I am truly amazed
·3344 words·16 mins
Table of Contents
Another email with an attachment - this time it is a ZIP file (which contents are a readme.txt and another (but encrypted) ZIP file).
I will structure this post a bit different but I will include the sources of the email at the end because inspecting this new zip file is much more interesting to me than showing again the same(/similar) contents of the plain email.
Starting with the only attachment, a file called webmail_dump.zip.
Analysis #
FYI, I will save this file into $HOME/Downloads/tmp.
First ZIP file (webmail_dump.zip) #
Using tools like
file(1)
and
strings(1)
helps a lot
for inspecting unknown files and/or filetypes (even if they are binary).
$ file webmail_dump.zip
webmail_dump.zip: Zip archive data, made by v2.0 UNIX, extract using at
least v2.0, last modified, last modified Sun, Nov 22 2025 23:36:02,
uncompressed size 1146, method=deflate
$ unzip -t webmail_dump.zip
Archive: webmail_dump.zip
testing: readme.txt OK
testing: dump_22112025.zip OK
No errors detected in compressed data of webmail_dump.zip.
Okay, extracting these files gets me the readme.txt file and another archive.
The text file (readme.txt) #
$ cat readme.txt
[SECURITY DUMP]
═══════════════════════════════════════════════════════════
Email: ***
Hash: SHA-256: 8baca9a00a429e6ed4a28db176ef4f5d3587c33844f7c71dd338599819ba5c5d
Status: INFECTED
Build Date: 2025-11-03 09:20:31
Dump Date: 2025-11-22 23:06:02
[+] Access Level: ROOT
[+] Data Integrity: COMPROMISED
[+] Backup Status: COMPLETE
Vulnerability: CVE-2025-34106
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Device Control:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Webcam: [ACTIVE] ✓
Status: STREAMING LIVE
Frames Captured: 12,847
Last Update: 2025-11-22 23:36:02
[!] Target is currently being monitored
[!] Recording: 1080p @ 30fps
[!] Audio: SYNCED
Microphone: [LISTENING] ✓
Screen Capture: [ENABLED] ✓
Keyboard Logger: [RUNNING] ✓
So it claims it gained access to my systems using CVE-2025-34106. Let me quickly summarize what this vulnerability is about:
A buffer overflow vulnerability exists in PDF Shaper versions 3.5 and 3.6 when converting a crafted PDF file to an image using the ‘Convert PDF to Image’ functionality. An attacker can exploit this vulnerability by tricking a user into opening a maliciously crafted PDF file, leading to arbitrary code execution under the context of the user. This vulnerability has been verified on Windows XP, 7, 8, and 10 platforms using the PDFTools.exe component.
– CVE-2025-34106
Knowing that the only usecase for Windows is on my Hamradio laptop (which I use very, very, very rarely recently) and the fact, that I do not use PDFTools (neither on Windows nor on the Linux machines) underlines the suspicion of reading through a spam mail.
But I guess they wanted to make it look legit – non-tech people might fall for that so it is always good to know a few nerds, right?
The second ZIP file (dump_22112025.zip) #
$ file dump_22112025.zip
dump_22112025.zip: Zip archive data, made by v2.0 UNIX, extract using at
least v2.0, last modified, last modified Sun, Nov 22 2025 23:36:02,
uncompressed size 0, method=AES Encrypted
$ unzip -t dump_22112025.zip
Archive: dump_22112025.zip
skipping: id-passport/identity.pdf unsupported compression method 99
skipping: id-passport/passport.pdf unsupported compression method 99
skipping: cvv-iban/iban_export.json unsupported compression method 99
skipping: cvv-iban/cvv_dump.sql unsupported compression method 99
skipping: logs/keyboard_log.txt unsupported compression method 99
skipping: logs/browser-passwords.dump unsupported compression method 99
skipping: logs/system.log unsupported compression method 99
skipping: screenshots/webcam-face-2.jpg unsupported compression method 99
skipping: screenshots/webcam-face-1.jpg unsupported compression method 99
skipping: screenshots/desk1.png unsupported compression method 99
skipping: screenshots/webcam-face-3.jpg unsupported compression method 99
skipping: video_recording/webcam_08.mp4 unsupported compression method 99
skipping: video_recording/webcam_01.mp4 unsupported compression method 99
skipping: video_recording/webcam_12.mp4 unsupported compression method 99
skipping: video_recording/webcam_02.mp4 unsupported compression method 99
skipping: video_recording/webcam_03.mp4 unsupported compression method 99
skipping: video_recording/webcam_09.mp4 unsupported compression method 99
skipping: video_recording/webcam_05.mp4 unsupported compression method 99
skipping: video_recording/webcam_10.mp4 unsupported compression method 99
skipping: video_recording/webcam_06.mp4 unsupported compression method 99
skipping: video_recording/webcam_11.mp4 unsupported compression method 99
skipping: video_recording/webcam_04.mp4 unsupported compression method 99
skipping: video_recording/webcam_07.mp4 unsupported compression method 99
skipping: contacts/social-network-friends.csv unsupported compression method 99
skipping: contacts/phone_dump.csv unsupported compression method 99
skipping: contacts/contact_types.sql unsupported compression method 99
Caution: zero files tested in dump_22112025.zip.
