{
	"id": "a9c81d15-1934-433a-81db-4c33bea0599f",
	"created_at": "2026-04-06T01:32:22.588559Z",
	"updated_at": "2026-04-10T03:24:39.644741Z",
	"deleted_at": null,
	"sha1_hash": "f318c92759a9d1dba3646e044de01130e881b6eb",
	"title": "Geofenced NetWire Campaigns | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 912438,
	"plain_text": "Geofenced NetWire Campaigns | Proofpoint US\r\nBy Proofpoint Threat Research Team, December 02, 2020\r\nPublished: 2020-12-02 · Archived: 2026-04-06 00:46:00 UTC\r\nIn November 2019 Proofpoint researchers uncovered email campaigns distributing NetWire, a widely used\r\nRAT. The campaigns used Bulgarian language lures, narrow geo targeting, geofencing, and had low message volume. Since\r\nthen, Proofpoint has identified additional campaigns with matching attributes, including: Bulgarian language email\r\nlures, a NetWire payload, the Command and Control (C2) domain, malware config password, and the Microsoft Word\r\ndocument author \"vps\". NetWire has been a widely employed tool since inception in 2002, offering malware for multiple\r\noperating systems, including Windows, MacOS, and Linux. The RAT is sold in underground\r\nforums for between $40 and $140.\r\nTargeting and Email Lures\r\nIn October and early November 2020, Proofpoint researchers observed multiple low volume campaigns intended for fewer\r\nthan 10 companies in the Aerospace, Industrial, Manufacturing, Construction, Energy, Financial Transaction Services, and\r\nBusiness Services verticals. While the spread across sectors in these campaigns is diverse, all companies have business\r\noperations in Bulgaria. Some have a supplier relationship to larger energy projects and aerospace manufacturing\r\ninitiatives. The latest activity diverges in scope and scale from a previously observed NetWire campaign in June which\r\ndelivered approximately 500 messages to about 150 customers across 40 verticals. That campaign was written\r\nin Bulgarian and leveraged themes from the largest national bank, Bulbank.\r\nThe current campaigns are also localized, in Bulgarian, and claim to include financial information or a notification of\r\nan open enforcement case initiated against the recipient. Two email campaigns later in October impersonated the Sofia Court\r\nHouse based out of Bulgaria. 
In the latest November campaign, one of the aerospace technology organizations first targeted in October was targeted\r\nagain with a single phishing message that leveraged both spoofed infrastructure and a document file name referencing the Bulgarian\r\nnational Commission for Combating Corruption and Confiscation of Illegally Acquired Property (KPKONPI).\r\nBelow is an example of message characteristics observed in November 2019:\r\nFrom: \u003cbulgaria@caciaf[.]bg\u003e\r\nSubject: Деклариране на финансови активи (\"Declaration of financial assets\")\r\nAttachments: kpkonpi_dv86.doc\r\nhttps://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns\r\nPage 1 of 8\n\nFigure 1: Microsoft Word attachment with enable macros message\r\nBelow is an example of message characteristics observed in January 2020:\r\nFrom: Пътна полиция МВР \u003copp@mvr[.]bg\u003e (\"Road Police MBP opp@mvr[.]bg\")\r\nSubject: Призовка за явяване в КАТ (\"Summons to appear at the Traffic Police\")\r\nAttachments: prizovka_081419.doc\r\nBelow is an example of the email lure and message characteristics spotted in early October 2020:\r\nFrom: ЧСИ Галин Костов \u003ckostov@gkostov[.]com\u003e (\"Private Enforcement Agent Galin Kostov\")\r\nSubject: Уведомление за образувано дело (\"Notification of initiated case\")\r\nAttachments: Уведомление за образувано дело DELO20205593.doc (\"Notification of initiated case\r\nDELO20205593.doc\")\r\nFigure 2: Bulgarian language email lure\r\nMessage body, translated from Bulgarian:\r\nHello,\r\nWith the present and on the basis of Art. 458 of the Civil Procedure Code in connection with Art. 191, para 3 of TPSC, I would\r\nlike to inform you that an enforcement case has been initiated against you, pursuant to the Civil Procedure Code, in view of\r\nyour outstanding liabilities to Telecom Group AD. 
In the attached document, you can get acquainted with the writ of\r\nexecution issued by the Sofia City Court, as well as with the terms for enforcement, which will start running.\r\nWith respect,\r\nGalin Kostov\r\nPrivate bailiff reg. №854\r\nArea of operation\r\nSofia City Court\r\nTel. [redacted]\r\nFigure 3: Microsoft Word attachment with enable macros message\r\nBelow is an example of the email lure and message characteristics spotted a few days later in October 2020.\r\nFrom: ЧСИ Галин Костов \u003ckostov@gkostov[.]com\u003e (\"Private Enforcement Agent Galin Kostov\")\r\nSubject: Уведомление за образувано дело (\"Notification of initiated case\")\r\nAttachments: DELO20205593.doc\r\nFigure 4: Bulgarian language email lure\r\nMessage body, translated from Bulgarian: identical to the message body of the earlier October lure above.\r\nFigure 5: Microsoft Word attachment with enable macros message\r\nEach of the email lures observed contained Microsoft Word documents with macros. Additionally, the Microsoft Word\r\ndocuments included the same text box describing the Office document as protected, along with instructions on how to enable\r\nediting and enable content for viewing.
