Email “photo image message” from Vodafone contains trojan

MX Lab started to intercept a new trojan distribution campaign by email with the subject “photo message image 7U5JOYUXYZ” (note that the letter and number combination varies).

The email is sent from the spoofed address “”, or a similar one with “vodafone” in the domain, and has an empty body.

The attached ZIP file has the name and contains the 98 kB file photo.image.id_7LK096Y5TD.jpg.exe (note that the letter and number combination varies).

The trojan is known as Trojan/Win32.Inject, TR/Injector.hotj, Win32/TrojanDownloader.Wauchos.K, Trojan.Agent.BAAG, Win32.Heur.KVMF9.hy.(kcloud), Trojan-Ransom.Win32.Blocker.byxx or TSPY_ZBOT.LSJ.

At the time of writing, 17 of the 46 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: 08725bbbe998004f9c44da3bdbaa922e88e8e3a439a1b01dfaff43e906fdee2e.
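As an added example (not code from the MX Lab post), the following Python check applies the indicators above to a raw message at a mail gateway: the subject pattern, a sender with “vodafone” in the domain, an empty body, and a ZIP attachment holding a double-extension `.jpg.exe` executable. The sample message, its ZIP attachment and the sender address are constructed; the attachment payload is harmless filler, not the real file.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators from the campaign description; the alphanumeric suffix varies per sample.
SUBJECT_RE = re.compile(r"^photo message image [A-Z0-9]{6,}$", re.I)
MEMBER_RE = re.compile(r"^photo\.image\.id_[A-Z0-9]{6,}\.jpg\.exe$", re.I)
# Generic fallback: an "image/document" name ending in an executable extension.
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|png|gif|pdf|doc)\.(exe|scr|com|pif)$", re.I)


def build_sample_message(member_name="photo.image.id_7LK096Y5TD.jpg.exe"):
    """Constructed sample resembling the campaign (filler bytes, not the trojan)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 64)  # fake PE-looking header only
    msg = EmailMessage()
    msg["Subject"] = "photo message image 7U5JOYUXYZ"
    msg["From"] = "noreply@vodafone.example"  # hypothetical spoofed sender
    msg["To"] = "user@example.org"
    msg.set_content("")  # the campaign mails have an empty body
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photo.zip")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """Return the campaign indicators matched by a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        hits.append("subject-pattern")
    if "vodafone" in str(msg.get("From", "")).lower():
        hits.append("vodafone-sender")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() == "":
        hits.append("empty-body")
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/zip":
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for name in zf.namelist():
                    if MEMBER_RE.match(name):
                        hits.append("campaign-attachment")
                    elif DOUBLE_EXT_RE.search(name):
                        hits.append("double-extension")
        except zipfile.BadZipFile:
            hits.append("corrupt-zip")  # still worth quarantining for review
    return hits
```

A message scoring both the subject pattern and a matching ZIP member is a strong quarantine candidate; the generic double-extension rule catches renamed variants of the same lure.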