{
  "name": "The Devil, Eight Million Emails, and a Whole Lot of Milk | Phishing Stager Exposed",
  "slug": "the-devil-eight-million-emails-and-a-whole-lot-of-milk-phishing-stager-exposed",
  "description": "On May 15, 2026, Huntress agents detected an intrusion where threat actors compromised a terminal server to stage a massive phishing campaign rather than deploy ransomware. The attacker used legitimate bulk email software (Gammadyne Mailer) with a project file named 'dracii' (Romanian for 'the devils') and six recipient lists containing 8,894,920 email addresses. Operating from Romanian IP addresses, the actor impersonated UK pharmacy chain Boots through a fake customer satisfaction survey designed to harvest personal and payment card data. The phishing kit was hosted on a compromised Bolivian government website (ipelc.gob.bo), which Huntress reported to Bolivia's national CSIRT. The campaign used direct-to-MX delivery to bypass mail relays, with the mailer configured to send from 666 threads simultaneously. Evidence suggests this Romanian operator has been running multiple UK-targeting campaigns since at least July 2025, rotating between retail, tax, and cryptocurrency themes.",
  "published": "2026-06-15T14:53:04.295000+00:00",
  "created_at": "2026-06-15T17:15:55.712000+00:00",
  "modified_at": "2026-06-15T15:15:55+00:00",
  "created_at_opencti": "2026-06-15T17:15:55.712000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "bulk email abuse",
    "compromised government website",
    "credential theft",
    "payment card harvesting",
    "phishing campaign",
    "rdweb portal",
    "romanian threat actor",
    "terminal server compromise"
  ],
  "tags": [
    "2026-06-15",
    "bulk email abuse",
    "compromised government website",
    "credential-theft",
    "payment card harvesting",
    "phishing campaign",
    "rdweb portal",
    "romanian threat actor",
    "terminal server compromise"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "9ff272b7-030e-4b67-bfe4-b655040a98f6",
        "name": "80.94.95.37"
      },
      {
        "id": "983e04e3-6be6-4b6a-811c-eb7f468a168b",
        "name": "7fda5f10a2bc212daaa467484c56eb8abf3f3681f6405c5c2fac16d4124e44ca"
      },
      {
        "id": "4dbf27cd-48d3-4930-9083-d998a7742aef",
        "name": "5d2ad1795b0dfc4a58424b2fa2f002246f653b119d362954ae270b6998e9d575"
      },
      {
        "id": "c61717fa-f5c0-443c-9512-5d9e31861afd",
        "name": "6c428acbd91be85fedf9cbb334457ddea08ff624d4de88041749578e968d62a8"
      },
      {
        "id": "3da35c6f-c944-48ce-b143-50828c1e6a2d",
        "name": "212.93.152.37"
      },
      {
        "id": "b4c13a5e-dbe4-4ce3-a2a3-2e42e4182c71",
        "name": "375c2c84e2ca022c565507523b75c9c08a455479861ea41fc9b9ff74b3453445"
      },
      {
        "id": "86cadd6e-7fc9-4625-a5cc-8c49ab02737a",
        "name": "216.152.151.168"
      },
      {
        "id": "46b67947-b5c9-4964-b819-32b86509c41f",
        "name": "c5ec55270af084d3c07d2918098d598bc2c5ca42f4189d69cdfcae2c958e5ec7"
      },
      {
        "id": "42440d96-08a6-4e8d-8417-6edaec91d51e",
        "name": "http://ipelc.gob.bo/boots_store/"
      },
      {
        "id": "027fafb5-0071-41a8-947d-26524214dd79",
        "name": "13ac78f8f2ed76a03c85f0cdef07e5463aa64458303c0949090fcd81868ba8ca"
      },
      {
        "id": "be7d1db7-663b-4293-9f6d-0ac34f6cfb19",
        "name": "87.251.64.134"
      },
      {
        "id": "c24afb66-6de9-46e7-b86f-314198964e5f",
        "name": "95fc58dc321b07ecc99d95359bcdee08a5beb519ead8e70e40f33928533a1b14"
      },
      {
        "id": "0f85f595-0c60-4b1b-bf8a-e6c10776edcf",
        "name": "boots-rewards-uk.xyz"
      },
      {
        "id": "def40849-1e8c-4ddd-a212-b95fe9cccd89",