\r\nInstallation and Payload\r\nAnalysis of the Microsoft Word attachments shows that the macros, if enabled, conditionally load NetWire. Geofencing, or\r\nrestricting access to content based on the user’s location, was observed in these campaigns. Specifically, the execution and\r\ndownload of NetWire occur only if the user’s IP address is located in Bulgaria; otherwise, a 403 error is returned.\r\nInterestingly, the Microsoft Word documents shared the same “author” and “last saved by” value, which was “vps”.\r\nWhen the attachment is opened and macros are enabled, the VBA macro within the Microsoft Word attachment executes the\r\nbuilt-in Microsoft tool certutil to download the NetWire payload. The Microsoft tool certutil can be used with\r\nthe urlcache and split flags to download and save a file to a specified directory.\r\nSample certutil downloading commands:\r\nMalware Configuration and Persistence\r\nNetWire is a multi-platform remote access tool (RAT) developed by World Wired Labs since 2012. NetWire gives threat\r\nactors several features, including:\r\nFile Manager (download, upload, and search for files)\r\nSystem Manager (process and application manager)\r\nPassword recovery (Firefox, IE, Chrome, Opera, Netscape, Seamonkey, Pidgin, Windows Live, Mozilla Thunderbird,\r\nMicrosoft Outlook)\r\nKeylogger\r\nScreen Capture (takes a JPEG image on demand or at specified intervals)\r\nRemote Shell (cmd.exe or /bin/sh)\r\nReverse Proxy (hybrid SOCKS4/5 server that works with NAT)\r\nProxifier\r\nHTTP Downloader (supports custom save location and name)\r\nThe NetWire payloads in all observed campaigns included nearly identical configurations. Specifically, the C2 domain\r\nclients[.]enigmasolutions[.]xyz and the password were the same.
\r\nExample configuration listed below:\r\nC2List: clients[.]enigmasolutions[.]xyz:54578;\r\nRC4_Key: c476b8e7afc13f4444cc71011019f21a\r\nHostID: Cleint-SYeym4\r\nPassword: [redacted]\r\nStartupKey: ruj\r\nKeylogPath: C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\msr\\\r\nLocalPath: %AppData%\\Microsoft\\MMC\\ruj.exe\r\nProxyType: None\r\nConnectInterval: 30\r\nCopyToLocalPath: Yes\r\nDeleteOriginalFile: No\r\nLockExecutable: No\r\nAllowMultipleInstances: No\r\nOfflineKeyloger: Yes\r\nThe malware establishes persistence by adding an entry to the registry. For example, the NetWire value \"ruj\" under the\r\nMicrosoft Run registry key points to the NetWire payload in the AppData directory.\r\nKey: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ruj\r\nData: C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Microsoft\\MMC\\ruj.exe\r\nConclusion\r\nOn balance, the fall campaigns diverged from Bulgarian themed NetWire campaigns in the early summer in scope and\r\nscale. About half of the current recipients converged with and were included in the broader distribution observed earlier this\r\nsummer. These campaigns distributed NetWire variants which used Bulgarian email lures, leveraged geofencing, and\r\ndownloaded EXEs through certutil. The low volume and tailored email lures suggest the actor put in effort to evade\r\ndetection. The NetWire malware has been around since at least 2002 and has been consistently in use by various actors\r\nacross the threat landscape. This analysis shows groupings of similar campaigns distributing NetWire based on message\r\nattributes, email lures and language, Office document metadata, VBA Macro code, and malware configuration.
\r\nIndicators of Compromise (IOCs)\r\nEmerging Threats and Emerging Threats PRO Signatures\r\n2829988 - ETPRO POLICY Observed MS Certutil User-Agent in HTTP Request\r\n2830425 - ETPRO CURRENT_EVENTS Likely Evil Certutil Retrieving EXE
\r\n2831237 - ETPRO TROJAN Netwire RAT Keep-Alive (Outbound)\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns"
	],
	"report_names": [
		"geofenced-netwire-campaigns"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439142,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f318c92759a9d1dba3646e044de01130e881b6eb.pdf",
		"text": "https://archive.orkl.eu/f318c92759a9d1dba3646e044de01130e881b6eb.txt",
		"img": "https://archive.orkl.eu/f318c92759a9d1dba3646e044de01130e881b6eb.jpg"
	}
}