{
	"id": "1b140152-82b7-4509-9866-560f073421e5",
	"created_at": "2026-04-06T00:14:29.314737Z",
	"updated_at": "2026-04-10T03:20:07.623693Z",
	"deleted_at": null,
	"sha1_hash": "efc97d955fbda40e5dda790fdb7654c50fef50a6",
	"title": "New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1739986,
	"plain_text": "New .DOC GlobeImposter Ransomware Variant Malspam Campaign\r\nUnderway\r\nBy Lawrence Abrams\r\nPublished: 2017-12-22 · Archived: 2026-04-05 16:14:34 UTC\r\nA new malspam campaign is underway that is distributing a GlobeImposter variant that appends the ..doc extension to\r\nencrypted files. This malspam is pretending to photos being sent to the recipient and will have a subject line that starts in a\r\nsimilar way to \"Emailing: IMG_20171221_\".\r\nGlobeImposter MalSpam\r\nThese malspam emails contain7zip (.7z) archive attachments that are named after a camera photo's filename such as\r\nIMG_[date]_[number].  These 7z files contain a obfuscated .js file that when double-clicked  on will cause the\r\nGlobeImposter ransomware to be downloaded from a remote site and executed.\r\nAn example of this JS installer can be seen below. \r\nhttps://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/\r\nPage 1 of 7\n\nObfuscated JS Installer\r\nAfter the executable is downloaded, it will be executed and the GlobeImposter ransomware will begin to encrypt the\r\ncomputer. When encrypting files on the computer it will append the ..doc extension to encrypted file's name. For example, a\r\nfile called 1.doc would be renamed to 1.doc..doc.\r\nhttps://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/\r\nPage 2 of 7\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/\r\nPage 3 of 7\n\nVisit Advertiser websiteGO TO PAGE\r\nEncrypted Folder\r\nWhen GlobeImposter encrypts files it will also create a ransom note named Read___ME.html in each folder a file is\r\nencrypted.  \r\nRansom Note\r\nThis ransom note contains instructions to use Tor to go to the http://n224ezvhg4sgyamb.onion/sup.php onion site.  
This site\r\nthen tells you to contact them to receive payment instructions and to decrypt one file for free. It also lists the email address\r\nserver5@mailfence.com as a way to contact them.\r\nTor Payment Site\r\nIt also contains a link to a support site where you can send them a message.\r\nTor Support Site\r\nUnfortunately, at this time there is no way to decrypt GlobeImposter files for free. For support or help with this ransomware\r\ninfection, you can ask in our dedicated GlobeImposter Ransomware Support topic.\r\nHow to protect yourself from the GlobeImposter Ransomware\r\nIn order to protect yourself from the GlobeImposter Ransomware you should use standard security practices. This includes\r\nusing good computing habits and security software. First and foremost, you should always have a reliable and tested backup\r\nof your data that can be restored in the case of an emergency, such as a ransomware attack.\r\nYou should also have security software that incorporates behavioral detections to combat ransomware and not just signature\r\ndetections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral\r\ndetection that can prevent many, if not most, ransomware infections from encrypting a computer.\r\nLast, but not least, make sure you practice the following security habits, which in many cases are the most important steps of\r\nall:\r\nBackup, Backup, Backup!\r\nDo not open attachments if you do not know who sent them.\r\nDo not open attachments until you confirm that the person actually sent them to you.\r\nEnable the showing of file extensions. 
\r\nIf an attachment ends with .js, .vbs, .exe, .scr, or .bat, do not open it for any reason.\r\nScan attachments with tools like VirusTotal.\r\nMake sure all Windows updates are installed as soon as they come out! Also make sure you update all programs,\r\nespecially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly\r\nexploited by malware distributors. Therefore it is important to keep them updated.\r\nMake sure you have some sort of security software installed that uses behavioral detections or white list\r\ntechnology. White listing can be a pain to train, but if you're willing to stick with it, it could have the biggest payoffs.\r\nUse hard passwords and never reuse the same password at multiple sites.\r\nFor a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against\r\nRansomware article.\r\nA big thanks to Eric Taylor of IT-Simplified for pointing out the malspam campaign.\r\nIOCs\r\nDoc GlobeImposter Variant Hashes:\r\nSHA256: 15e8c986c4602c61a474b51d250e03d5bb178eabc8c5a82a242c1a0fa2227704\r\nDoc GlobeImposter Variant Associated Files:\r\nRead___ME.html\r\nDoc GlobeImposter Variant Network Connections:\r\nhttp://n224ezvhg4sgyamb.onion/sup.php\r\nDoc GlobeImposter Variant Email addresses:\r\nserver5@mailfence.com\r\nDoc GlobeImposter Variant Ransom Note:\r\nYour files are Encrypted!\r\nFor data recovery needs decryptor.\r\nIf you want to buy a decryptor click \"Buy Decryptor\"\r\nBuy Decryptor\r\nIf not working, click again.\r\nFree decryption as guarantee.\r\nBefore paying you can send us 1 file for free decryption.\r\nIf you can not contact, follow these two steps:\r\n1. Install the TOP Browser from this link: torproject.org\r\n2. 
Open this link in the TOP browser: http://n224ezvhg4sgyamb.onion/sup.php\r\nSource: https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/"
	],
	"report_names": [
		"new-doc-globeimposter-ransomware-variant-malspam-campaign-underway"
	],
	"threat_actors": [],
	"ts_created_at": 1775434469,
	"ts_updated_at": 1775791207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efc97d955fbda40e5dda790fdb7654c50fef50a6.pdf",
		"text": "https://archive.orkl.eu/efc97d955fbda40e5dda790fdb7654c50fef50a6.txt",
		"img": "https://archive.orkl.eu/efc97d955fbda40e5dda790fdb7654c50fef50a6.jpg"
	}
}