26 files skipped because of unsupported compression or encoding.
Okay, we can see the filenames here – that would also be possible with
strings(1)
, but would have looked not so pretty.
$ zip2john dump_22112025.zip > hash.txt
$ cat hash.txt
dump_22112025.zip/id-passport/identity.pdf:$zip2$*0*3*0*748fdbda1e647ba74601770024472d3d*1e18*2*dea4*6c0eb810be6b1e102c34*$/zip2$:id-passport/identity.pdf:dump_22112025.zip:dump_22112025.zip
Modify the hash.txt file that only the hash is left on a single line.
$zip2$*0*3*0*748fdbda1e647ba74601770024472d3d*1e18*2*dea4*6c0eb810be6b1e102c34*$/zip2$
After visiting the hashcat wiki I got an idea of what type the has could be. Searching for zip2 reveals it is much likely a WinZip hash, I can use the mode 13600 in hashcat to try cracking it.
$ hashcat -m 13600 -a 3 -w 3 --increment --increment-min=4 --increment-max=8 hash.txt "?d?d?d?d?d?d?d?d"
No luck with all-digits from 4 to 8 digits (0000-99999999). So I will try a few common wordlists – just for fun (not that there would be something interesting in those files, but hey, low-hanging fruits, you know!).
I stopped the cracking after an hour or two as it seems the password is in none of my used lists. Nonetheless I doubt the encrypted files are even legit files but probably random files with superduper valid looking names.
So let’s dive deeper into the “normal” email things that I usually present over here.
The usual things #
Mail headers #
Return-Path: <photipinkback1977@gmx.com>
Received: from phl-compute-02.internal (phl-compute-02.internal [10.202.2.42])
by slotpi15m48 (Cyrus 3.13.0-alpha0-1481-gc2518cb30-fm-20251113.001-gc2518cb3) with LMTPA;
Sat, 22 Nov 2025 18:36:07 -0500
X-Cyrus-Session-Id: slotpi15m48-1763854567-762439-2-15922790326409576325
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no
X-Spam-sender-reputation: 666 (domain)
X-Spam-score: 35.3
X-Spam-hits: BAYES_00 -1.9, BITCOIN_EXTORT_01 3.634, DCC_CHECK 1.1, DCC_REPUT_70_89 0.1,
FREEMAIL_ENVFROM_END_DIGIT 0.25, FREEMAIL_FROM 0.001, FSL_BULK_SIG 0.001,
GB_HASHBL_BTC 4.463, HTML_MESSAGE 0.001, ME_SC_NH -0.001,
ME_SENDERREP_NEUTRAL 0.001, ME_VADESCAM 3, MIME_HTML_ONLY 0.1,
PDS_BTC_ID 0.5, RCVD_IN_PBL 0.001, RCVD_IN_SBL 6,
RCVD_IN_ZEN_LASTEXTERNAL 8, SH_HBL_CW_BTC 10, SPF_HELO_PASS -0.001,
SPF_PASS -0.001, TRACKER_ID 0.1, LANGUAGES en, BAYES_USED user,
SA_VERSION 4.0.1
X-Spam-source: IP='82.165.159.12', Host='mout-xforward.gmx.net', Country='DE',
FromHeader='com', MailFrom='com'
X-Spam-charsets: subject='UTF-8', html='UTF-8'
X-Attached: webmail_dump.zip
X-Resolved-to: ***
X-Delivered-to: ***
X-Mail-from: photipinkback1977@gmx.com
Received: from phl-mx-04 ([10.202.2.203])
by phl-compute-02.internal (LMTPProxy); Sat, 22 Nov 2025 18:36:07 -0500
Received: from phl-mx-04.messagingengine.com (localhost [127.0.0.1])
by mailmx.phl.internal (Postfix) with ESMTP id AF1981380100
for <***>; Sat, 22 Nov 2025 18:36:06 -0500 (EST)
Received: from mailmx.phl.internal (localhost [127.0.0.1])
by phl-mx-04.messagingengine.com (Authentication Milter) with ESMTP
id AA98FA47845.E73F21380111;
Sat, 22 Nov 2025 18:36:06 -0500
Received: from mout-xforward.gmx.net (mout-xforward.gmx.net [82.165.159.12])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by phl-mx-04.messagingengine.com (Postfix) with ESMTPS id E73F21380111
for <***>; Sat, 22 Nov 2025 18:36:05 -0500 (EST)
Received: from [177.37.137.49] ([177.37.137.49]) by web-mail.gmx.net
(3c-app-mailcom-bs06.server.lan [172.19.170.174]) (via HTTP); Sun, 23 Nov
2025 00:36:03 +0100
MIME-Version: 1.0
Message-ID: <trinity-2e2ea689-c385-4da6-9783-b8e8b37efede-1763854563549@3c-app-mailcom-bs06>
From: Melissa Powell <photipinkback1977@gmx.com>
To: ***
Subject: =?UTF-8?Q?=F0=9F=8D=93_Finish_the_payment_before_?=
=?UTF-8?Q?I_trigger_the_distribution_=F0=9F=A4=A3?=
