Email Scam Delivers Malicious Software to Infect Users in Pakistan

June 21, 2024NewsroomPhishing Attack / Email Security

A new phishing attack campaign targeting individuals in Pakistan using a customized backdoor has been uncovered by cybersecurity experts.

The campaign, which Securonix tracks as PHANTOM#SPIKE, is attributed to unidentified threat actors who used military-themed phishing documents to trigger the infection process.

According to a report shared with The Hacker News by researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov, “ZIP files with a password-protected payload archive contained within” were utilized by the attackers to spread malware.

The attack stands out for its simplicity in tactics and the use of basic payloads to establish remote access to targeted systems.


The phishing emails contain a ZIP file that claims to contain minutes of a meeting related to the International Military-Technical Forum Army 2024, an official event hosted by the Ministry of Defense of the Russian Federation. The event is scheduled to take place in Moscow in mid-August 2024.

Inside the ZIP file is a Microsoft Compiled HTML Help (CHM) file along with a hidden executable (“RuntimeIndexer.exe”). The CHM file, upon opening, shows the meeting minutes and a few images but secretly launches the bundled binary when the user interacts with the document.

The executable operates as a backdoor to establish connections with a remote server through TCP to receive commands that are then executed on the compromised machine.

PHANTOM#SPIKE Malware

Aside from collecting system information, it executes commands through cmd.exe, retrieves the operation’s output, and sends it back to the server. This includes running commands like systeminfo, tasklist, curl for extracting the public IP address from ip-api[.]com, and schtasks for establishing persistence.
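The process chain described above lends itself to a simple endpoint detection check. The following Python is an added illustration, not code from the Securonix report: it walks constructed process-creation events and flags any executable launched by the Windows HTML Help viewer (hh.exe, assumed here to be the process that opens the CHM; the report does not name it) whose cmd.exe children run the systeminfo, tasklist, curl-to-ip-api or schtasks commands the report lists. All PIDs, paths and command lines in the sample events are constructed.

```python
from collections import defaultdict

# Constructed process-creation events (not real telemetry): a CHM opened with
# hh.exe leads to a hidden executable, which shells out through cmd.exe.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\hh.exe",
     "cmdline": r"hh.exe C:\Users\u\Downloads\army2024\minutes.chm"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\army2024\RuntimeIndexer.exe",
     "cmdline": "RuntimeIndexer.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c systeminfo"},
    {"pid": 301, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c curl ip-api.com"},
    {"pid": 302, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c schtasks /create /sc minute /tn Updater /tr RuntimeIndexer.exe"},
    # Benign noise: the desktop shell launching an editor must not be flagged.
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 401, "ppid": 400, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Command fragments the report attributes to the backdoor's cmd.exe activity.
RECON_MARKERS = ("systeminfo", "tasklist", "ip-api.com", "schtasks")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_chm_spawned_backdoors(events):
    """Flag every process whose parent is hh.exe and record which of the
    report's recon/persistence commands its cmd.exe children executed."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != "hh.exe":
            continue  # only children of the HTML Help viewer are of interest
        hits = set()
        for child in children[e["pid"]]:
            if basename(child["image"]) == "cmd.exe":
                cmd = child["cmdline"].lower()
                hits.update(m for m in RECON_MARKERS if m in cmd)
        # A bare hh.exe child is already unusual; the markers raise confidence.
        findings.append({"image": e["image"], "markers": sorted(hits),
                         "score": len(hits)})
    return findings
```

On the constructed sample, only RuntimeIndexer.exe is reported, with three of the four markers matched; a real deployment would feed Sysmon or EDR process-creation events in place of SAMPLE_EVENTS.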

The researchers noted, “This backdoor operates as a remote access trojan (RAT) with command line capabilities, enabling the attacker to maintain persistent, discreet, and secured access to the compromised system.”

“The remote execution of commands and transmission of results to the C2 server empowers the attacker to manipulate the infected system, pilfer sensitive data, or deploy additional malicious payloads,” they mentioned.
