Kaspersky has detected a rapidly escalating malicious campaign that has targeted over 1 100 corporate users since June 2025.
The attackers pose as a legal firm and in their emails threaten recipients with lawsuits over alleged domain name patent violations, aiming to deploy malware.
Victims who opened and launched the attached files, which mimicked legal documents, had a Trojan installed on their devices, and the attackers could spy on the content of their screens.
Organisations across healthcare, finance, and education sectors have been targeted.
The campaign began with 95 emails on June 11 and has since continued to escalate. Besides claiming that the recipient’s domain name violates patented combinations belonging to a major brand and threatening litigation, the fake legal bureau also expresses the patent holders’ interest in acquiring the domain and invites the recipient to review the details of the alleged violations by opening the attached archive of “documents”.
It is worth noting that the attackers, likely to avoid detection, attach an archive that is not password protected; inside it is a second, password-protected archive together with a file containing that archive's password.
After the user enters the archive password and clicks on the alleged legal document inside, a Trojan is installed on the device. The user sees a message that reads: “This document cannot be opened on this device. Try opening it on another windows device”, while the Tor Browser is covertly downloaded and installed in the background.
Through the Tor Browser, the malware regularly sends snapshots of the user’s screen to the attackers over the Tor network. The malware also autostarts whenever the computer is restarted.
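One way a mail gateway could flag the attachment layout described above, added here as an illustration and not code from Kaspersky or the campaign: it parses the outer ZIP, checks whether an inner ZIP entry carries the encryption flag, and looks for a small text file that reads like a password note. The sample archive, its file names and the password text are constructed inline; because Python's zipfile cannot write encrypted entries, the inner archive's encryption flag is set by hand to mimic a password-protected file.

```python
import io
import re
import struct
import zipfile

PASSWORD_HINT = re.compile(r"pass(word)?", re.I)

def _is_encrypted(info: zipfile.ZipInfo) -> bool:
    # Bit 0 of the general-purpose flag marks a password-protected entry.
    return bool(info.flag_bits & 0x1)

def analyse_outer_archive(data: bytes) -> dict:
    """Flag the 'encrypted archive + password note inside a plain archive' pattern."""
    result = {"nested_archive": False, "inner_encrypted": False, "password_note": False}
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            name = info.filename.lower()
            if name.endswith(".zip"):  # only ZIP-in-ZIP is parsed in this example
                result["nested_archive"] = True
                with zipfile.ZipFile(io.BytesIO(outer.read(info))) as inner:
                    # Listing entries needs no password; the flag alone reveals encryption.
                    if any(_is_encrypted(i) for i in inner.infolist()):
                        result["inner_encrypted"] = True
            elif name.endswith(".txt") and info.file_size < 512:
                if PASSWORD_HINT.search(outer.read(info).decode("utf-8", "replace")):
                    result["password_note"] = True
    result["suspicious"] = all(result.values())
    return result

def build_sample() -> bytes:
    """Constructed sample: outer.zip -> documents.zip (flagged encrypted) + password.txt."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as z:
        z.writestr("legal_document.exe", b"placeholder bytes, not a real executable")
    raw = bytearray(inner.getvalue())
    # zipfile cannot write encrypted entries, so set bit 0 of the general-purpose
    # flag in the local header (offset 6) and the central directory record (offset 8).
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        idx = raw.find(sig)
        struct.pack_into("<H", raw, idx + off, struct.unpack_from("<H", raw, idx + off)[0] | 0x1)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("documents.zip", bytes(raw))
        z.writestr("password.txt", "Archive password: Legal2025")  # constructed note
    return outer.getvalue()

if __name__ == "__main__":
    print(analyse_outer_archive(build_sample()))
```

A real gateway would extend this to RAR and 7z containers and treat a positive verdict as grounds for quarantine rather than delivery.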
“This campaign is a sophisticated blend of psychological manipulation and technical deception, leveraging fear of legal action to coerce businesses into executing harmful files hidden in attached archives,” comments Anna Lazaricheva, spam analyst at Kaspersky. “Its rapid growth since June 11 underscores the urgency for organisations to bolster defenses. Victims face the risk of losing their private data. Robust email security, employee training, and swift incident reporting are essential to counter this evolving threat.”