Categories: PhishingRansomware

Hackers Delivered a Lockbit Ransomware Through Fake Copyright Claim E-mail

One of the interesting tricks used by LockBit affiliates is disguising their malware as copyright claims in order to trick users into infecting their devices with ransomware.

There is a copyright violation notice sent through email to these users, apparently containing information that they are using media files without permission from the creators. 

It is because of such emails that recipients are urged to remove content that they consider infringing on their websites.

Technical Analysis

Cybersecurity researchers at South Korean security firm, AhnLab identified the emails, but they were unable to determine which files were being unfairly used in the body of the emails. 

The recipient should instead be asked to open and download the attached file in order to view the content deemed infringing. The email attachment sent by the threat actors is a ZIP archive and this ZIP archive is password protected. 

While this ZIP file contains a compressed file that contains a copy of a PDF document which is actually an NSIS installer that is disguised as a PDF document.

This is done for the purpose of evading detection from email security software, which is why there is mandatory wrapping and password protection.

An encrypted file has an extension called .lockbit and has an icon that indicates its encryption status. Furthermore, the folder with the encrypted files has a ransom note named ‘Restore-My-Files.txt’ created inside of it.

Fake Copyright Claims

It is possible for a victim to view what images are being used illegally by simply opening the document intended to be a PDF attached to the email. If they open it, the malware will be loaded and the LockBit 2.0 ransomware will be used to encrypt the device.

In any case, you need not be surprised by LockBit using copyright violations as a tactic for malware distribution. Since it is a common lure that is used nowadays in several malware distribution campaigns.

Publishers of content should seriously consider this issue of copyright claims if they want to avoid legal issues in the future. 

If the notification doesn’t give you any concrete details about the violation or you are required to open attached files in order to view details in the complaint, then it is unlikely that it is a legitimate notice.

Users may run attached files without realizing they have done it, as e-mails distributing malware types like this may contain the name of the actual illustrator, whose work they are viewing. Therefore, users should be very cautious when they are downloading such attachments.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Evertz SDN Vulnerabilities Enable Unauthenticated Arbitrary Command Execution

A newly disclosed critical vulnerability (CVE-2025-4009) in Evertz’s Software Defined Video Network (SDVN) product line…

5 minutes ago

Russian APT28 Hackers Attacking NATO-aligned Organizations to Steal Sensitive Data

Russia’s GRU-backed APT28, widely known as Fancy Bear, has intensified its cyber espionage campaign against…

12 minutes ago

XenServer Windows VM Tools Flaw Enables Attackers to Run Arbitrary Code

Citrix has issued a high-severity security bulletin addressing multiple vulnerabilities—CVE-2025-27462, CVE-2025-27463, and CVE-2025-27464—affecting XenServer VM…

23 minutes ago

Threat Actors Weaponize Fake AI-Themed Websites to Deliver Python-based infostealers

Mandiant Threat Defense has uncovered a malicious campaign orchestrated by the threat group UNC6032, which…

37 minutes ago

Zscaler to Acquire Red Canary, Enhancing AI-Powered Security Operations

Zscaler, Inc. (NASDAQ: ZS), the global leader in cloud security, has announced a definitive agreement…

49 minutes ago

251 Malicious IPs Target Cloud-Based Device Exploiting 75 Exposure Points

On May 8, 2025, cybersecurity researchers at GreyNoise detected a highly orchestrated scanning operation targeting…

1 hour ago