{
	"id": "2cb40f40-701c-4f76-bb25-bdca75dcefd1",
	"created_at": "2026-04-06T00:09:01.660624Z",
	"updated_at": "2026-04-10T13:12:55.189372Z",
	"deleted_at": null,
	"sha1_hash": "750159de13a185667294dd78f88f3b814fd563b9",
	"title": "Info-stealer Campaign targets German Car Dealerships and Manufacturers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79440,
	"plain_text": "Info-stealer Campaign targets German Car Dealerships and Manufacturers\r\nBy etal\r\nPublished: 2022-05-10 · Archived: 2026-04-05 13:40:33 UTC\r\nIntroduction:\r\nIt started with a seemingly benign email, dealing with the purchase of a vehicle, and ended in the reveal of a months-long campaign targeting German organizations. Most of the targets are related to the German auto-industry sector, and the attacks were designed to deploy various types of info-stealing malware. The threat actors behind the operation registered multiple lookalike domains, all imitating existing German auto businesses, which they later used to send phishing emails and to host the malware infrastructure.\r\nIn the following publication, we review the details of this operation, from the initial infrastructure preparations, through the different infection-chain stages, to the details of the final payloads.\r\nKey findings:\r\nDedicated campaign targeting German companies with a focus on German car dealerships and manufacturers.\r\nExtensive infrastructure designed to look like existing German car dealerships and manufacturers.\r\nEmails with receipts and contracts in German, designed to instill confidence and lure recipients, were sent to carefully selected targets.\r\nThe main malware hosting site is an Iranian-hosted non-governmental website with a double connection to the campaign.\r\nDetailed description:\r\nGermans love their cars, goes the cliché, which might have been the inspiration for a malicious email received by a German business.\r\nThe email was designed to look as if it had been sent from a car dealership, autohous[.]lips, with the subject line “re: order.” Written in German, the email includes an ISO file attachment labeled as “vehicle invoice.” When the recipient double-clicked the ISO attachment, a short warning message appeared, after which the user was required to open an .HTA (HTML Application) file.\r\nhttps://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/\r\nPage 1 of 10\r\nThe use of ISO disk image archives is a known technique used to bypass the NTFS Mark-of-the-Web (MOTW) trust control. (See MITRE ref. here)\r\nFiles extracted from ISO archives are not tagged with MOTW, and therefore, even if they are downloaded from the internet, no warning is displayed to the user.\r\nFigure 3 – Alert pop-up for opening an email attachment\r\nArchived in the ISO file is an .HTA file, which is opened by the Mshta.exe utility in Windows OS. It is often used by threat actors to execute HTML files with embedded JavaScript or VBScript. Even advanced threat groups such as APT29 were recently reported to use this combination of ISO and HTA files against European diplomats.\r\nFigure 4 – Infection chain\r\nThe HTA file includes HTML code to display a purchase contract in German.\r\nFigure 5 – Car purchase contract displayed to victim\r\nWhile Mshta.exe displays a decoy car purchase contract, in the background it executes VBScript code. We found several versions of these scripts, some triggering PowerShell code, some obfuscated and others in plain text. All of them download and execute various MaaS (Malware as a Service) info-stealers.\r\nFigure 6 – .HTA file content\r\nWith later versions of the HTA file, PowerShell code is used to change registry values to enable Office macros and to run Outlook attachments and files downloaded from the internet in non-protected mode.\r\nFigure 7 – Deobfuscated PowerShell code for registry setup\r\nInfrastructure\r\nThe first email we examined was sent from autohous-lips[.]de. It is a lookalike domain which was registered and resolved shortly before it was used to send the email. Another email which carried a similar .ISO archive was sent from fiat-amenn[.]de.\r\nBoth email addresses impersonate existing car-related businesses in Germany.\r\nMapping the domains to their hosting servers’ IP addresses, we encountered more than 30 other domains, all registered in recent months, all of which imitate existing German auto-industry-related businesses with a single-character variation.\r\nFigure 9 – Mapping of domains to hosting servers’ IPs\r\nUsing these domains as our starting point, we tracked more emails on VirusTotal that were part of this campaign. These additional emails were sent from 6 of the previously discovered domains. In one case, auto-falkanhahn[.]de, the threat actors used this domain as a malware-hosting site for their final payload. Although the first malicious email we tracked dated back to the end of July 2021, most of the emails we found were sent in three waves: at the end of October 2021, the end of November 2021 and mid-March 2022.\r\nFigure 10 – Impersonated domains and websites and their lookalike domains\r\nThe attackers began registering domains before the attacks, and we noticed this trend continued as we tracked the operation.\r\nFigure 11 – Gradual resolution periods of lookalike domains\r\nDropped payloads\r\nWe encountered three methods of hosting the payloads. In the first wave of emails, the malware-hosting sites used DuckDNS URLs. In one case we found a direct URL to one of the lookalike domains. The majority of cases used a single website hosted in Iran – bornagroup[.]ir.\r\nWe encountered several executables hosted on this site, which frequently changed their location and type (see Appendix). The payloads were MaaS (Malware as a Service) info-stealers: AZORult, BitRAT and Raccoon. All are available for purchase in various markets and groups.\r\nVictimology and attribution\r\nWe traced 14 targeted entities. All of the targets are German or related to German businesses, and most of them are connected to the auto industry, ranging from car dealerships to manufacturers; the targets we located fit these characteristics.\r\nThe identity of who is behind this operation is not clear. We found certain connections to Iranian non-state entities, but it is unclear whether they were legitimate sites that were compromised or have a more substantial connection to this operation.