        "name": "https://ipelc.gob.bo/boots_store/"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e",
        "name": "T1185"
      },
      {
        "id": "7ec3a60f-8eaa-4766-ab47-1a220616a29c",
        "name": "T1584.004"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "415f839d-5ae7-41fb-92c3-090f3226055d",
        "name": "T1586.002"
      },
      {
        "id": "c10eac8a-a5d7-465a-b557-8a1f7fc6ef99",
        "name": "T1598.003"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "385899dc-961e-47ac-afdd-cced19228f7f",
        "name": "T1535"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "fe6f2946-a01e-460c-9636-8c48b45dd0e6",
        "name": "T1189"
      },
      {
        "id": "e948db36-930d-4013-99ed-fdf14b65907e",
        "name": "T1589.002"
      },
      {
        "id": "5e6e1a36-257a-44cf-91f7-e35961f1e12a",
        "name": "T1071.003"
      }
    ],
    "observables": [
      {
        "id": "d9cc56d8-6012-49fa-8ff6-eaa988784b42",
        "name": "boots-rewards-uk.xyz"
      },
      {
        "id": "794d1d17-c194-448d-95af-7b111176aec4",
        "name": "87.251.64.134"
      },
      {
        "id": "7b9ad3a6-5e84-4ed5-84d8-10bda8fa522d",
        "name": "80.94.95.37"
      },
      {
        "id": "ced12850-c249-4362-a059-8866f86a5b8f",
        "name": "216.152.151.168"
      },
      {
        "id": "b5f921e6-d00f-400b-9dc1-b4a66500219b",
        "name": "212.93.152.37"
      },
      {
        "id": "e9ace068-8afb-4db5-b334-2900056ab1f3",
        "name": "http://ipelc.gob.bo/boots_store/"
      },
      {
        "id": "89fca9ca-6f66-4f59-85c1-a6ae408c477e",
        "name": "https://ipelc.gob.bo/boots_store/"
      },
      {
        "id": "",
        "name": "7fda5f10a2bc212daaa467484c56eb8abf3f3681f6405c5c2fac16d4124e44ca"
      },
      {
        "id": "",
        "name": "5d2ad1795b0dfc4a58424b2fa2f002246f653b119d362954ae270b6998e9d575"
      },
      {
        "id": "",
        "name": "6c428acbd91be85fedf9cbb334457ddea08ff624d4de88041749578e968d62a8"
      },
      {
        "id": "",
        "name": "375c2c84e2ca022c565507523b75c9c08a455479861ea41fc9b9ff74b3453445"
      },
      {
        "id": "",
        "name": "c5ec55270af084d3c07d2918098d598bc2c5ca42f4189d69cdfcae2c958e5ec7"
      },
      {
        "id": "",
        "name": "13ac78f8f2ed76a03c85f0cdef07e5463aa64458303c0949090fcd81868ba8ca"
      },
      {
        "id": "",
        "name": "95fc58dc321b07ecc99d95359bcdee08a5beb519ead8e70e40f33928533a1b14"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United Kingdom of Great Britain and Northern Ireland"
      },
      {
        "id": "",
        "name": "Bolivia, Plurinational State of"
      },
      {
        "id": "",
        "name": "Retail"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "boots-rewards-uk.xyz"
      }
    ]
  },
  "external_refs": [
    {
      "id": "2f4a0eb5-f086-46ef-adfb-db1f23007116",
      "standard_id": "external-reference--5ae39d96-d1b3-5f97-99f3-1bdd6be1b31b",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.huntress.com/blog/terminal-server-phishing-stager-exposed",
      "hash": null,
      "external_id": null,
      "created": "2026-06-15T17:15:55.642Z",
      "modified": "2026-06-15T17:15:55.642Z",
      "createdById": null
    },
    {
      "id": "d49970c6-7d4a-4c32-9b59-155e213c8584",
      "standard_id": "external-reference--9ad52f2c-2989-54a3-9e13-39554c655143",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a3011d0c31292cdb59fd70b",
      "hash": null,
      "external_id": "6a3011d0c31292cdb59fd70b",
      "created": "2026-06-15T17:15:55.612Z",
      "modified": "2026-06-15T17:15:55.612Z",
      "createdById": null
    }
  ]
}