{"id":78198,"date":"2025-07-02T14:13:25","date_gmt":"2025-07-02T11:13:25","guid":{"rendered":"https:\/\/gulftech-news.com\/en\/?p=78198"},"modified":"2025-07-02T14:13:26","modified_gmt":"2025-07-02T11:13:26","slug":"the-domain-of-deception-attackers-deploy-spyware-under-the-guise-of-legal-threats","status":"publish","type":"post","link":"https:\/\/gulftech-news.com\/en\/2025\/07\/02\/the-domain-of-deception-attackers-deploy-spyware-under-the-guise-of-legal-threats\/","title":{"rendered":"The domain of deception: Attackers deploy spyware under the guise of legal threats"},"content":{"rendered":"\n

Kaspersky has detected a rapidly escalating malicious campaign that has targeted over 1,100 corporate users since June 2025. The attackers pose as a legal firm and in their emails threaten recipients with lawsuits over alleged domain name patent violations, aiming to deploy malware. <\/a><\/p>\n\n\n\n

Victims who opened and launched the attached files \u2013 that mimicked legal documents \u2013 had a Trojan installed on their devices, and the attackers could spy on the content of their screens. Organizations across healthcare, finance, and education sectors have been targeted.<\/a><\/p>\n\n\n\n

The campaign began with 95 emails on June 11 and has since continued to escalate. Apart from claiming that the recipient\u2019s domain name violates patented combinations of a major brand and threatening litigation, in the email the fake legal bureau also expresses the patent holders\u2019 interest in acquiring the domain and offers getting acquainted with the details of the alleged violations by opening the attached archive with \u201cdocuments\u201d. <\/a><\/p>\n\n\n\n

It is worth noting that the attackers, likely to avoid detection, attach an archive that is not password protected, and inside it includes another archive that is<\/em> password protected and a file containing the password along with it.<\/a><\/p>\n\n\n\n

After the user entered the archive password and clicked on the alleged legal document inside, a Trojan was installed on the device. The user saw a message displayed that read, \u201cThis document cannot be opened on this device. <\/p>\n\n\n\n

Try opening it on another windows device,\u201d and simultaneously the Tor Browser was covertly downloaded and installed in the background. Through it, the malware regularly sent snapshots of the user\u2019s screen to the attackers over the Tor network. The malware also autostarts whenever the computer is restarted.<\/p>\n\n\n\n

\u201cThis campaign is a sophisticated blend of psychological manipulation and technical deception, leveraging fear of legal action to coerce businesses into executing harmful files hidd\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 en in attached archives. <\/p>\n\n\n\n

Its rapid growth since June 11 underscores the urgency for organizations to bolster defenses. Victims face the risk of losing their private data. Robust email security, employee training, and swift incident reporting are essential to counter this evolving threat,\u201d comments Anna Lazaricheva, spam analyst at Kaspersky.<\/p>\n\n\n\n

Kaspersky recommends corporate and individual users:<\/p>\n\n\n\n