{
	"id": "8f2562e6-1efb-467b-a5ec-c35f33245647",
	"created_at": "2026-04-06T00:19:59.816078Z",
	"updated_at": "2026-04-10T03:21:28.341871Z",
	"deleted_at": null,
	"sha1_hash": "66dade937848cde6d8ed4cbf1c8cf8ff67e11311",
	"title": "Global Malicious Spam Campaign Using Black Lives Matter as a Lure | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83988,
	"plain_text": "Global Malicious Spam Campaign Using Black Lives Matter as a\r\nLure | FortiGuard Labs\r\nPublished: 2020-06-15 · Archived: 2026-04-05 17:58:58 UTC\r\nFortiGuard Labs Threat Analysis \r\nAffected platforms:     Windows 10 \u0026 Windows Server 2019\r\nImpacted parties:        Windows 10 version 1809 + and Windows Server version 1903 +\r\nImpact:                        Privilege Escalation \u0026 User-Privacy Settings Violation\r\nSeverity level:              Important\r\nOn June 10, 2020, FortiGuard Labs came across a global malicious spam campaign that is targeting users who\r\nmay be sympathetic to the Black Lives Matter movement that began in the United States. With all of the calamity\r\nof 2020, such as the ongoing COVID-19 pandemic and the numerous protests in the United States and elsewhere,\r\nattackers are leveraging the global news cycle to lure unsuspecting victims to download and open malicious\r\nattachments. \r\nThe campaign uses a variety of subject lines for emails with an attached malicious Microsoft Word document to\r\ncompel the user into opening the attachment. The content of the body is written in haste and uses poor grammar,\r\nbut the Black Lives Matter subject is used to compel victims into opening the attachment:\r\nLeave a review confidentially about [various Black Lives Matter subjects] \r\nClaim in attached file\r\nThese emails utilize variations in subjects and sender names to either circumvent spam filters or to simply create\r\nconfusion. An example of the variety of subjects and senders being used is shown below:\r\nTechnical Details of the Malicious Spam Campaign Using Black Lives Matter to\r\nLure Victims\r\nThe attachment is a standard Microsoft Word document with a generic image enticing the user to enable macros.\r\nWhen we try to examine the macro, we find that it is protected by a password, as is the case with many malicious\r\ndocuments. This adds an additional layer of protection to prevent casual analysis. 
After extracting the macro,\r\nwe also see that an obfuscated string is used to hide the payload. \r\nOnce it goes through the deobfuscation process, we can see that it is using injection to deliver its malicious\r\npayload. In this case, it is loading the stage 1 downloader. \r\nOnce a memory region is created by the call to VirtualProtectEx, a thread is created and executed. This new thread\r\ncontains the actual payload to execute assembly instructions in memory. It then unpacks itself and proceeds to\r\ncontact C2 servers in order to download and execute Trickbot. \r\nhttps://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure\r\nPage 1 of 8\n\nThe campaign uses the same strategy as previous Trickbot attacks. The individuals behind Trickbot have used\r\ntrending topics before to lure victims and extend their installed base. The campaign just prior to the current one\r\nleveraging the Black Lives Matter movement in the United States was focused on COVID-19, which we\r\npreviously analyzed. Performing OSINT research, it appears that the command and control servers used by the\r\nactors behind this latest campaign have also compromised two specific sites, a city government website based in\r\nSouth East Asia using the Joomla CMS, and a manufacturer in the United States that is using WordPress as its\r\nCMS.\r\nAt the time of discovery, FortiGuard Labs was one of a handful of vendors who had detected the sample used in\r\nthis analysis: \r\nFile name: e-vote_form_78211.doc\r\nSHA256: 35E1F022861474407246F0C66218A83019381E8745E4C6B294CF150F401C16DC\r\nDetected as: VBA/Agent.KJMLBSB!tr\r\nGlobal Spread\r\nAnalyzing the domains and infrastructure used by the threat actors, we find that they are all hosted in the Czech\r\nRepublic (CD-Telematika a.s.). 
While this does not mean anything in terms of attribution, it is still interesting that\r\nthis is the ISP chosen by the actors behind this latest Trickbot campaign. Scouring our passive DNS records has\r\nrevealed nothing in terms of past campaigns originating from the identified servers, which is increasingly the case\r\ngiven the reality of easy-to-spin-up virtual private servers and on-demand cloud infrastructures. \r\nWe can also see that a spike developed quite noticeably on the day this was discovered (June 10th). This is true for\r\nall domains related to this specific campaign:\r\nWhile the US and Canada are its primary targets, we have detected variations of this campaign affecting other\r\ncountries as well. Here is a brief breakdown of what we have discovered.\r\nName: mnjcszrh.monster\r\nAddress: 82.202.65.177\r\nBased on our telemetry, the top 5 countries targeted by this specific campaign are Canada (48%) and the United\r\nStates (46%), with France, Cyprus, and Italy having seen activity averaging less than one percent.\r\nName: shmbidgp.monster\r\nAddress: 82.202.65.178\r\nThe top 5 countries targeted by this specific campaign are Canada (48%) and the United States (46%). This time,\r\nFrance, Thailand, and Cyprus have seen less than 1% of activity.\r\nName: ygzggxeh.monster\r\nAddress: 82.202.65.125\r\nWe can now see a pattern developing. The top countries targeted by this specific campaign are again the United\r\nStates (46%) and Canada (45%), this time with Italy, Cyprus, and Oman averaging less than one percent of\r\nactivity. While the US and Canada are clearly the primary targets, Cyprus is consistently included in the spillover.\r\nName: vmrriktf.monster\r\nAddress: 89.203.251.79\r\nInterestingly, based on our telemetry, there were only 4 countries targeted by this specific campaign. 
