The domain of deception: Attackers deploy spyware under the guise of legal threats

Kaspersky has detected a rapidly escalating malicious campaign that has targeted over 1,100 corporate users since June 2025. The attackers pose as a legal firm and in their emails threaten recipients with lawsuits over alleged domain name patent violations, aiming to deploy malware.

Victims who opened and launched the attached files – that mimicked legal documents – had a Trojan installed on their devices, and the attackers could spy on the content of their screens. Organizations across healthcare, finance, and education sectors have been targeted.

The campaign began with 95 emails on June 11 and has since continued to escalate. Apart from claiming that the recipient’s domain name violates patented combinations of a major brand and threatening litigation, in the email the fake legal bureau also expresses the patent holders’ interest in acquiring the domain and offers getting acquainted with the details of the alleged violations by opening the attached archive with “documents”.

It is worth noting that the attackers, likely to avoid detection, attach an archive that is not password protected, and inside it includes another archive that is password protected and a file containing the password along with it.

After the user entered the archive password and clicked on the alleged legal document inside, a Trojan was installed on the device. The user saw a message displayed that read, “This document cannot be opened on this device.

Try opening it on another windows device,” and simultaneously the Tor Browser was covertly downloaded and installed in the background. Through it, the malware regularly sent snapshots of the user’s screen to the attackers over the Tor network. The malware also autostarts whenever the computer is restarted.

“This campaign is a sophisticated blend of psychological manipulation and technical deception, leveraging fear of legal action to coerce businesses into executing harmful files hidd       en in attached archives.

Its rapid growth since June 11 underscores the urgency for organizations to bolster defenses. Victims face the risk of losing their private data. Robust email security, employee training, and swift incident reporting are essential to counter this evolving threat,” comments Anna Lazaricheva, spam analyst at Kaspersky.

Kaspersky recommends corporate and individual users:

• Be careful when interacting with attachments. Do not open any attached archives (including those that are password-protected) that look suspicious. Do not run executable files, as they may deploy malware.
• Try to verify sender authenticity, confirm the legitimacy of any legal claims or entities mentioned in unsolicited emails.
• Implement endpoint protection to detect and block attack attempts.
• Educate staff on recognizing attack tactics.
• Immediately notify IT or cybersecurity teams if any files that have been attached to suspected phishing emails have been opened.