- Fake Boots emails reached 8.9 million addresses in massive phishing campaign
- Hackers used a government website to host their fraudulent Boots payment page
- Romanian attackers turned a compromised corporate server into an email delivery platform
Millions of UK shoppers have been exposed to a fake Boots promotion after hackers sent emails offering a pack of free beauty samples via a massive phishing campaign.
The operation used a fake customer survey to collect personal information and then steered victims into a fraudulent payment step that asked for their payment details.
Huntress researchers say the campaign involved 8,894,920 email addresses and infrastructure connected to Romanian-speaking threat actors.
A fake Boots offer backed by a vast phishing operation
The emails appeared to be from Boots and encouraged recipients to complete a short survey in exchange for a beauty sample package and promotional benefits.
The campaign relied on familiar branding to make the message appear legitimate while directing users to a cloned website designed for information gathering.
The fake page asked for details including names, email addresses, dates of birth, phone numbers and home addresses before accessing payment information.
Huntress discovered that the phishing content was hosted on a compromised Bolivian government website owned by IPELC, rather than on a domain controlled by an attacker.
The attackers placed the phishing kit in a hidden directory on the legitimate government domain in order to benefit from that domain's existing reputation with email and web filters.
The email campaign was sent using Gammadyne Mailer, a legitimate email application that the attackers installed on a compromised UK business terminal server.
The server was not used to deploy ransomware or steal files from this company, but rather served as a platform for sending fraudulent messages.
The attackers loaded six recipient lists named milk (1) through milk (6), containing almost 8.9 million email addresses prepared for the campaign.
Huntress retrieved a project file named dracii.mmp, which contained details about email delivery settings, phishing links, and campaign configuration.
Compromised systems helped transmit the false messages
Investigators discovered that the attackers accessed the British company’s server through an exposed remote access system using stolen credentials before launching the phishing operation.
The compromised server let them send messages directly from the organization's own Internet connection, so it was the victim company's IP address, rather than the attackers' own infrastructure, that would end up on blocklists.
The email software had been configured for direct delivery to recipients' MX servers, using 666 simultaneous threads with no throttling applied, to maximize sending speed.
Huntress isolated the 25 endpoints in the business's environment and blocked 29,954 outbound SMTP connections over a period of 104 seconds.
Huntress also contacted Bolivia's national CSIRT after discovering that the government website had been compromised and used to host the phishing material.
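The direct-to-MX, unthrottled sending described above has a distinctive network signature: one internal host that is not a mail gateway suddenly opens TCP/25 connections to many distinct external addresses within seconds. The script below is an added example, not Huntress's tooling or anything from the Gammadyne product, showing how to flag that pattern in outbound connection records. The log line format, the sliding-window thresholds, the allowlisted relay address and the sample records are all assumptions.

```python
"""Detect a host that has started direct-to-MX mass mailing.

Added example, not Huntress's or Gammadyne's code. An unthrottled mailer
delivering straight to recipients' MX servers shows up at the network
edge as one internal host opening TCP/25 connections to many distinct
external addresses in a short window. This script scans outbound
connection records for that pattern. The record format, the thresholds,
the allowlisted relay and the sample records are all assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed record format: "<ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port>"
KNOWN_RELAYS = {"10.0.0.2"}      # assumed legitimate mail gateway, expected to reach many MX hosts
WINDOW_SECONDS = 60              # sliding window length
DISTINCT_DST_THRESHOLD = 20      # distinct SMTP destinations in one window before alerting


def parse_record(line):
    """Parse one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_mass_mailers(log_text, window=WINDOW_SECONDS,
                      threshold=DISTINCT_DST_THRESHOLD, relays=KNOWN_RELAYS):
    """Return {src_ip: (window_start, first_alert_time, distinct_dsts)}.

    Only TCP/25 connections count and allowlisted relays are ignored. Records
    are sorted by timestamp first so out-of-order log lines are handled.
    """
    records = sorted(parse_record(l) for l in log_text.strip().splitlines())
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, dst_ip) inside the window
    alerts = {}
    for ts, src, dst, port in records:
        if port != 25 or src in relays:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop connections that have aged out of the sliding window.
        while (ts - q[0][0]) > timedelta(seconds=window):
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], ts, len(distinct))
    return alerts


def build_sample_log():
    """Constructed sample records (not real traffic)."""
    base = datetime(2025, 7, 1, 10, 0, 0)
    lines = []
    # Allowlisted relay talking to many MX hosts: normal for a mail gateway.
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.2 198.51.100.{i + 1} 25")
    # Workstation: HTTPS traffic plus one submission to the internal relay.
    lines.append(f"{(base + timedelta(seconds=3)).isoformat()} 10.0.0.7 192.0.2.50 443")
    lines.append(f"{(base + timedelta(seconds=4)).isoformat()} 10.0.0.7 10.0.0.2 25")
    # Terminal server suddenly fanning out to 40 distinct external MX hosts.
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=20 + i)).isoformat()} 10.0.0.5 203.0.113.{i + 1} 25")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, (start, when, n) in find_mass_mailers(build_sample_log()).items():
        print(f"ALERT {src}: {n} distinct SMTP destinations between {start} and {when}")
```

Counting distinct destinations rather than raw connection volume is deliberate: a workstation retrying one failed submission to the relay generates many connections to a single address, while a mailer delivering to millions of recipients necessarily touches many MX hosts. In practice the allowlist should be the organization's actual mail gateways, and the alert can feed a firewall rule that blocks outbound TCP/25 from the flagged host while it is triaged.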
The recovered files suggest that the Boots campaign was part of a wider operation involving other UK-focused themes, including messaging related to tax and cryptocurrencies.
The same toolkit appears to have been reused on multiple compromised systems since July 2025.