{
	"id": "d9b00987-f003-4d29-9f34-104651e3cfec",
	"created_at": "2026-04-06T00:06:33.127197Z",
	"updated_at": "2026-04-10T03:21:47.944377Z",
	"deleted_at": null,
	"sha1_hash": "1659c9877d15b91f171deac90179db90f2f25d9f",
	"title": "Fake PayPal Site Spreads Nemty Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3840916,
	"plain_text": "Fake PayPal Site Spreads Nemty Ransomware\r\nBy Ionut Ilascu\r\nPublished: 2019-09-08 · Archived: 2026-04-05 16:33:48 UTC\r\nA web page pretending to offer an official application from PayPal is currently spreading a new variant of Nemty ransomware to unsuspecting users.\r\nIt appears that the operators of this file-encrypting malware are trying various distribution channels, as it was recently observed as a payload of the RIG exploit kit (EK).\r\nLuring with cashback rewards\r\nThe latest occurrence of Nemty was observed on a fake PayPal page that promises 3-5% cashback on purchases made through the payment system.\r\nSeveral clues point to the fraudulent nature of the page, which is also flagged as dangerous by major browsers, but users may still fall for the trick and proceed to download and run the malware, which is conveniently named 'cashback.exe'.\r\nSecurity researcher nao_sec found the new Nemty distribution channel and used the AnyRun sandbox to detonate the malware and follow its activity on an infected system.\r\nThe automated analysis showed that it took about seven minutes for the ransomware to encrypt the files on the victim host. However, this may differ from one system to another.\r\nFortunately, the malicious executable is detected by most popular antivirus products on the market. 
A scan on VirusTotal shows that it is detected by 36 out of 68 antivirus engines.\r\nHomoglyph attack\r\nAt first look, the web page seems genuine, as the cybercriminals reused the visuals and the structure of the original page.\r\nTo add to the deception, the cybercriminals also use what is known as homograph domain name spoofing for links to various sections of the site (Help \u0026 Contact, Fees, Security, Apps, and Shop).\r\nThe crooks achieved this by using in the domain name Unicode characters from different alphabets. To distinguish between them, browsers automatically translate such names into Punycode. In this case, what in Unicode looks like paypal.com translates to 'xn--ayal-f6dc.com' in Punycode.\r\nThe Punycode form itself gives the game away: everything before the final hyphen ('ayal') is the ASCII part of the label copied verbatim, and the suffix ('f6dc') encodes the non-ASCII code points and the positions where they are inserted. The two letters missing from 'ayal' are the two 'p's of paypal, which were replaced with the look-alike Cyrillic letter er (U+0440). Whether the address bar shows the Unicode or the Punycode form depends on the browser's IDN display policy; a label that mixes scripts the way this one does is typically rendered as Punycode, which is one of the clues a careful user can spot.\r\nSecurity researcher Vitali Kremez, analyzing this variant of Nemty ransomware, noted that it is now at version 1.4, which comes with minor bug fixes.\r\nOne thing the researcher observed is that the \"isRU\" check, which verifies whether the infected computer is in Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine, has been modified. In the latest version, if the result of the check is positive, the malware does not proceed with the file-encrypting function, the researcher told BleepingComputer.\r\nComputers outside these countries, though, are a target and will have their files encrypted and their shadow copies deleted.\r\nNemty ransomware has been present on cybercriminal forums for some time, but it emerged on the radar of the infosec community towards the end of August, when security researcher Vitali Kremez published details of his analysis. 
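The homograph section above shows only the Punycode string. The Python below is an example added by the editor, not code from BleepingComputer or from the researchers cited in the article. It decodes the xn-- form back to Unicode with the standard library's idna codec, flags any label that mixes scripts, and folds a small hand-picked subset of Cyrillic look-alikes (an assumption: a fragment of the Unicode confusables data, not the full table) onto ASCII so the result can be compared against a list of protected brand names, which is also an assumption for the example.

```python
import unicodedata

# Hand-picked subset of Cyrillic letters that render like Latin ones (assumption:
# a fragment of the Unicode UTS #39 confusables data, not the full table).
CONFUSABLES = {
    '\u0430': 'a',  # CYRILLIC SMALL LETTER A
    '\u0435': 'e',  # CYRILLIC SMALL LETTER IE
    '\u043e': 'o',  # CYRILLIC SMALL LETTER O
    '\u0440': 'p',  # CYRILLIC SMALL LETTER ER, the letter used in the fake paypal.com
    '\u0441': 'c',  # CYRILLIC SMALL LETTER ES
    '\u0443': 'y',  # CYRILLIC SMALL LETTER U
    '\u0445': 'x',  # CYRILLIC SMALL LETTER HA
    '\u0455': 's',  # CYRILLIC SMALL LETTER DZE
    '\u0456': 'i',  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    '\u0458': 'j',  # CYRILLIC SMALL LETTER JE
}

# Brand names to protect (assumption for the example).
PROTECTED = ('paypal.com',)


def to_unicode_and_ace(host):
    # Accept a hostname in either form and return (Unicode form, Punycode/ACE form).
    # Python's idna codec runs the ToUnicode / ToASCII algorithms label by label.
    if host.isascii():
        return host.encode('ascii').decode('idna'), host.lower()
    return host, host.encode('idna').decode('ascii')


def label_scripts(label):
    # Scripts used by the letters of one label, taken from the Unicode character
    # name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens carry no script.
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        if ch.isascii():
            scripts.add('LATIN')
        else:
            scripts.add(unicodedata.name(ch, 'UNKNOWN').split(' ')[0])
    return scripts


def skeleton(host):
    # Fold confusable letters to their ASCII look-alike so a homograph compares
    # equal to the brand it imitates.
    return ''.join(CONFUSABLES.get(ch, ch) for ch in host)


def analyze(host, protected=PROTECTED):
    # Decode, then apply two independent checks: mixed scripts inside one label
    # (the condition that makes browsers fall back to showing the xn-- form) and
    # a skeleton match against a protected brand that is not the brand itself.
    uni, ace = to_unicode_and_ace(host)
    mixed = [lbl for lbl in uni.split('.') if len(label_scripts(lbl)) > 1]
    skel = skeleton(uni)
    hits = [brand for brand in protected if skel == brand and uni != brand]
    return {
        'unicode': uni,
        'ace': ace,
        'mixed_script_labels': mixed,
        'impersonates': hits,
    }


if __name__ == '__main__':
    # The domain from the article next to the genuine one.
    for candidate in ('xn--ayal-f6dc.com', 'paypal.com'):
        result = analyze(candidate)
        print(candidate, '->', result['unicode'], result)
```

For the article's domain the decoder returns the Unicode label with Cyrillic er at positions 0 and 3, label_scripts reports both CYRILLIC and LATIN, and the skeleton collapses to paypal.com while the Unicode form does not equal it, so the name is reported as impersonating the brand. The genuine paypal.com passes both checks. In production the hand-written table should be replaced by the full confusables data, and the script check should allow the script combinations that are legitimate for a given TLD.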
The expert noticed messages and references in the code that made the malware stand out.\r\nBleepingComputer tests showed that the ransom demand was 0.09981 BTC, about $1,000 at the time, and that the payment portal is hosted on the Tor network for anonymity.\r\nAt the end of August, another security researcher, Mol69, saw Nemty being distributed via RIG EK, an odd choice considering that exploit kits are on the brink of extinction because they target products that are themselves on their deathbed: Internet Explorer and Flash Player.\r\nAccording to Yelisey Boguslavskiy of Advanced Intelligence, Nemty was received \"with extreme skepticism and aggression\" on a cybercriminal forum, which is normal in that community. This may also influence its success, which is nothing compared to what Sodinokibi ransomware currently enjoys.\r\nUpdate [09/08/2019, 18:00 EST]: Article updated with new information from security researcher Vitali Kremez.\r\nSource: https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/"
	],
	"report_names": [
		"fake-paypal-site-spreads-nemty-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775433993,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1659c9877d15b91f171deac90179db90f2f25d9f.pdf",
		"text": "https://archive.orkl.eu/1659c9877d15b91f171deac90179db90f2f25d9f.txt",
		"img": "https://archive.orkl.eu/1659c9877d15b91f171deac90179db90f2f25d9f.jpg"
	}
}