- Fake Boots emails targeted almost 8.9 million addresses in a massive phishing campaign
- Hackers used a government website to host their fraudulent Boots checkout page
- Romanian attackers turned a compromised business server into an email distribution platform
Millions of UK shoppers were exposed to a fake Boots promotion after hackers sent emails offering a free beauty sample pack through a large phishing campaign.
The operation used a fake customer survey to collect personal details while directing victims toward a fraudulent checkout process requesting sensitive information.
Researchers from Huntress say the campaign involved 8,894,920 email addresses and infrastructure connected to Romanian-speaking threat actors.
A fake Boots offer backed by a large phishing operation
The emails appeared to come from Boots and encouraged recipients to complete a short survey in exchange for a beauty sample package and promotional benefits.
The campaign relied on familiar branding to make the message appear legitimate while directing users to a cloned website designed for information collection.
The fake page requested names, email addresses, dates of birth, phone numbers and home addresses before moving on to payment details.
Huntress found that the phishing content was hosted on a compromised Bolivian government website belonging to IPELC, rather than an attacker-controlled domain.
The attackers placed the phishing kit inside a hidden directory on the legitimate government domain so that the links inherited its existing reputation with filters and users.
The email campaign was sent using Gammadyne Mailer, a legitimate bulk mailing app that attackers installed on a compromised UK business terminal server.
The server was not used to deploy ransomware or steal files from that business, but instead acted as a platform for sending fraudulent messages.
The attackers loaded six recipient lists named milk (1) through milk (6), containing almost 8.9 million email addresses prepared for the campaign.
Huntress recovered a project file named dracii.mmp, which contained details about the email delivery settings, phishing links, and campaign configuration.
Compromised systems helped deliver the fake messages
Investigators found that the attackers accessed the UK business server with stolen credentials through an internet-exposed remote access service before staging the phishing operation.
The compromised server then let them send messages directly from the organisation's internet connection, so the traffic carried the victim business's IP address and reputation while the attackers' own infrastructure stayed off blocklists.
The mailer was configured for direct-to-MX delivery, in which it connects straight to each recipient domain's mail exchanger instead of relaying through a mail server, using 666 simultaneous threads with no throttling applied to maximize sending speed.
Huntress later isolated all 25 endpoints in the business environment and blocked 29,954 outbound SMTP connections within a 104-second window.
Huntress also contacted Bolivia's national CSIRT after discovering that the government website had been compromised and used to host the phishing material.
The recovered files suggested that the Boots campaign was part of a broader operation involving other UK-focused themes including tax-related and cryptocurrency messages.
The same toolkit appeared to have been reused across multiple compromised systems since July 2025.