Other\r\nthan the usual targets of the United States (49%) and Canada (48%), the other countries impacted this time are\r\nRwanda and the United Kingdom, averaging less than one percent of activity.\r\nName: copsbiau.monster\r\nAddress: 89.203.248.175\r\nFinally, our telemetry shows that the top 5 countries targeted by this specific campaign again include the United\r\nStates (61%) and Canada (36%), with Italy and Cyprus again showing up, but this time with Germany\r\nincluded. These three countries have also seen activity averaging less than one percent.\r\nMitigation of the Malicious Spam Campaign\r\nFortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that\r\norganizations maintain a proactive patching routine when vendor updates are available. If it is deemed that\r\npatching is not feasible, it is recommended that IPS be used for proximity control, also known as virtual patching,\r\nand that a risk assessment is conducted to determine additional mitigation safeguards within an environment.\r\nIn the meantime, organizations are strongly encouraged to conduct ongoing training sessions to educate and\r\ninform personnel about the latest phishing/spearphishing attacks. They also need to encourage their employees to\r\nnever open attachments from someone they don’t know, and to always treat emails from unrecognized/untrusted\r\nsenders with caution.\r\nInitial Access Mitigation: FortiMail or other secure mail gateway solutions can be used to block specific file\r\ntypes such as the ones outlined in this blog. FortiMail can also be configured to send attachments to\r\nour FortiSandbox solution (ATP), either on-premises or in the cloud, to determine if a file displays malicious\r\nbehavior. 
FortiGate firewalls with anti-virus enabled, combined with a valid subscription, are able to detect and\r\nblock this threat if properly configured.\r\nExecution: Since it has been reported that this threat has been delivered via social engineering distribution\r\nmechanisms, it is crucial that end users within an organization are made aware of the various types of attacks\r\nbeing delivered using this method. This can be accomplished through regular training sessions and impromptu\r\ntests using predetermined templates by internal security departments within an organization. Simple user\r\nawareness training on how to spot emails with malicious attachments or links could stop initial access into the\r\nnetwork.\r\nFortinet Solutions: If user awareness training fails and a user opens a malicious attachment or link, FortiEDR is\r\nable to prevent TrickBot from executing. FortiClient running the latest up-to-date virus signatures will also detect\r\nand block this file and associated files. The file(s) highlighted in our report are currently being detected with the\r\ncurrent definition: \r\n78.072 (Added Jun 10, 2020)\r\nExfiltration and C\u0026C: A FortiGate located at each of your ingress and egress points with its Web Filtering\r\nservice enabled, and with up-to-date definitions and/or Botnet Security enabled will detect and block any\r\nobservable outbound connections if configured correctly.\r\nWeb Filtering: All network IOCs in this report have been placed on the block list by the FortiGuard Web\r\nFiltering service.\r\nMalicious Word Document Protection: FortiGuard CDR (Content Disarm \u0026 Reconstruction) supported by\r\nFortiMail and FortiGate, processes all incoming files, deconstructs them, and then strips all active content from\r\nthose files in real-time to create a flat, sanitized file. 
