“Love You” Email Malspam Campaign

An Incident Storm Center (ISC) Handler published an in-depth analysis of a malspam email campaign that he encountered. The emails had subject lines about love letters and had a zip attachment with a name starting with “Love_You_”. The zip file, when uncompressed, contained a JavaScript file that, upon execution, performed several HTTP requests to download additional malicious executables.

These executables were a Monero cryptocurrency miner, Phorpiex spambot malware, and GandCrab ransomware. The Phorpiex spambot malware caused the victim host to be joined to a botnet and begin emailing out copies of the malicious zip file to additional targets. Meanwhile, the victim host was infected with ransomware and leveraged to mine cryptocurrency.
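A mail-gateway style check for the attachment described above, as an added example that is not from the ISC analysis or the original post: it flags zip attachments that contain a script file and records whether the attachment name starts with "Love_You_". The extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumption: extensions that Windows Script Host runs on double-click.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
NAME_PREFIX = "love_you_"  # attachment name prefix described for this campaign


def scan_message(raw: bytes) -> list:
    """Return one finding per zip attachment that is unreadable or holds a script."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name or not name.lower().endswith(".zip"):
            continue
        finding = {"attachment": name, "scripts": [], "unreadable": False,
                   "campaign_name": name.lower().startswith(NAME_PREFIX)}
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                finding["scripts"] = [m for m in zf.namelist()
                                      if m.lower().endswith(SCRIPT_EXTS)]
        except zipfile.BadZipFile:
            finding["unreadable"] = True  # not a valid zip despite the name
        if finding["scripts"] or finding["unreadable"]:
            findings.append(finding)
    return findings


def build_sample(attachment: str, member: str) -> bytes:
    """Constructed message: a zip attachment with one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// constructed placeholder\n")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "sample", "a@example.com", "b@example.com"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample("Love_You_0001.zip", "Love_You_0001.js")):
        print(f)
```

A script inside a zip is worth quarantining regardless of the attachment name, so the name prefix is reported as a separate field rather than used as the trigger.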

Indicators of Compromise





Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
