{
	"id": "d317896b-a49b-4270-a063-f3c3c4d3e6a4",
	"created_at": "2026-04-06T00:19:58.208257Z",
	"updated_at": "2026-04-10T03:36:25.295836Z",
	"deleted_at": null,
	"sha1_hash": "1047f9ad36e6b3d15e3635ff606bb1b2e539800b",
	"title": "Teslacrypt Spam Campaign: \"Unpaid Issue...\" | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 362650,
	"plain_text": "Teslacrypt Spam Campaign: \"Unpaid Issue...\" | Malwarebytes\r\nLabs\r\nBy Malwarebytes Labs\r\nPublished: 2016-03-17 · Archived: 2026-04-05 12:51:35 UTC\r\nWe have all seen the current upsurge in Ransomware attacks. It has been covered on an international scale, with\r\nnew variants appearing at a very fast pace, some target Windows, some target Macs and some have cross platform\r\ncapabilities.\r\nRecently a major healthcare organization fell victim to Ransomware, and surely there are more high profile\r\nvictims to come. Enterprises face an ever growing threat landscape and the majority of businesses do not report or\r\nacknowledge having become a victim of Ransomware. This is due to the possible repercussions, such as loss of\r\ncustomer confidence, degraded reputation and embarrassment, which leads to an inevitable loss of profit and\r\nbusiness.\r\nCyber-criminals are aware of these repercussions and have crafted their attacks to include threats such as releasing\r\nspecific information related to victims, as we saw with Chimera Ransomware, utilizing a type of cyber-extortion\r\nto ensure they achieve their objective of being paid the ransom. Cyber criminals select targets that may give in to\r\ntheir demands, and targeting a major health care organization is more than likely going to generate a paid ransom.\r\nCyber criminals continue to use exploit kits to infect victims with ransomware but they also use MALSPAM\r\nemails to lure possible victims – a key vector into an enterprise environment that lacks the proper security\r\ncontrols, and one with insufficient information security training for end users. 
Some examples are email messages\r\nclaiming to relate to an overdue bill or invoice, using such terminology in the subject line and in the attached file\r\nname, such as invoice.zip or payment_doc_298427.zip.\r\nThe email seen below is an example of how the attack is orchestrated (thanks to Conrad Longmore for the\r\nemail example):\r\nFrom: Jennie bowles\r\nDate: 10 March 2016 at 12:27\r\nSubject: GreenLand Consulting – Unpaid Issue No. 588\r\nDear Client! For the third time we are reminding you about your unpaid debt. You used to ask for our\r\nRespectfully, Jennie bowles\r\nChief Accountant\r\n707 Monroe St FL 58833\r\n928-429-4994\r\nThe emails usually contain a ZIP file which in turn contains a malicious script/downloader. Upon running this specific\r\nmalicious script/downloader I was greeted by Teslacrypt ransomware (69.exe) served from hellomississmithqq[.]com /\r\nIP: 54.212.162.6 (both currently blocked by Malwarebytes Anti-Malware Malicious Website protection).\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/\r\nPage 1 of 3\r\n[Figure: obfuscated malicious script/downloader]\r\nMalicious script file: 858dc7fac3580c69d6086ac4d5d148a3\r\n[Figure: Fiddler capture showing the download of 69.exe (Teslacrypt ransomware file)]\r\nTeslacrypt file 69.exe: 1E0B12117190A08B89F4200CB79DAE5E\r\nAfter 69.exe is downloaded by the malicious script/downloader, it executes, encrypts targeted files and issues an\r\nHTTP POST to its Command and Control server.\r\n[Figure: data sent to Command and Control about the newly infected system]\r\nNoted below are some of the associated domains / IPs identified from the above sample. This Teslacrypt\r\nransomware campaign has recently morphed into a hybrid Teslacrypt / Locky ransomware campaign. 
The\r\naforementioned domain hellomississmithqq[.]com was seen serving up both Teslacrypt and Locky ransomware\r\non 10 March 2016.\r\nIdentified command and control:\r\nmultibrandphone[.]com\r\nvtechshop[.]net\r\nsappmtraining[.]com\r\nshirongfeng[.]cn\r\ncontrolfreaknetworks[.]com\r\ntele-channel[.]com\r\nIP addresses associated with hellomississmithqq[.]com:\r\n46(dot)108.108.182\r\n54(dot)212.162.6\r\n78(dot)135.108.94\r\n134(dot)19.180.8\r\n202(dot)120.42.190\r\n216(dot)150.77.21\r\n142(dot)25.97.48\r\nOther domains that have been identified in this ongoing campaign:\r\nJoecockerhereqq[.]com\r\nblizzbauta[.]com\r\nyesitisqqq[.]com\r\nhowareyouqq[.]com\r\nthisisitsqq[.]com\r\nblablaworldqq[.]com\r\nfromjamaicaqq[.]com\r\nhellomydearqq[.]com\r\nwitchbehereqq[.]com\r\narendroukysdqq[.]com\r\nitisverygoodqq[.]com\r\ngoonwithmazerqq[.]com\r\nhelloyoungmanqq[.]com\r\ninvoiceholderqq[.]com\r\nmafianeedsyouqq[.]com\r\nmafiawantsyouqq[.]com\r\nsoclosebutyetqq[.]com\r\nisthereanybodyqq[.]com\r\nlenovomaybenotqq[.]com\r\nlenovowantsyouqq[.]com\r\nhellomississmithqq[.]com\r\nthisisyourchangeqq[.]com\r\nwww.thisisyourchangeqq[.]com\r\ngutentagmeinliebeqq[.]com\r\nhellomisterbiznesqq[.]com\r\nRansomware is not going away; on the contrary, it is becoming more and more prevalent, with new variants coming\r\nout at a fast pace and targeting multiple platforms. It is recommended that users run anti-malware protection,\r\nespecially one that has a website protection option. Malwarebytes has an Anti-Ransomware Beta product that\r\nblocks most ransomware attacks. Furthermore, it is recommended that users remain vigilant, do not click on\r\nURL links in suspicious emails, and do not open any files contained in these emails. 
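The indicators above are written in two defanged styles, [.] and (dot). The Python below is an added example, not code from the original post: it refangs exactly those indicators and matches them against a few constructed web-proxy log lines and against a file hash. The log lines, their 'timestamp client method url status' format and the example.com entry are assumptions made here; the domains, IPs and hashes are the ones listed on this page. Matching on parent domains, so that a subdomain of a listed C2 also hits, goes beyond the flat list the page gives.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the page above, in the defanged forms the page uses.
PAGE_DOMAINS = '''
hellomississmithqq[.]com multibrandphone[.]com vtechshop[.]net sappmtraining[.]com
shirongfeng[.]cn controlfreaknetworks[.]com tele-channel[.]com Joecockerhereqq[.]com
blizzbauta[.]com yesitisqqq[.]com howareyouqq[.]com thisisitsqq[.]com blablaworldqq[.]com
fromjamaicaqq[.]com hellomydearqq[.]com witchbehereqq[.]com arendroukysdqq[.]com
itisverygoodqq[.]com goonwithmazerqq[.]com helloyoungmanqq[.]com invoiceholderqq[.]com
mafianeedsyouqq[.]com mafiawantsyouqq[.]com soclosebutyetqq[.]com isthereanybodyqq[.]com
lenovomaybenotqq[.]com lenovowantsyouqq[.]com thisisyourchangeqq[.]com
www.thisisyourchangeqq[.]com gutentagmeinliebeqq[.]com hellomisterbiznesqq[.]com
'''.split()
PAGE_IPS = '''
46(dot)108.108.182 54(dot)212.162.6 78(dot)135.108.94 134(dot)19.180.8
202(dot)120.42.190 216(dot)150.77.21 142(dot)25.97.48
'''.split()
PAGE_HASHES = {
    '858dc7fac3580c69d6086ac4d5d148a3': 'malicious script/downloader',
    '1e0b12117190a08b89f4200cb79dae5e': '69.exe (Teslacrypt)',
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ([.] or (dot) style) into its real, lower-cased form."""
    return ioc.strip().lower().replace('[.]', '.').replace('(dot)', '.')


DOMAINS = {refang(d) for d in PAGE_DOMAINS}
IPS = {refang(i) for i in PAGE_IPS}


def match_host(host: str) -> Optional[str]:
    """Return the page indicator that host matches, or None.
    Domains match on the host itself or on any parent label, so a subdomain of a
    listed C2 also hits (parent matching is an extension of the page's flat list)."""
    host = host.lower().rstrip('.')
    if host in IPS:
        return host
    labels = host.split('.')
    for i in range(len(labels) - 1):
        candidate = '.'.join(labels[i:])
        if candidate in DOMAINS:
            return candidate
    return None


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Scan proxy-log lines in the assumed format 'timestamp client method url status'
    and return (client, url, matched_indicator) for every line whose host hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname
        if not host:
            continue
        ioc = match_host(host)
        if ioc:
            hits.append((client, url, ioc))
    return hits


def check_hash(digest: str) -> Optional[str]:
    """Look up a file hash (case-insensitive) against the two hashes the page lists."""
    return PAGE_HASHES.get(digest.strip().lower())


# Constructed sample log, not real traffic: a download of the dropper from the page's
# domain, a POST to a listed C2, a benign request, a fetch from a listed IP and a hit
# on the www. variant the page lists explicitly.
SAMPLE_LOG = '''
1457612345.123 10.0.0.5 GET http://hellomississmithqq.com/69.exe 200
1457612399.004 10.0.0.5 POST http://multibrandphone.com/ 200
1457612400.500 10.0.0.7 GET http://www.example.com/index.html 200
1457612401.777 10.0.0.9 GET http://54.212.162.6/69.exe 200
1457612402.001 10.0.0.9 GET https://www.thisisyourchangeqq.com/ 200
'''

if __name__ == '__main__':
    for client, url, ioc in scan_proxy_log(SAMPLE_LOG):
        print(client, url, 'matched', ioc)
    print(check_hash('1E0B12117190A08B89F4200CB79DAE5E'))
```

Two caveats when using this against real logs: it matches only on the request host, so an indicator that shows up in a path or Referer header is not caught, and the domain list is a point-in-time snapshot of a campaign that was already cycling through new -qq[.]com names, so a miss here does not clear a host.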
Keep proper backups, ideally ones the infected host cannot reach, as most ransomware deletes Windows shadow copies.\r\nMalwarebytes Anti-Malware detects this Teslacrypt sample, and its malicious website protection blocks the\r\ndownload domain / Command \u0026 Control domains as well.\r\nAndres\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/"
	],
	"report_names": [
		"teslacrypt-spam-campaign-unpaid-issue"
	],
	"threat_actors": [
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434798,
	"ts_updated_at": 1775792185,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1047f9ad36e6b3d15e3635ff606bb1b2e539800b.pdf",
		"text": "https://archive.orkl.eu/1047f9ad36e6b3d15e3635ff606bb1b2e539800b.txt",
		"img": "https://archive.orkl.eu/1047f9ad36e6b3d15e3635ff606bb1b2e539800b.jpg"
	}
}