Fake “HMRC Employer Alerts & Verification” email contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “HMRC Employer Alerts & Verification”.

This email is sent from the spoofed address “HMRC <employers@alerts.hmrc.gov.uk>” and has the following body:

Thank you for your registration details which have been recorded for email alerts purposes only.

We expect to send you three email alerts a year – February, May and December.
These will give you the links to the latest Employer Bulletin and HMRC PAYE Tools (previously the Employer CD-ROM).

Please complete all relevant sections of the attached application form and attach the appropriate documents to confirm your identity.

** Do not reply to this email as this mailbox is unmonitored for incoming mail.

The attached ZIP file is named HMRC_35F218F904.zip and contains a 95 kB file named HMRC Employer Alerts & Verification_00FF8024957__randon_numbers__5324.pdf.

The trojan is known as

At the time of writing, 5 of the 49 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 0a69b4f91f7d4009f6ddc1fab07a0140b21badb80e778fede4fac91d3ca3de2c
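
A triage check built from the indicators in this write-up, as an added example that is not MX Lab's code: it matches the subject, the spoofed sender, the ZIP name and the SHA256 against a raw message without writing any attachment to disk. The `HMRC_<hex>.zip` pattern, the 20 MB member cap and the sample message are assumptions; the page does not say whether the SHA256 covers the ZIP or the file inside it, so both are hashed.

```python
import email, hashlib, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Indicators copied from the write-up above.
IOC_SUBJECT = "hmrc employer alerts & verification"
IOC_SENDER = "employers@alerts.hmrc.gov.uk"
IOC_SHA256 = "0a69b4f91f7d4009f6ddc1fab07a0140b21badb80e778fede4fac91d3ca3de2c"
# Assumption: the hex part of the ZIP name varies from message to message.
IOC_ZIP_NAME = re.compile(r"^HMRC_[0-9A-F]+\.zip$", re.I)
MAX_MEMBER = 20 * 1024 * 1024  # assumed cap: skip oversized members

def digests(data: bytes) -> set:
    """SHA256 of the attachment and of each ZIP member, read in memory only."""
    found = {hashlib.sha256(data).hexdigest()}
    if zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size <= MAX_MEMBER:
                        found.add(hashlib.sha256(zf.read(info)).hexdigest())
        except (RuntimeError, zipfile.BadZipFile):
            pass  # encrypted or corrupt archive: only the outer hash is usable
    return found

def triage(raw: bytes, ioc_sha256: str = IOC_SHA256) -> list:
    """Return which of the campaign's indicators a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if IOC_SUBJECT in str(msg["Subject"] or "").lower():
        hits.append("subject")
    if IOC_SENDER in str(msg["From"] or "").lower():
        hits.append("sender")
    for part in msg.iter_attachments():
        if IOC_ZIP_NAME.match(part.get_filename() or "") and "zip-name" not in hits:
            hits.append("zip-name")
        if ioc_sha256 in digests(part.get_payload(decode=True) or b"") and "sha256" not in hits:
            hits.append("sha256")
    return hits

def build_sample() -> bytes:
    """Constructed message: same headers as the campaign, ZIP holds harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.pdf", b"constructed benign content")
    m = EmailMessage()
    m["From"], m["Subject"] = "HMRC <employers@alerts.hmrc.gov.uk>", "HMRC Employer Alerts & Verification"
    m.set_content("constructed body")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="HMRC_35F218F904.zip")
    return m.as_bytes()
```

A hash hit alone is enough to quarantine; the header and file-name hits are weaker signals, since the sender is spoofed and later waves can change the wording.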

6 thoughts on “Fake “HMRC Employer Alerts & Verification” email contains trojan”

  1. For info: the email I received had slightly different wording: “Reply to this email as this mailbox is monitored for incoming mail.” Otherwise all other details were as you advise. Thank you for publishing this - my anti virus wouldn’t let me open it anyway - but it was still a relief that I didn’t have to waste time and energy trying to find out if it was important.

  2. Thank you for posting this. I did think that the email was suspicious, but I wasn’t certain. I just wanted confirmation that the email was indeed unsafe. Thank you.

  3. I received this and did not open the attachments. I did, however, foolishly reply to the email asking what it was about and why I had been sent this. Do you think I will now be at risk?
