That package at the Royal Mail office? It’s malware

Graham Cluley

Cybercriminals have spammed out malware, posing as an email from the Royal Mail.

The emails, which claim that a package has been returned to the Royal Mail office, pretend to come from official-sounding addresses such as [email protected] or [email protected].

Opening the attached file could lead to your Windows computer being infected by a Trojan horse.

Here’s a typical example of what is being spammed out:

Malware attack posing as Royal Mail email

Dear customer.

A courier did not deliver the package to your address.
Reason: The package is too large
Information about your package is attached to the letter.
Read all information carefully and come to the “Royal Mail” office to receive your package.

Thank you for your attention.
Royal Mail Service.

The reason given for non-delivery of the parcel can vary. For instance, the email might claim that your address does not exist, or that the parcel is too large.


Subject lines can vary also. Here are some of the examples we have seen in our traps:

  • Error in the delivery address No30173
  • You should come to the Royal Mail office and receive a package
  • Track your shipment No24127
  • Cancellation of the package delivery
  • Track your parcel No9782
  • A package is available for reception
  • Get your parcel No083
  • Error in the delivery address No40046009
  • Error in the delivery address No0633376
  • You should come to the Royal Mail office and receive a package
  • Delivery Problem
  • Royal Mail Delivery information

The dangerous thing, of course, is the attachment. It’s a ZIP file that Sophos’s anti-virus products intercept as Mal/BredoZp-B and Mal/EnckPK-AAT.

(If you use a security product from another vendor, here is the MD5 hash which you can use to determine if you are protected: 6bd53a62c768f7ce8663310ed404b89c)

I have to ask myself – why are people believing these emails are from the Royal Mail in the first place? I mean, how do they think the Royal Mail got hold of their email address?

Malware attacks posing as messages from parcel delivery companies are nothing new of course – but we’re more used to seeing attacks pretending to be from the likes of UPS, FedEx and DHL than the Royal Mail.

Always think before clicking on unsolicited attachments which arrive unexpectedly in your email. It’s an old trick, but the reason why malicious hackers still use it is because it works.
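
As an added example (not part of the original article), here is a mail-triage check in Python for the three traits described above: a subject resembling the listed lures, a ZIP attachment, and the quoted MD5. The regexes, verdict names and the sample message are assumptions constructed for illustration.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# MD5 of the malicious ZIP, as quoted in the article.
KNOWN_MD5 = {"6bd53a62c768f7ce8663310ed404b89c"}
# Assumed patterns, generalised from the subject lines listed in the article.
LURE_SUBJECTS = [
    re.compile(r"\b(address|shipment|parcel)\s+No\d+\b", re.I),
    re.compile(r"\bRoyal Mail\b", re.I),
    re.compile(r"\bpackage\b.*\b(delivery|reception)\b", re.I),
    re.compile(r"^\s*Delivery Problem\s*$", re.I),
]

def triage(raw: bytes) -> dict:
    """Check one raw RFC 5322 message for the campaign traits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    r = {"subject_lure": any(p.search(subject) for p in LURE_SUBJECTS),
         "zip_attached": False, "hash_match": False}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        # Trust the ZIP magic bytes as well as the declared file name.
        if data.startswith(b"PK\x03\x04") or name.endswith(".zip"):
            r["zip_attached"] = True
        if hashlib.md5(data).hexdigest() in KNOWN_MD5:
            r["hash_match"] = True
    # A hash hit is conclusive; lure subject plus ZIP is only suspicious, but
    # still worth holding because a repacked ZIP no longer matches the hash.
    r["verdict"] = ("block" if r["hash_match"] else "quarantine"
                    if r["subject_lure"] and r["zip_attached"] else "deliver")
    return r

def sample_message(subject: str, attachment: bytes = b"") -> bytes:
    """Build a constructed test message (not a real campaign sample)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Dear customer.")
    if attachment:
        msg.add_attachment(attachment, maintype="application",
                           subtype="zip", filename="info.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    fake_zip = b"PK\x03\x04" + b"constructed placeholder bytes"
    print(triage(sample_message("Track your parcel No9782", fake_zip)))
```

The hash check catches only the exact file named in the article, so the subject-plus-ZIP rule is what holds variants of the same mailing.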


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
