A phishing campaign, ongoing for more than a year, has targeted German companies in the automotive industry. The attackers are trying to infect the systems of targeted users with password-stealing malware.

A year-long campaign

Researchers from Check Point spotted the campaign and provided a technical report with details of their findings. The phishing campaign started around July 2021 and is still active.
  • The targets of the campaign include car manufacturers and dealers in Germany.
  • The attackers registered various lookalike domains (called domain squatting) to use in their operation by cloning genuine sites of multiple organizations.
  • The fake sites are used to spread phishing emails written in German and host malicious payloads. The goals of the campaign seem to be industrial espionage or BE) attacks.
  • Several MaaS info-stealers have been used in this campaign, including AZORult, BitRAT, and Raccoon Stealer. All three malware are available for purchase in darknet forums and cybercrime markets.

More information

  • These attacks are traced back to 14 targeted entities, all German organizations that had some connection to the auto-making industry. However, no specific name of any company is mentioned.
  • The information-stealing payloads are hosted on a site ("bornagroup[.]ir"), registered by an Iranian individual.
  • There is a high chance that Iranian threat actors are orchestrating the campaign, however, there is not enough evidence according to researchers.

Infection process

The infection starts with an email sent to certain targets, including an ISO disk image file that evades most internet security controls.
  • As found in the samples, a phishing email pretended to contain an automobile transfer receipt sent to a targeted car dealer.
  • This archive has an ‘.HTA’ file that includes JavaScript or VBScript code execution using HTML smuggling.
  • While the victim sees a decoy document, malicious code is running in the background to get malware payloads and execute them.


The attackers are reportedly using a vast infrastructure to impersonate existing German auto firms. The industry is suggested to stay vigilant against this ongoing campaign. To remain protected, organizations are recommended to use a strong password, deploy anti-phishing solutions, and provide training to employees on phishing threats.
Cyware Publisher