Content-Type: multipart/mixed;
boundary=trekuen-baee1166-d4f8-4804-ba7a-4e1eda4e14b8
Date: Sun, 23 Nov 2025 00:36:03 +0100
The IP address from which GMX picked up the mail belongs to Brisanet Servicos de Telecomunicacoes — BRISANET SERVICOS DE TELECOMUNICACOES S.A and originates from Brazil.
The person might have used a VPN or proxy server to obscure traces.
The mail body #
Weren't you taught that jerking off is bad?! 😂
Hello!
I'm the Chinese software engineer who hacked into your device OS.
I've been watching you for months now. You've been infected with malware
through the adult website you visited. I have downloaded all
confidential information from your system and I got some more evidence.
I gained access to your smartphone and saw everything you were doing...
well, I got a video of you masturbating in the bathroom (nice interior,
by the way). I've been monitoring your camera for the past 2 weeks - it
was active for 47 hours total, and you never noticed because I disabled
the LED indicator.
I put together footage: on one side of the screen is the video you're
watching at the moment and on the other side is your satisfied face.
With one click, I can send this video to all your contacts.
I've already prepared everything. I have access to your WhatsApp and I
can see all your conversations - with your family, your relatives, your
friends, your colleagues, and even your boss. I've also taken
screenshots of your private chats. The video is queued and ready to
send. One wrong move and I press the button.
I can see your WhatsApp messages, your private chats, your family group
chats, and I can send anything I want from your account. I also have
your work email and I can see all your professional contacts. Imagine
your relatives receiving this video from your WhatsApp number in your
family group chat, or your boss and colleagues receiving it during work
hours. How would you explain that? Your life will be ruined.
All your data is already uploaded to my secure servers. Even if you
delete everything from your device right now, I still have copies. The
email templates are ready. The video is processed and optimized.
Everything is set up. I'm just waiting for the timer to expire.
I'm monitoring this email right now. If you forward it, show it to
someone, or try to contact the police, I'll know instantly and the video
will be sent immediately to your entire contact list, starting with your
relatives and your work contacts. There's no way to stop me once I press
that button.
Do you want to prevent this?
I understand your concern. Especially since the video was quite vulgar,
I can't imagine the embarrassment you will feel when your family,
relatives, colleagues, friends and everyone else see it. Your reputation
will be destroyed forever. You'll never be able to look them in the eye
again.
If you need to delete all of your collected data, just send 0.05 btc
(Bitcoin) to a wallet that was specially generated for your email
address.
bc1q5lukj7heyexw9e3ncnjgs7c4uutgwadaqja5sa
Yes, it's that simple! My script will detect the transaction to this
wallet and will automatically delete all the dirt that was collected on
you from my servers.
You have 48 hours to pay. The countdown started the moment you opened
this email. If you don't pay within 48 hours, the video will be
automatically sent on Monday at 9 AM (your local time) - right when
everyone is at work, checking their messages. Every hour you delay, I'll
send the video to random contacts from your list, starting with your
relatives and work colleagues. After 48 hours, everyone gets it - your
entire WhatsApp contact list, including all your relatives, and I'll
also post it on your social media accounts from your own profile. There
will be no way to undo this.
