Outbreak: Post Express Service malware attack spammed out

Graham Cluley

Be on your guard against the latest “undelivered package” malware attack that cybercriminals are spamming out right now.

Regular readers of Naked Security will be all too familiar with emails claiming to come from the likes of FedEx, UPS and DHL which pretend to be about a parcel that wasn’t delivered properly (and all you have to do is click on the attachment to “learn more”, or rather, to become infected).

Now we’re seeing malicious emails which pretend to come from “Post Express Service”. Here’s a typical example:

Subject: Post Express Service. Get the parcel NR<random number>

Message body:
Dear client.

Your package has been returned to the Post Express office.
The reason of the return is "Error in the delivery address"

Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.

Thank you.
Post Express Support

Attached file: Post_Express_Label_<random number>.zip

Other subject lines used in the attack include:

Post Express Service. Number of your parcel <random number>
Post Express Service. Package is available for pickup! NR<random number>
Post Express Service. Delivery refuse! NR<random number>

Hopefully you and the users inside your company won’t be so excited about the thought of an unexpected parcel that they open the attached file, as doing so will infect your Windows computer with malware.

Sophos detects the ZIP file as Troj/BredoZp-BT and the enclosed malware as Troj/Spyeye-R.
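
The subject lines and attachment name quoted above are regular enough to match at a mail gateway or in a mailbox sweep. The following Python sketch is an added example, not code from the original article or from Sophos; it assumes `<random number>` is a run of decimal digits, and the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Patterns come from the subject lines and attachment name quoted in the article.
# Assumption: "<random number>" is a run of decimal digits.
SUBJECT_RE = re.compile(
    r"^Post Express Service\. (?:Get the parcel NR|Number of your parcel |"
    r"Package is available for pickup! NR|Delivery refuse! NR)\s*\d+$",
    re.IGNORECASE,
)
ATTACHMENT_RE = re.compile(r"^Post_Express_Label_\d+\.zip$", re.IGNORECASE)


def score_message(raw):
    """Check one raw RFC 5322 message against the campaign's two indicators."""
    msg = message_from_string(raw)
    # Collapse folded header whitespace before matching the subject.
    subject = " ".join((msg.get("Subject") or "").split())
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    subject_hit = bool(SUBJECT_RE.match(subject))
    attachment_hit = any(ATTACHMENT_RE.match(n) for n in names)
    if subject_hit and attachment_hit:
        verdict = "match"      # both indicators: firm campaign match
    elif subject_hit or attachment_hit:
        verdict = "suspect"    # one indicator: hold for review
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject_hit": subject_hit,
            "attachment_hit": attachment_hit, "attachments": names}


def build_sample(subject, filename=None):
    """Constructed test message; the attachment body is a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"] = "support@example.invalid", "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Dear client.")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="zip", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    raw = build_sample("Post Express Service. Delivery refuse! NR48213",
                       "Post_Express_Label_48213.zip")
    print(score_message(raw))
```

Treating a single indicator as "suspect" catches variants where only the subject or only the attachment name has been changed.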

Remember, there’s only one reason why cybercriminals keep using this type of social engineering to fool users into running malware – it works.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
