- Fake Boots emails reached 8.9 million addresses through a massive phishing campaign
- Hackers used a government website to host their fraudulent Boots checkout page
- Romanian attackers turned a compromised corporate server into an email distribution platform
Millions of UK shoppers fell victim to a fake Boots promotion after hackers sent emails offering a free beauty trial pack through a major phishing campaign.
The operation used a fake customer survey to collect personal information while directing victims to a fraudulent payment process that requested sensitive information.
Huntress researchers claim that the campaign involved 8,894,920 email addresses and infrastructure associated with Romanian-speaking threat actors.
A bogus Boots offer backed by a major phishing operation
The emails appeared to come from Boots and invited recipients to complete a short survey in exchange for a beauty trial pack and promotional benefits.
The campaign relied on familiar branding to make the message appear legitimate, while directing users to a cloned website designed for information gathering.
The fake site requested details including names, email addresses, dates of birth, phone numbers and home addresses before moving on to the payment step.
Huntress found that the phishing content was hosted on a compromised Bolivian government website belonging to IPELC, rather than an attacker-controlled domain.
The attackers placed the phishing kit in a hidden folder on the legitimate government domain to take advantage of its existing reputation.
The email campaign was sent using Gammadyne Mailer, a legitimate bulk email app that attackers installed on a compromised UK corporate terminal server.
The server was not used to deploy ransomware or steal files from that company, but instead served as a platform to send fraudulent messages.
The attackers loaded six recipient lists named milk (1) through milk (6) that contained nearly 8.9 million email addresses prepared for the campaign.
Huntress recovered a project file named dracii.mmp, which contained details about email delivery settings, phishing links, and campaign configuration.
Compromised systems helped deliver the fake messages
Investigators found that attackers accessed the UK company server through an exposed remote access system using stolen credentials before staging the phishing operation.
The compromised server then let them send messages directly from the organization’s Internet connection, keeping their own infrastructure hidden from blocklists.
The mailer was configured for direct-to-MX delivery using 666 concurrent threads with zero throttling applied to maximize send speed.
Huntress later isolated all 25 endpoints connected to the business environment and blocked 29,954 outgoing SMTP connections within a 104-second period.
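The pattern described above, a host that is not a mail relay suddenly opening hundreds of outbound TCP/25 connections to many distinct mail exchangers, is what direct-to-MX bulk mailing looks like from the network edge. The following script is an added detection example, not code from Huntress or from the original article; the log format, field names, host addresses and thresholds are all assumptions, and the log lines are constructed. It flags any non-relay host whose outbound SMTP connection count or destination fan-out exceeds a threshold inside a sliding window.

```python
"""Flag direct-to-MX outbound mail bursts from hosts that should not send mail.

Added example, not from the original article. The firewall-style log format,
field names, addresses and thresholds below are assumptions; the log lines are
constructed for the demo. A bulk mailer doing direct-to-MX delivery shows up as
one source host opening many TCP/25 connections to many distinct destinations
inside a short window, which is what this detector looks for.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Assumed log line shape: "<iso-ts> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)

# Hosts that are allowed to speak SMTP outbound (assumed: the organisation's mail relay).
MAIL_RELAYS = {"10.0.0.25"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
    d["dport"] = int(d["dport"])
    return d


def find_smtp_bursts(lines, window_seconds=60, max_connections=50, max_distinct_dst=20):
    """Return {src: {"connections": peak, "distinct_dst": peak, "reasons": [...]}} for offenders.

    Peaks are measured over a sliding window of window_seconds. Hosts listed in
    MAIL_RELAYS are exempt, since a real relay legitimately fans out to many MX hosts.
    """
    events = [e for e in map(parse_line, lines) if e and e["dport"] == 25 and e["proto"] == "tcp"]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (ts, dst) still inside the window
    peak = defaultdict(lambda: {"connections": 0, "distinct_dst": 0})

    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        p = peak[e["src"]]
        p["connections"] = max(p["connections"], len(q))
        p["distinct_dst"] = max(p["distinct_dst"], len({dst for _, dst in q}))

    offenders = {}
    for src, p in peak.items():
        if src in MAIL_RELAYS:
            continue
        reasons = []
        if p["connections"] > max_connections:
            reasons.append(f"{p['connections']} outbound SMTP connections within {window_seconds}s")
        if p["distinct_dst"] > max_distinct_dst:
            reasons.append(f"{p['distinct_dst']} distinct SMTP destinations within {window_seconds}s")
        if reasons:
            reasons.append("source is not an approved mail relay")
            offenders[src] = {**p, "reasons": reasons}
    return offenders


def make_sample_log():
    """Constructed sample: a relay (exempt), a quiet workstation, and a bursting terminal server."""
    base = datetime(2025, 9, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(offset_s, src, dst, dport=25):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        return f"{ts} src={src} dst={dst} dport={dport} proto=tcp action=allow"

    lines = []
    # Legitimate relay: 200 connections to 200 MX hosts in about a minute, exempt by allowlist.
    lines += [line(i * 0.3, "10.0.0.25", f"198.51.100.{1 + i % 200}") for i in range(200)]
    # Ordinary workstation: a few SMTP connections plus unrelated HTTPS traffic.
    lines += [line(i * 10, "10.0.0.42", "192.0.2.5") for i in range(3)]
    lines += [line(i * 5, "10.0.0.42", "192.0.2.80", dport=443) for i in range(40)]
    # Terminal server running a bulk mailer: 120 connections to 100 distinct hosts in 30 seconds.
    lines += [line(i * 0.25, "10.0.0.7", f"203.0.113.{1 + i % 100}") for i in range(120)]
    return lines


if __name__ == "__main__":
    for src, info in find_smtp_bursts(make_sample_log()).items():
        print(src, "->", "; ".join(info["reasons"]))
```

Running the block prints only the terminal server, with both the connection-count and fan-out reasons. In practice the relay allowlist and thresholds come from the organisation's own mail architecture; the fan-out check is the more robust of the two, because a host talking to dozens of different mail exchangers in a minute is rarely anything other than a mailer.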
Huntress also contacted Bolivia’s national CSIRT after discovering that the government’s website had been compromised and used to host the phishing material.
The recovered files suggested the Boots campaign was part of a wider operation involving other UK-focused themes, including tax and cryptocurrency announcements.
The same toolset appeared to have been reused across multiple compromised systems since July 2025.