake TV Licensing emails. We’ve seen a sharp increase in reports about fake TV Licensing emails claiming to offer refunds. The emails state that the refund cannot be processed due to “invalid account details”. The links provided in the emails lead to phishing websites designed to steal personal and financial details. Read More
  • multiple malware delivered from compromised website run on a domestic BT IP address

    As I mentioned earlier in the week, we aren’t seeing massive amounts of malware, especially in the UK at the moment BUT we do see a steady lowish volume stream of commodity malware. These are the standard easy to purchase and use malware tools like Nanocore, Hawkeye, Agent Tesla and other keyloggers or remote access trojans that are so easy... Read More
  • Hawkeye keylogger using fileless delivery system via Amazon AWS

    We have been seeing a massive increase in Malspam emails delivering Hawkeye keylogger / infostealer trojan. The vast majority have either a zip file containing the trojan itself or a malformed word doc either containing macros or using one of the Microsoft Equation Editor Exploits like CVE-2017-0199, CVE-2017-11882 or CVE-2017-8570 that download... Read More
  • voicemail phishing scam involving compromised OneDrive for business site

    We see lots of phishing attempts for email credentials. This one is slightly different than many others and somewhat more  complicated. It pretends to be a message to download a voicemail. You can now submit suspicious sites, emails and files via our Submissions system Remember many email clients, especially on a mobile phone or tablet, only... Read More
  • compromised windstream email sending malspam

    Got a bit of a dodgy one here today, where it looks like the email service for windstream.net has been compromised to allow a miscreant to send malicious emails that are passing all authentication. It is highly likely that it is an individual customer of Windstream that has been compromised, rather than the entire system, but the whole idea of a... Read More
  • Carer Innovations Fund

    The Carer Innovations Fund aims to support accessible, carer-friendly communities and public services and also seeks to provide evidence on effective interventions to support carers.  The fund seeks to identify and promote creative and innovative models that look beyond statutory services to ensure that carers are: Read More
  • Fake order eventually drops Lokibot but something else happens

    I am not entirely sure what the initial binary download with this one is, but there are indications it might be Dark Comet RAT. What we do know is that it drops a Lokibot binary. The word doc is actually a RTF file containing embedded ole objects. This appears to contain 5 identical ole objects that in turn drop an Excel macro enabled worksheet... Read More
  • Free EU Citizens' rights and Brexit: info session and Q&A , Brighton, Thursday 6 December

     Are you an EU citizen living in the UK? Do you have questions about how Brexit will affect your rights to stay here? The embassies of EU countries and the Representation of the European Commission invite EU citizens to an information session in Brighton on EU citizens' rights and Brexit. Read More
  • Fake west-telecom.com Update Notice delivers Qbot backdoor

    It has been very quiet with regards to malware in the UK for the last month or so. All I have been seeing has been the commodity malware like AgentTesla, Hawkeye & Lokibot that is frequently used by Skiddies and low grade bad actors who buy an off the shelf exploit kit and just fill in a few variables. These are so common that I haven’t... Read More
  • claiming to offer a home insulation scheme which is supported by East Sussex County Council.

    East Sussex Trading Standards are warning residents to be vigilant about companies who are cold calling and claiming to offer a home insulation scheme which is supported by East Sussex County Council. However, it is possible that similar improper approaches may be made anywhere across the county. It is not in the remit for East Sussex County Council to support schemes that involve cold calling, and companies claiming that they do are misleading residents and may be breaking the law. This warning follows a spate of recent complaints from residents in Hastings about cold callers falsely offering an ESCC supported insulation scheme, but incidents may also be occurring elsewhere. Read More
  • budget-developers and budgetcoders

    Recently I received an email (shown below). I do think about wordpress a lot; it, along with drupal, and concrete and others, is a major part of my daily life. When I get an email like this ( and thanks to for sending it to me) I have to wonder how far the expectation and experience of the sender goes. At least this one is not promising to put me at the top of "yagoing" or searchhound.com or big4.com with at NS9 compatible site. Let's look at the email, them Me Read More
  • new AgentTesla Keylogger install method – Choice.exe

    We continue to see AgentTesla keylogger / Infostealer on a daily basis. The UK generally has been fairly quiet for malware over the last few months ( since Easter 2019) and we are only seeing the “commodity” malware like AgentTesla, Hawkeye, Nanocore, Lokibot etc on a very frequent basis. Over the last week or 10 days we have noticed a... Read More
  • Urgent to all residents: email delivers Ursnif payload

    These malicious attachments normally have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or other log in credentials.Be very careful with email attachments. Most of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Read More
  • Watch out for these fake account emails.

    We’ve seen an increase in reports about fake account emails claiming that there’s an issue with your account, or that your account has been suspended. The email states that you need to “update” your account details in order to resolve the problem. The link in the emails leads to genuine-looking company phishing websites designed to steal your username and password, as well as payment details. Always question unsolicited requests for your personal or financial information in case it’s a scam. Never automatically click on a link in an unexpected email or text. For more information on how to stay secure online, visit www.cyberaware.gov.uk Message Sent By Action Fraud (Action Fraud, Administrator, National) Read More

    • Find out more about future plans to enrich and protect this special part of the South Downs National Park. • Discover more about the planned improvements at the Truleigh Hill Youth Hostel (YHA) • Talk to YHA staff about holidays, school trips, local and national YHA services. • Sample delicious refreshments from the YHA café. • FREE nature based and wilderness skills activities for all the family throughout the afternoon, coordinated by ‘So Sussex’ • Meet RSPB volunteers and learn about the local wildlife species you might spot – from barn owls to chalk hill blue butterflies • Take a virtual animated tour of the RAF underground bunker at Truleigh Hill, giving you a glimpse into the site’s history and hidden heritage. • Complete our online survey and tell us YOUR views southdowns.gov.uk/truleigh-hill-survey Phil Paulo (Community Landscape Project Officer Truleigh Hill) Email: Phillip.Paulo@southdowns.gov.uk Tel: 01730 819283 FREE Parking available at the YHA. A FREE Shuttle bus will run throughout the afternoon from the junction of Mill Hill and Erringham Road, Shoreham by Sea up to Truleigh Hill YHA and back. Read More
  • AgentTesla Keylogger and Binary Options scam

    We are still not seeing massive amounts of malware currently hitting the UK. We are still seeing the commodity malware like AgentTesla keylogger / info stealer, Nanocore RAT and Hawkeye Keylogger on a very regular basis. Today’s example of an AgentTesla campaign is somewhat more interesting than usual. The email is nothing special and... Read More
  • Docusign phishing scam using a compromised law firm webspace

    Every now and again we see a phishing scam that stops you in your tracks and you think WTF. This is one of them. It starts with a fake Docusign email that contains a link to a bit.ly short url. What makes this one so bad is that the bit.ly short url has been live since 20 August 2019 and as of the time of writing has had 1801 clicks. Now to... Read More
  • Formbook back hitting UK in fake order emails

    We haven’t seen any Formbook malware / Trojan / Info-Stealer hitting the UK for ages, so it was quite surprising to see this one arrive overnight. Unlike previous versions who generally used exploits or macros / embedded ole objects in Microsoft Office to deliver the payload, this is a simple .exe file inside a zip that pretends to be an... Read More
  • Gootkit banking Trojan via Fake UKPC parking penalty appeals

    I am hearing about a return of the fake UKPC parking charge appeals scam which has been quiet for about 1 year. At this time I don’t have a copy of the email that was received by the victim, only the link that was in it. I assume the email will be very similar to the ones described in these 2 posts  [1] [2]. UKPC are a nationwide... Read More