\r\nBornagroup[.]ir is the main site used in this campaign to host various info-stealers. It was registered using the email address amir_h_22@yahoo[.]com by an “Amir Heidari Forooshani.” This persona is connected to the campaign from two distinct sources. On one side, bornagroup[.]ir is used to host various info-stealers, and it is used in multiple emails sent from a net of dedicated lookalike domains.\r\nFigure 12 – Hosting site double relation to German operation\r\nFrom another side, the sub-domain santandbnkplc[.]turbocell[.]ir, registered by the same registrant (Heidari), was used in a phishing operation targeting customers of a subsidiary of a Spanish bank in South America (Santander Bank). Another part of this “Santander” campaign is hosted on the same Iranian ISP. Its domain is registered under a name impersonating another German vehicle entity, “Kfz – Sauter GmbH \u0026 Co. KG”. This same entity, “Kfz – Sauter GmbH \u0026 Co. KG”, was used to register a lookalike domain, groupschumecher[.]com, which is part of the main German-Auto campaign. This double connection may imply a more substantial Iranian link to the campaign.\r\nTop 5 Anti-Phishing Principles\r\nInform Employees About Corporate Email Policies:\r\nEvery organization should have an email security policy, including anti-phishing principles defining acceptable use of email (and other communications solutions). This policy should describe acceptable and unacceptable use and how to respond to potential attacks (i.e. reporting suspicious emails to IT and deleting any known phishing content).\r\nReview Password Security Best Practices:\r\nUser credentials are one of the primary targets of cybercriminals. If an attacker has an employee’s password, it can be much more difficult to detect ongoing attacks since they can masquerade as a legitimate user. Additionally, employees commonly use the same password for multiple online accounts, meaning that a single breached password can grant an attacker access to a number of the employee’s online accounts. For this reason, credential theft is a common goal of phishing emails. It is important to educate employees about the threat posed by phishing emails and about password security best practices.\r\nDeploy an Automated Anti-Phishing Solution:\r\nDespite an organization’s best efforts, employee cybersecurity education will not provide perfect protection against phishing attacks. These attacks are growing increasingly sophisticated and can even trick cybersecurity experts in some cases. While phishing education can help to reduce the number of successful phishing attacks against the organization, some emails are likely to sneak through. Minimizing the risk of phishing attacks to the organization requires AI-based anti-phishing software capable of identifying and blocking phishing content across all of the organization’s communication services (email, productivity applications, etc.) and platforms (employee workstations, mobile devices, etc.). This comprehensive coverage is necessary since phishing content can come over any medium, and employees may be more vulnerable to attacks when using mobile devices.\r\nEducate Employees About Current Phishing Threats:\r\nPhishing attacks use human nature to trick people into doing something that the attacker wants. Common techniques include creating a sense of urgency and offering the recipient of the email something that they desire, which increases the probability that the target will take action without properly validating the email. By offering information, goods, or opportunities related to a current event or creating a situation where the recipient believes that something has gone wrong (like a fake package delivery notification), these emails increase their probability of getting clicks. Phishing techniques and the pretexts used by cybercriminals to make their attacks seem realistic change regularly. Employees should be trained on current phishing trends to increase the probability that they can identify and properly respond to phishing attacks. The organization’s email policy should be regularly reviewed as part of the organization’s cybersecurity awareness training.\r\nConclusion\r\nWe discovered a targeted attack aimed at German businesses, mainly car dealers. The threat actors are using a vast infrastructure designed to mimic existing German companies. The attackers used phishing emails with a combination of ISO\\HTA payloads that, if opened, would infect victims with various info-stealing malware.\r\nWe do not have conclusive evidence of the attackers’ motivation, but we believe it was more than simply harvesting credit card details or personal information. We have evidence that this is an ongoing campaign that has been conducted since at least July 2021 (or possibly even earlier, since March). It may be related to industrial espionage or business fraud, but more information is required to establish the attackers’ exact motivation.\r\nThe targets are carefully selected, and the way the phishing emails were sent would allow correspondence between the victims and attackers. One possibility is that the attackers were trying to compromise car dealerships and use their infrastructure and data to gain access to secondary targets like larger suppliers and manufacturers. That would be useful for BEC (Business Email Compromise) fraud or industrial espionage.\r\nThe social engineering attracted our attention: how the threat actors selected the businesses to impersonate, as well as the phrasing of the emails and the attached documents. This type of attack is all about convincing the recipient of the authenticity of the lure. Gaining access to several victims at the same time gives a significant advantage to the attacker.\r\nCheck Point customers are protected against this attack.\r\nAppendix – IoC\r\nDomains:\r\nHashes:\r\nSource: https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/"
	],
	"report_names": [
		"a-german-car-attack-on-german-vehicle-businesses"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434141,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/750159de13a185667294dd78f88f3b814fd563b9.pdf",
		"text": "https://archive.orkl.eu/750159de13a185667294dd78f88f3b814fd563b9.txt",
		"img": "https://archive.orkl.eu/750159de13a185667294dd78f88f3b814fd563b9.jpg"
	}
}