- Fake Boots Emails Reached 8.9 Million Addresses Through Massive Phishing Campaign
- Hackers used a government website to host their fraudulent Boots payment page
- Romanian attackers turned a compromised enterprise server into an email distribution platform
Millions of UK shoppers were exposed to a fake Boots promotion after hackers sent emails offering a free beauty sample pack through a major phishing campaign.
The operation used a fake customer survey to collect personal data while directing victims into a fraudulent payment process requesting confidential information.
Huntress researchers claim that the campaign involved 8,894,920 email addresses and infrastructure connected to Romanian-speaking threat actors.
Fake Boots deal backed by huge phishing operation
The emails appeared to come from Boots and encouraged recipients to complete a short survey in exchange for a beauty sample pack and promotional benefits.
The campaign relied on a familiar brand to make the message appear legitimate while directing users to a cloned website designed to collect information.
The fake page requested details including names, email addresses, dates of birth, phone numbers and home addresses, before reaching payment information.
Huntress discovered that the phishing content was hosted on a compromised Bolivian government website belonging to IPELC, rather than on a domain controlled by the attacker.
The attackers placed the phishing kit inside a hidden directory on the legitimate government domain so that it would benefit from the domain's existing reputation.
The email campaign was sent using Gammadyne Mailer, a legitimate mass mailing application that the attackers installed on a compromised enterprise terminal server in the United Kingdom.
The server was not used to deploy ransomware or steal files from that company, but instead acted as a platform to send fraudulent messages.
The attackers uploaded six recipient lists named milk (1) to milk (6), containing nearly 8.9 million email addresses primed for the campaign.
Huntress recovered a project file called dracii.mmp, which contained details about email delivery settings, phishing links, and campaign settings.
Compromised systems helped send fake messages
Researchers discovered that the attackers accessed the UK enterprise server through an exposed remote access system using stolen credentials before carrying out the phishing operation.
The compromised server then allowed them to send messages directly from the organization’s Internet connection, keeping their own infrastructure hidden from block lists.
The mailer was configured for direct delivery to recipients' MX servers, using 666 concurrent threads with no throttling applied, to maximize delivery speed.
Huntress subsequently isolated all 25 endpoints connected to the enterprise environment and blocked 29,954 outgoing SMTP connections over a period of 104 seconds.
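The behaviour described above, a host that is not a mail gateway opening many outbound SMTP connections to many distinct destinations in a short window, is detectable from ordinary egress firewall or flow logs. The following Python script is an added example, not Huntress's tooling or code from the article: the log format, the IP addresses, the relay allow-list and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log lines (hypothetical format:
# ISO timestamp, source IP, destination IP, destination port, action).
# 10.0.5.21 behaves like the compromised terminal server in the article:
# many connections to many distinct MX hosts within a few seconds.
# 10.0.1.9 is the organisation's legitimate mail gateway (assumed).
# 10.0.5.30 is an ordinary workstation making a single connection.
SAMPLE_LOG = """\
2025-07-10T09:00:00 10.0.5.21 203.0.113.10 25 allow
2025-07-10T09:00:00 10.0.5.21 203.0.113.11 25 allow
2025-07-10T09:00:01 10.0.5.21 198.51.100.7 25 allow
2025-07-10T09:00:01 10.0.5.21 198.51.100.8 25 allow
2025-07-10T09:00:02 10.0.5.21 192.0.2.44 25 allow
2025-07-10T09:00:02 10.0.5.21 192.0.2.45 25 allow
2025-07-10T09:00:03 10.0.5.21 203.0.113.12 25 allow
2025-07-10T09:00:03 10.0.5.21 203.0.113.13 25 allow
2025-07-10T09:00:05 10.0.5.21 10.0.1.5 443 allow
2025-07-10T09:00:04 10.0.1.9 203.0.113.99 25 allow
2025-07-10T09:00:10 10.0.1.9 203.0.113.99 25 allow
2025-07-10T09:00:20 10.0.1.9 203.0.113.99 25 allow
2025-07-10T09:01:00 10.0.5.30 203.0.113.10 25 allow
"""

# Assumed allow-list: hosts that are expected to speak SMTP outbound.
KNOWN_MAIL_RELAYS = frozenset({"10.0.1.9"})


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def smtp_events_by_source(log_text, smtp_ports=(25, 465, 587)):
    """Collect permitted outbound SMTP connections, grouped by source host."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts, src, dst, dport, action = parse_line(raw)
        if dport in smtp_ports and action == "allow":
            events[src].append((ts, dst))
    return events


def find_direct_to_mx_senders(log_text, window_seconds=60, min_connections=5,
                              min_distinct_dsts=4, allowed_senders=frozenset()):
    """Flag non-relay hosts whose densest window of SMTP activity exceeds
    both a connection-count and a distinct-destination threshold.

    Relaying through a smarthost produces many connections to one
    destination; direct-to-MX bulk mailing fans out to many MX hosts,
    which is why both thresholds must be met.
    """
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for src, evs in smtp_events_by_source(log_text).items():
        if src in allowed_senders:
            continue
        evs.sort()  # sort by timestamp so a sliding window can be applied
        start = 0
        best = (0, 0)  # (connections, distinct destinations) in the densest window
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            count = len(in_window)
            distinct = len({dst for _, dst in in_window})
            if (count, distinct) > best:
                best = (count, distinct)
        if best[0] >= min_connections and best[1] >= min_distinct_dsts:
            alerts[src] = {"connections": best[0],
                           "distinct_destinations": best[1],
                           "window_seconds": window_seconds}
    return alerts


if __name__ == "__main__":
    for host, detail in find_direct_to_mx_senders(
            SAMPLE_LOG, allowed_senders=KNOWN_MAIL_RELAYS).items():
        print(f"suspected direct-to-MX bulk sender: {host} {detail}")
```

On the constructed log only 10.0.5.21 is reported: the gateway is allow-listed, and the workstation's single connection stays under the thresholds. In production the same logic belongs on egress firewall or NetFlow data with the thresholds tuned to the environment, and a positive hit is a candidate for host isolation and an outbound port 25 block, which is the response the article describes.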
The company also contacted Bolivia’s national CSIRT after discovering that the government website had been compromised and used to host the phishing material.
The recovered files suggested that the Boots campaign was part of a wider operation using other UK-focused lures, including messages related to taxes and cryptocurrencies.
The same toolset appeared to have been reused on multiple compromised systems since July 2025.