CDR fortifies zero-day file protection strategies by\r\nproactively removing any possibility of malicious content in your files.\r\nOther Fortinet Safeguards: It is important to note that as attacks continue to become more sophisticated they can\r\nsometimes circumvent your security defenses. This is why it is important to ensure that, in addition to a layered\r\nsecurity strategy, you also have the ability to detect anomalous activity that could be malicious.\r\nIn addition, our Enterprise Bundle addresses this and similar attacks. The Enterprise Bundle consolidates all the\r\ncybersecurity services you need to protect and defend against all cyberattack channels, from the endpoint to the\r\ncloud, including IoT devices, providing you with the integrated defense needed to tackle today’s advanced threats\r\nsuch as the one outlined here, as well as address today's challenging risk, compliance, management, visibility, and\r\nOperational Security (OT) concerns.\r\nMITRE ATT\u0026CK\r\nSpearphishing Attachment\r\nID: T1193\r\nTactic: Initial Access\r\nPlatform: Windows\r\nScripting\r\nID: T1064\r\nTactic: Defense Evasion, Execution\r\nPlatform: Windows\r\nDefense Evasion\r\nID: T1064\r\nTactic: Defense Evasion, Execution\r\nPlatform: Windows\r\nStandard Application Layer Protocol\r\nID: T1071\r\nTactic: Command And Control\r\nPlatform: Windows\r\nStandard Cryptographic Protocol\r\nID: T1032\r\nTactic: Command And Control\r\nPlatform: Windows\r\nIndicators of Compromise\r\nFile name: e-vote_form_78211.doc\r\nSHA256: 35E1F022861474407246F0C66218A83019381E8745E4C6B294CF150F401C16DC\r\nDetected as: VBA/Agent.KJMLBSB!tr\r\nNetwork IOCs:\r\ncopsbiau.monster\r\nvmrriktf.monster\r\nygzggxeh.monster\r\nmnjcszrh.monster\r\nshmbidgp.monster\r\nOther Samples Related to this Campaign:\r\nDetected as 
VBA/Agent.KJMLBSB!tr:\r\n3C1639044254CF6359062245277F56404D344A21BE60F61D0EBD94476140F45F\r\n2CABAA75A44532D4FD4064AD9C6F6E1C5E5FDDFE012310591908D79EC71FB7E6\r\n7295626EBB7105FAE83C12C0FAC28DF28F86B534E91F6FB37EA27E75BECC8868\r\nB8DB4896C48BAF52BCD63CB77B5823F572BF3873A2BF80C8FD138559119CA231\r\n153179D234D351C03908FDF7A8D5AE208D7F3CD033931C633F2F376B1C6C1CBB\r\n8724262B8712118BDFA5FFA33AE86D3598AD988031F085D9EF5738335DFB9B57\r\nBC0EEF72D7B1BF11866E36A9782C353AF9FA554278B8A356A7AAC825AE752D5D\r\nD33E69B4AA5E339BAB3DCE17A8239D5EB5C28C029FA8E1C0CECEA69CB1A4BC1B\r\nC9D7BDCEDDC35B22087FBE25B31226941A85D45FF942CC057DE4077131BA2FAD\r\n1FDAA84F98E629A987EF1ECFD6776AA2EA1D9864A422F26B046F37B2C3464C8C\r\n024A8F2A3970DF1C34F96770122707A6A60C489318355878517C5A0BAAFC2453\r\nEEDAB538265E5AB516970BA552C3FBD00E932B1A0317A490C60F619283D601E8\r\n84E3CFCE2B0F54C908EB2E7E0B2732C86D9CDDC4A2B1BC59D13D8FFD51F54A53\r\nAD0C6D76CEE136E36C6D7A3D8BBA806B5A81DB35999E1183BC2DF58C8E8DB000\r\nC269CBFFEC913FE22458EBAF05A0B70FDD339F39123C9809C4997BB40107A73F\r\n1404CEC62F967DAE0F5BC3E59254210F254430ACA6A4FF47907DB9E03863575F\r\n
67588AE687109031D7D6B428AAA14708110DAB5C9F117E3D30D5B0D234CF5DAE\r\n7289D1B123109CB001A8C9F03C1EC087FEC85E958C63DC0315DDEBBAE82E0E10\r\n50B3D47D816B27F2E57C6BFC9CEC866E0A1DFA64226679B3D434443016D1DE0A\r\nDB16691F55FCF190C8F7CB3B64D9E4E003739E07F153DA18F58C4525E6CCDB95\r\n17FFF7062C525CC1F0293FC9693982D793F44E483BAB57FD2330CA5769CF4BF1\r\nED6E0DD584A9901710538217F410C73DE2C9EFF8DBDEB5DF57E7D42936135A65\r\n35E1F022861474407246F0C66218A83019381E8745E4C6B294CF150F401C16DC\r\n2781A00A240926AF3EA55E84F1700908200F5C7DBF889CD3F006DE6B2BC73F43\r\nE449FC1EF3C8AA7BB6C3B6C323A9E465F26C05381912F128FDE901234C8E5596\r\n55BFD2C3B70CB561EC87721B871C1B87DFAA6FCF22778E67063E86A1E6CFBA7E\r\nAF1FD845B7488CE9582409FD9A7A8A8E9FCA0C4D366966CD3B8DFDFFADA99F98\r\nCF16FB4DBE65217577DDAEA92FC4A9EE614689DCAFD2FD781A469277CE2E35F8\r\nEmpowering CTA \r\nFortiGuard Labs has shared the findings in this report with fellow Cyber Threat Alliance members, including file\r\nsamples and indicators of compromise. CTA members use this intelligence to rapidly deploy protections to their\r\ncustomers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat\r\nAlliance, visit cyberthreatalliance.org.\r\nLearn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and\r\nServices portfolio. Sign up for the weekly Threat Brief from FortiGuard Labs. \r\nLearn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert\r\nprogram, Network Security Academy program, and FortiVet program.\r\nKnow your vulnerabilities – get the facts about your network security. 
A Fortinet Cyber Threat Assessment can\r\nhelp you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and\r\nPerformance.\r\nSource: https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure"
	],
	"report_names": [
		"global-malicious-spam-campaign-using-black-lives-matter-as-a-lure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434799,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66dade937848cde6d8ed4cbf1c8cf8ff67e11311.pdf",
		"text": "https://archive.orkl.eu/66dade937848cde6d8ed4cbf1c8cf8ff67e11311.txt",
		"img": "https://archive.orkl.eu/66dade937848cde6d8ed4cbf1c8cf8ff67e11311.jpg"
	}
}