Timer ID: 1763219944
The timer started automatically after you opened this email. You're
being watched right now. Every second counts.
If you don't have enough money, you can pay half the amount (0.025 btc)
to your wallet in order to extend the timer for another 48 hours.
Do not try to reply to this email, it makes absolutely no sense (the
sender's email address as well as the Bitcoin wallet were generated
automatically especially for you and cannot be traced). I don't make
mistakes. Don't test me.
If I see that you've shared this message with someone else (for example,
if it is opened on a different device than yours), the video will
instantly start being sent out to your contact list. I have monitoring
scripts running 24/7. Your relatives will be the first to receive it in
your family group chats. This is your only warning.
Take it easy. Take it as a little life lesson and be more careful in the
future.
Yes, the internet advice about taping the camera isn't so useless.
Good luck with that. Bye. ❤️
P.S. I've attached an archive containing all the compromising data I've
collected about you - your personal files, passwords, browser history,
webcam recordings, screenshots, and much more. This is just a small
sample of what I have. Everything is encrypted, but I can decrypt it at
any moment. I have 12.3 GB of your data ready to leak if you don't
cooperate.
So to break this down a little bit:
- The chinese hacker…
Sorry, this is the obvious. (may still be true, *lol*) - Someone told him about the LED indicator.
So this must be mentioned to fool people that he can bypass all these hardware lights via software. - My Whatsapp
OK. Let’s be real. I do have a Whatsapp installed. But all the chats that are mentioned don’t even exist. (As Whatsapp is a last resort for people that cannot reach me otherwise) - Work email
I’m a construction worker – I do not have any work related tech devices. - 0.05 BTC? (3764,47 EUR)
Are you crazy? Your greed will someday kill you. - Timer ID
*lol* - taping the camera
I must admit, I’ve done that anyway on almost all devices including the TV switch on which I even removed the soldered mic.
The html body #
--trekuen-baee1166-d4f8-4804-ba7a-4e1eda4e14b8
Content-Type: text/html; charset=UTF-8
<html><head></head><body><div style="font-family: Verdana;font-size:
12.0px;"><div style="display:none; font-size:1px; color:#e5e5e5;
line-height:1px; font-family:Verdana, Helvetica, sans-serif;
max-height:0px; max-width:0px; opacity:0; overflow:hidden;
mso-hide:all;">Weren't you taught that jerking off is bad?!
😂</div>
<div style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe
UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
background-color: #000000; color: #ffffff; padding: 60px 40px;
max-width: 600px; margin: 0 auto; line-height: 1.7;">
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">Hello!</p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">I'm the Chinese software engineer who hacked into
your device OS.</p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">I've been watching you for months now. You've
been infected with malware through the adult website you visited. I
have downloaded all confidential information from your system and I
got some more evidence.</p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;"><strong style="font-weight: 600;">I gained access to
your smartphone and saw everything you were doing...</strong> well,
I got a video of you masturbating in the bathroom (nice interior, by
the way). I've been monitoring your camera for the past 2 weeks -
it was active for 47 hours total, and you never noticed because I
disabled the LED indicator.</p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">I put together footage: on one side of the screen is
the video you're watching at the moment and on the other side is
your satisfied face. With one click, I can send this video to all your
contacts.</p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;"><strong style="font-weight: 600;">I've already
prepared everything.</strong> I have access to your WhatsApp and I
can see all your conversations - with your family, your relatives,
your friends, your colleagues, and even your boss. I've also taken
screenshots of your private chats. The video is queued and ready to
send. One wrong move and I press the button.</p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">I can see your WhatsApp messages, your private chats,
your family group chats, and I can send anything I want from your
account. I also have your work email and I can see all your
professional contacts. Imagine your relatives receiving this video
from your WhatsApp number in your family group chat, or your boss and
colleagues receiving it during work hours. How would you explain that?
