{"id":1593,"date":"2026-02-27T13:05:34","date_gmt":"2026-02-27T13:05:34","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/"},"modified":"2026-02-27T13:05:34","modified_gmt":"2026-02-27T13:05:34","slug":"fake-fedex-email-delivers-donuts-fri-feb-27th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/","title":{"rendered":"Fake Fedex Email Delivers Donuts!, (Fri, Feb 27th)"},"content":{"rendered":"<div>\n<p>It\u2019s Friday, let\u2019s have a look at another simple piece of malware to close a busy week! I received a Fedex notification about a delivery. Usually, such emails are simple phishing attacks that redirect you to a fake login page to collect your credentials. Here, it was a bit different:<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-1.png\" style=\"width: 700px; height: 698px;\"><\/p>\n<p>Nothing really fancy, but it is effective and uses interesting techniques. The attached archive called &#8220;fedex_shipping_document.7z&#8221; (SHA256: a02d54db4ecd6a02f886b522ee78221406aa9a50b92d30b06efb86b9a15781f5) contains a Windows script (.bat file) with the same filename. This script, not really obfuscated and easy to understand, receives a low VT score, only 12\/61!<\/p>\n<p>First, it will generate some environment variables and implement persistence through a Run key:<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-2.png\" style=\"width: 800px; height: 25px;\"><\/p>\n<p>The variable name &#8220;!contract&#8221; contains the path of a script copy in %APPDATA%RailEXPRESSIO.cmd. The threat actor does not use the classic environment variable format \u201c%VAR%\u201d but \u201c!var!\u201d. 
This is expanded at execution time, meaning it reflects the current value inside loops and blocks[<a href=\"https:\/\/ss64.com\/nt\/delayedexpansion.html\">1<\/a>]. It\u2019s enabled via this command:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nsetlocal enableDelayedExpansion<\/pre>\n<p>A simple but nice trick to defeat a simple search for &#8220;%..%&#8221;!<\/p>\n<p>Then a PowerShell one-liner is invoked. The PowerShell payload is located at the end of the script and is Base64-encoded. A nice trick is that the very first characters of the Base64 payload make it undetectable by tools like base64dump! PowerShell extracts it through a regular expression:<\/p>\n<p>Once the payload is decoded, it is piped to another PowerShell:<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-3.png\" style=\"width: 800px; height: 386px;\"><\/p>\n<p>The PowerShell implements different behaviors. First, it will create a Mutex on the victim\u2019s computer:<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-4.png\" style=\"width: 450px; height: 132px;\"><\/p>\n<p>Strangely, it seems that some anti-debugging and anti-sandboxing checks are not completely implemented. For example, the script gets the number of CPU cores (a classic) but the value is never tested!<\/p>\n<p>The script waits for the presence of an &#8220;explorer&#8221; process (which means that a user is logged in); otherwise it exits:<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-5.png\" style=\"width: 700px; height: 177px;\"><\/p>\n<p>There is a long Base64-encoded variable that contains a payload that has been AES-encrypted. The IV and salt are extracted and the payload decrypted. 
No time to lose: run the script in the PowerShell debugger and dump the decrypted data to a file:<br \/>\n<img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-6.png\" style=\"width: 900px; height: 555px;\"><br \/>\nThe decrypted data is the next stage: a shellcode. This one will be injected into the explorer process and a new thread started:<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-7.png\" style=\"width: 800px; height: 475px;\"><\/p>\n<p>This behavior is typical of DonutLoader[<a href=\"https:\/\/medium.com\/@anyrun\/donutloader-malware-overview-00d9e3d79a48\">2<\/a>].<\/p>\n<p>The shellcode connects to the C2 server: 204[.]10[.]160[.]190:7003. It&#8217;s a good old XWorm!<\/p>\n<p>[1]\u00a0<a href=\"https:\/\/ss64.com\/nt\/delayedexpansion.html\">https:\/\/ss64.com\/nt\/delayedexpansion.html<\/a><br \/>\n[2]\u00a0<a href=\"https:\/\/medium.com\/@anyrun\/donutloader-malware-overview-00d9e3d79a48\">https:\/\/medium.com\/@anyrun\/donutloader-malware-overview-00d9e3d79a48<\/a><\/p>\n<p>Xavier Mertens (@xme)<br \/>\nXameco<br \/>\nSenior ISC Handler &#8211; Freelance Cyber Security Consultant<br \/>\n<a href=\"https:\/\/keybase.io\/xme\/key.asc\">PGP Key<\/a><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>It\u2019s Friday, let\u2019s have a look at another simple piece of malware to close a busy week! I received a Fedex notification about a delivery. Usually, such emails are simple phishing attacks that redirect you to a fake login page to collect your credentials. 
Here, it was a bit different: Nothing really fancy but it [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-1593","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Fake Fedex Email Delivers Donuts!, (Fri, Feb 27th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Fake Fedex Email Delivers Donuts!, (Fri, Feb 27th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"It\u2019s Friday, let\u2019s have a look at another simple piece of malware to close a busy week! I received a Fedex notification about a delivery. Usually, such emails are simple phishing attacks that redirect you to a fake login page to collect your credentials. 
Here, it was a bit different: Nothing really fancy but it [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-27T13:05:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-1.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Fake Fedex Email Delivers Donuts!, (Fri, Feb 
27th)\",\"datePublished\":\"2026-02-27T13:05:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/\"},\"wordCount\":452,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-1.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/\",\"name\":\"Fake Fedex Email Delivers Donuts!, (Fri, Feb 27th) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-1.png\",\"datePublished\":\"2026-02-27T13:05:34+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc
-20260227-1.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Fake Fedex Email Delivers Donuts!, (Fri, Feb 27th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Fake Fedex Email Delivers Donuts!, (Fri, Feb 27th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/","og_locale":"en_US","og_type":"article","og_title":"Fake Fedex Email Delivers Donuts!, (Fri, Feb 27th) - Imperative Business Ventures Limited","og_description":"It\u2019s Friday, let\u2019s have a look at another simple piece of malware to close a busy week! I received a Fedex notification about a delivery. Usually, such emails are simple phishing attacks that redirect you to a fake login page to collect your credentials. Here, it was a bit different: Nothing really fancy but it [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-02-27T13:05:34+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-1.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Fake Fedex Email Delivers Donuts!, (Fri, Feb 27th)","datePublished":"2026-02-27T13:05:34+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/"},"wordCount":452,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-1.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/","name":"Fake Fedex Email Delivers Donuts!, (Fri, Feb 27th) - Imperative Business Ventures 
Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-1.png","datePublished":"2026-02-27T13:05:34+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-1.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260227-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/27\/fake-fedex-email-delivers-donuts-fri-feb-27th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Fake Fedex Email Delivers Donuts!, (Fri, Feb 27th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures 
Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=1593"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1593\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=1593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=1593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=1593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}