{
	"id": "72f55794-1ac1-4903-bf9f-647acec4193e",
	"created_at": "2026-04-06T01:30:14.464457Z",
	"updated_at": "2026-04-10T03:20:05.446502Z",
	"deleted_at": null,
	"sha1_hash": "43e021aad291687cae45d20435830469bd3f60ae",
	"title": "Week 7: Supposed order confirmation delivers malware and new variants in fake extortion emails",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74317,
	"plain_text": "Week 7: Supposed order confirmation delivers malware and new\r\nvariants in fake extortion emails\r\nBy Federal Department of Defence, Civil Protection and Sport DDPS\r\nArchived: 2026-04-06 00:30:23 UTC\r\nWeek 7: Supposed order confirmation delivers malware and new variants in fake\r\nextortion emails\r\n22.02.2022 - Last week, the NCSC received a persistently high number of reports. Hackers are attempting\r\nto distribute remote access malware by means of bogus order notifications. In addition, there has been an\r\nincrease in the spread of fake extortion emails being sent in the name of prosecution authorities, and they\r\nare now written in German as well.\r\nBogus order confirmations contain remote access malware\r\nThe way people shop has changed since 2019, with a shift towards online shopping. Fraudsters are taking\r\nadvantage of this trend by sending bogus parcel notifications. In most cases, the emails sent involve credit card\r\nphishing or ask the recipient to purchase paysafecards and provide the codes.\r\nA suspicious email was forwarded to the NCSC last week, and an analysis of it revealed a new modus operandi:\r\nThe email contained a notification that an order had been received and that it was now being processed.\r\nIntentionally, the fraudsters did not include any references to any seller or items purchased; only a meaningless\r\norder number was listed.\r\nThe attachment is an HTML file with a cryptic name. When this file is executed, the download of an additional\r\nISO file must be permitted. This is when all alarm bells should be ringing, at the very latest.\r\nISO files are treated by computers like executable CDs and DVDs, and often contain installation media for games\r\nor office programmes, for example.\r\nhttps://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html\r\nPage 1 of 2\n\nIn this case, the program contained malware called AsyncRAT. 
RAT stands for \"remote access tool\", which allows\r\nan attacker to access the infected computer remotely.\r\nRemote access to the computer gives an attacker the opportunity to steal data stored on it and also to upload and\r\ninstall other malware in order to be able to intercept passwords when they are entered, for example.\r\nBe wary of all unsolicited email notifications you receive.\r\nBe especially suspicious if you are asked to open or download a file.\r\nNever allow your computer to execute files obtained in this way.\r\nReport such cyberincidents to the NCSC and, if possible, send us the email in question.\r\nNCSC-Reporting form\r\nFake extortion emails in the name of various police authorities are now also being\r\nsent in German\r\nIn recent weeks, thousands of fake extortion emails written in French in the name of almost a dozen different law\r\nenforcement agencies were found in the email inboxes and spam folders of Swiss citizens. In France, this form of\r\nfraud has been known for years. At the end of last year, the fraudsters began to focus on the French-speaking part\r\nof Switzerland and now more and more emails of this type are appearing in Ticino (with Italian authority logos)\r\nand in German-speaking Switzerland (with German authority logos).\r\nThe emails make drastic accusations against the recipients in the name of randomly composed prosecution\r\nauthorities. The aim is to get the recipients to reply to the email address mentioned in the letter. If someone\r\ncontacts the fraudsters, they promise to drop the alleged \"accusations\" against payment of a high four-digit sum of\r\nmoney. However, this is not the end of the story for people who do pay the amount requested. In these cases, the\r\nfraudsters keep coming back with new demands for money until the victim finally realises the fraud and stops\r\npaying. 
The resulting loss can be very considerable.\r\nSince the email addresses used by the fraudsters are crucial for communicating with the victims and sending such\r\nmessages en masse, the NCSC reports the email addresses used by the attackers to the corresponding email\r\nproviders. Currently, these are mostly student email accounts at various universities. In some cases, the NCSC's\r\nrapid intervention stopped further emails from being sent, thus averting potential loss.\r\nDo not allow yourself to be put under pressure and do not react to such threats.\r\nIgnore such messages and mark them as spam.\r\nCurrent statistics\r\nLast week's reports by category:\r\nCurrent figures\r\nSource: https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html"
	],
	"report_names": [
		"wochenrueckblick_7.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439014,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43e021aad291687cae45d20435830469bd3f60ae.pdf",
		"text": "https://archive.orkl.eu/43e021aad291687cae45d20435830469bd3f60ae.txt",
		"img": "https://archive.orkl.eu/43e021aad291687cae45d20435830469bd3f60ae.jpg"
	}
}