<strong style="font-weight: 600; color: #ff3b30;">Your life will be
ruined.</strong></p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">All your data is already uploaded to my secure
servers. Even if you delete everything from your device right now, I
still have copies. The email templates are ready. The video is
processed and optimized. Everything is set up. I'm just waiting
for the timer to expire.</p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;"><strong style="font-weight: 600;">I'm monitoring
this email right now.</strong> If you forward it, show it to
someone, or try to contact the police, I'll know instantly and the
video will be sent immediately to your entire contact list, starting
with your relatives and your work contacts. <strong
style="font-weight: 600; color: #ff3b30;">There's no way to stop
me once I press that button.</strong></p>
<div style="border-top: 1px solid #333333; margin: 40px 0; padding-top:
40px;"></div>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">Do you want to prevent this?</p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">I understand your concern. Especially since the video
was quite vulgar, I can't imagine the embarrassment you will feel
when your family, relatives, colleagues, friends and everyone else see
it. Your reputation will be destroyed forever. <strong
style="font-weight: 600; color: #ff3b30;">You'll never be able
to look them in the eye again.</strong></p>
<div style="background-color: #1a1a1a; border: 1px solid #333333;
border-radius: 8px; padding: 30px; margin: 40px 0;"> <p
style="font-size: 16px; color: #ffffff; margin: 0 0 20px 0;
font-weight: 400;">If you need to delete all of your collected data,
just send 0.05 btc (Bitcoin) to a wallet that was specially
generated for your email address.</p> <div style="background-color:
#000000; border: 1px solid #333333; border-radius: 6px; padding:
20px; margin: 20px 0;"> <p style="font-size: 15px; color: #ffffff;
margin: 0; font-weight: 400; font-family: 'SF Mono',
'Monaco', 'Courier New', monospace; word-break:
break-all; letter-spacing:
0.5px;">bc1q5lukj7heyexw9e3ncnjgs7c4uutgwadaqja5sa</p> </div>
</div>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">Yes, it's that simple! My script will detect the
transaction to this wallet and will automatically delete all the dirt
that was collected on you from my servers.</p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;"><strong style="font-weight: 600;">You have 48 hours
to pay.</strong> The countdown started the moment you opened this
email. If you don't pay within 48 hours, the video will be
automatically sent on Monday at 9 AM (your local time) - right when
everyone is at work, checking their messages. Every hour you delay,
I'll send the video to random contacts from your list, starting
with your relatives and work colleagues. After 48 hours, everyone gets
it - your entire WhatsApp contact list, including all your relatives,
and I'll also post it on your social media accounts from your own
profile. <strong style="font-weight: 600; color: #ff3b30;">There will
be no way to undo this.</strong></p>
<div style="background-color: #1a1a1a; border: 1px solid #ff3b30;
border-radius: 8px; padding: 25px; margin: 30px 0;"> <p
style="font-size: 15px; color: #ffffff; margin: 0 0 10px 0;
font-weight: 400; font-family: 'SF Mono', 'Monaco',
'Courier New', monospace;">Timer ID: 1763219944</p> <p
style="font-size: 16px; color: #ff3b30; margin: 10px 0 0 0;
font-weight: 600;">The timer started automatically after you opened
this email. You're being watched right now. Every second
counts.</p> </div>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">If you don't have enough money, you can pay half
the amount (0.025 btc) to your wallet in order to extend the timer for
another 48 hours.</p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">Do not try to reply to this email, it makes
absolutely no sense (the sender's email address as well as the
Bitcoin wallet were generated automatically especially for you and
cannot be traced). I don't make mistakes. <strong
style="font-weight: 600; color: #ff3b30;">Don't test
me.</strong></p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;"><strong style="font-weight: 600; color: #ff3b30;">If
I see that you've shared this message with someone else (for
example, if it is opened on a different device than yours), the
video will instantly start being sent out to your contact list. I
have monitoring scripts running 24/7. Your relatives will be the
first to receive it in your family group chats. This is your only
warning.</strong></p>
<div style="border-top: 1px solid #333333; margin: 40px 0; padding-top:
40px;"></div>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">Take it easy. Take it as a little life lesson and be
more careful in the future.</p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;"><strong style="font-weight: 600;">Yes, the internet
advice about taping the camera isn't so useless.</strong></p>
<p style="font-size: 17px; color: #ffffff; margin: 0 0 30px 0;
font-weight: 400;">Good luck with that. Bye. ❤️</p>
<div style="border-top: 1px solid #333333; margin: 40px 0; padding-top:
40px;"></div>
<p style="font-size: 17px; color: #ffffff; margin: 0; font-weight:
400;"><strong style="font-weight: 600;">P.S.</strong> I've
attached an archive containing all the compromising data I've
collected about you - your personal files, passwords, browser history,
webcam recordings, screenshots, and much more. This is just a small
sample of what I have. Everything is encrypted, but I can decrypt it
at any moment. <strong style="font-weight: 600; color: #ff3b30;">I
have 12.3 GB of your data ready to leak if you don't
cooperate.</strong></p>