{ "Event": { "analysis": "1", "date": "2026-04-28", "extends_uuid": "", "info": "[Threat Intel] Inside a Fake DHL Campaign Built to Steal Credentials", "protected": false, "publish_timestamp": "1779545820", "published": true, "threat_level_id": "3", "timestamp": "1777689992", "uuid": "dc4264f7-7dd5-49b8-bf4b-212087ff2125", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#59847a", "local": false, "name": "misp-galaxy:producer=\"Forcepoint\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777460430", "to_ids": false, "type": "link", "uuid": "5dc27c51-c286-4445-88c1-057fd2d4c4a2", "value": "https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1777460430", "to_ids": false, "type": "text", "uuid": "9d0e2141-e767-4ae9-9887-c28adf199dc2", "value": "A consumer-targeted credential theft operation uses DHL brand impersonation combined with a fake OTP verification mechanism to harvest passwords from victims. The attack employs an 11-step chain beginning with spoofed shipment notification emails, leading victims through a client-side generated OTP page that creates false trust, then directing them to a DHL-branded credential harvesting portal. The kit captures passwords alongside victim telemetry including IP address, device details, browser fingerprinting, and geolocation data. Exfiltration occurs through EmailJS, a legitimate client-side email service, sending stolen credentials to an attacker-controlled Tutamail address. The campaign concludes by redirecting victims to the legitimate DHL website to avoid suspicion, demonstrating how familiar workflows and brand trust can be weaponized without technical sophistication." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1777460430", "to_ids": false, "type": "text", "uuid": "03ef4936-3e79-4f2e-a083-1f153f60952c", "value": "Name: Inside a Fake DHL Campaign Built to Steal Credentials\nAuthor: AlienVault\nAdversary: \nTags: [\"social engineering\", \"phishing campaign\", \"client-side theft\", \"emailjs exfiltration\", \"credential harvesting\", \"brand impersonation\", \"fake otp\", \"dhl impersonation\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: []\nIndustries: []" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777689211", "to_ids": true, "type": "domain", "uuid": "8fd3fd9d-1c06-4c36-844f-3c75451599d5", "value": "perfectgoc.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777689233", "to_ids": true, "type": "url", "uuid": "7df55380-6262-4c57-bddb-736ae3d80cc0", "value": "http://biotechgroup.net/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777689254", "to_ids": true, "type": "domain", "uuid": "43615c90-98f5-4463-ba18-5e7c9158c8fd", "value": "biotechgroup.net", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777686236", "to_ids": true, "type": "email-src", "uuid": "1ed4d1a8-5862-419b-9d50-7858654545df", "value": "info@cupelva.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777686236", "to_ids": true, "type": "email-src", "uuid": "0d56231d-9f58-49e2-86bc-3b7e1b84f86b", "value": "slatty077@tutamail.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777689275", "to_ids": true, "type": "url", "uuid": "1cae8809-1d5c-4230-9ed3-74de23eeae23", "value": "https://perfectgoc.com/aacggh/OTPWITCALLER.html?email=", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777689296", "to_ids": true, "type": "url", "uuid": "4a264af0-4c19-4c73-b256-4294f0502801", "value": "http://biotechgroup.net/aaaavbvvb/newengDHL.html?email=", "Tag": [ { "colour": "#f08989", "local": false, "name": "NotFoundError", "relationship_type": "" } ] } ] } }