Huntress researchers uncover a Romania-linked threat actor using a compromised UK business server as a phishing launchpad, with payload infrastructure hosted on a hacked Bolivian government site.
Cybersecurity firm Huntress has published a detailed incident response report exposing a sophisticated phishing operation in which threat actors hijacked a compromised terminal server to send nearly nine million fraudulent emails impersonating UK pharmacy chain Boots.
How the Attack Unfolded
The intrusion was discovered on 16 May 2026, just hours after a Huntress partner installed the company’s endpoint detection and response (EDR) agent on a small 25-endpoint client mid-incident. Within hours, Huntress’s 24/7 Security Operations Centre flagged a critical authentication alert tied to an RDP login originating from a Romanian IP address (212.93.152[.]37).
The victim organisation ran a Remote Desktop Session Host server, commonly called a terminal server, with its RDWeb Access portal exposed directly to the public internet. Analysis of IIS logs revealed the portal had been subjected to sustained credential-stuffing attacks: over 206,000 HTTP POST requests from more than 8,000 distinct IP addresses were recorded across a four-day window. Of those, just four login attempts succeeded, each tied to the same compromised domain account.
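The IIS log analysis described above (counting RDWeb login POSTs per source address and isolating the handful that succeeded) can be reproduced with a short parser. The following is an added example, not code from Huntress or from the report; the log excerpt is constructed, the IP addresses and account name are placeholders, and the success heuristic (a 302 redirect on the login POST followed by an authenticated request from the same address) is an assumption about default RDWeb forms-authentication behaviour rather than something the article states.

```python
"""Summarise POST traffic against the RDWeb login page in IIS W3C logs and
surface the few successful logins hidden inside a credential-stuffing flood.
Added example for illustration; the log lines below are constructed."""
from collections import Counter

LOGIN_PATH = "/RDWeb/Pages/en-US/login.aspx"

# Constructed IIS excerpt (not from the Huntress report). Column order follows
# the #Fields directive; addresses use documentation ranges, the account is a
# placeholder. IIS writes "-" for cs-username on unauthenticated requests.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus time-taken
2026-05-12 03:14:01 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 198.51.100.10 Mozilla/5.0 200 0 120
2026-05-12 03:14:02 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 198.51.100.10 Mozilla/5.0 200 0 118
2026-05-12 03:14:03 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.77 Mozilla/5.0 200 0 121
2026-05-12 03:14:04 10.0.0.5 GET /RDWeb/Pages/en-US/login.aspx - 443 - 192.0.2.200 Mozilla/5.0 200 0 30
2026-05-12 03:14:05 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 192.0.2.200 Mozilla/5.0 302 0 95
2026-05-12 03:14:06 10.0.0.5 GET /RDWeb/Pages/en-US/Default.aspx - 443 CORP\\jsmith 192.0.2.200 Mozilla/5.0 200 0 40
2026-05-12 03:14:07 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.78 Mozilla/5.0 200 0 119
"""


def parse_iis_log(text):
    """Return one dict per request line, keyed by the names in #Fields."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the lines that follow
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def _is_login_post(rec, login_path):
    return rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == login_path.lower()


def summarise_rdweb_logins(records, login_path=LOGIN_PATH):
    """Count login POSTs per source IP and list the ones that succeeded.

    Success heuristic (assumption): RDWeb answers a correct forms login with a
    302 to the ReturnUrl, and the next request from that address carries the
    authenticated account in cs-username. A failed login re-renders the page
    with a 200 and no username.
    """
    posts = [r for r in records if _is_login_post(r, login_path)]
    per_ip = Counter(r["c-ip"] for r in posts)
    successes = []
    for i, rec in enumerate(records):
        if not _is_login_post(rec, login_path) or rec["sc-status"] != "302":
            continue
        account = "-"
        for later in records[i + 1:]:
            if later["c-ip"] == rec["c-ip"] and later["cs-username"] != "-":
                account = later["cs-username"]
                break
        successes.append({"time": f'{rec["date"]} {rec["time"]}',
                          "ip": rec["c-ip"], "account": account})
    return {
        "total_posts": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "top_ips": per_ip.most_common(5),
        "successes": successes,
    }


def looks_like_credential_stuffing(summary, min_posts=1000, min_ips=100):
    """Alert condition: a high POST volume spread over many source addresses.
    Thresholds are illustrative; tune them to the portal's normal traffic."""
    return summary["total_posts"] >= min_posts and summary["distinct_ips"] >= min_ips


if __name__ == "__main__":
    result = summarise_rdweb_logins(parse_iis_log(SAMPLE_LOG))
    print(f'{result["total_posts"]} login POSTs from {result["distinct_ips"]} addresses')
    for hit in result["successes"]:
        print(f'successful login at {hit["time"]} from {hit["ip"]} as {hit["account"]}')
```

Run against a real RDWeb log directory, the successes list is the set of events to pivot on (which account, which source address, and what that address did next), while the POST volume and distinct-IP count give the alerting signal that a portal is under a distributed password attack.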
Phishing Infrastructure Revealed
Rather than deploying ransomware or exfiltrating the victim’s own data, the attacker repurposed the compromised server as a phishing launchpad. Huntress recovered the full staging directory, which contained a legitimate bulk email application called Gammadyne Mailer, a project file named dracii.mmp (Romanian for “the devils”), and six target lists collectively holding 8,894,920 email addresses. All six list filenames contained the word “milk.”
The phishing emails impersonated Boots with a fake “free gift” survey lure, designed to harvest victims’ personal details and payment card data. The malicious payload was not hosted on the actor’s own infrastructure but on a compromised Bolivian government website – ipelc.gob[.]bo – serving a Boots-branded phishing kit from a directory labelled /boots_store/.
Coordinated Disclosure
Following its investigation, Huntress notified Bolivia’s national computer security incident response team, the Centro de Gestión de Incidentes Informáticos (CGII), which operates under the Bolivian state ICT agency AGETIC, alerting them that the government domain had been hijacked as a payload host.
Security Implications
The case illustrates a growing trend in which threat actors deliberately avoid deploying noisy ransomware, instead monetising access by leveraging compromised infrastructure for large-scale phishing. The use of legitimate bulk email software, a government-hosted payload, and a well-known UK brand as a lure demonstrates a multi-layered approach designed to evade detection at multiple stages.
Security professionals are advised to avoid exposing RDWeb portals directly to the internet without additional controls such as multi-factor authentication, VPN gating, or IP allowlisting.