

A massive wave of phishing emails purportedly sent by bailiffs has hit dozens of companies and citizens in the Russian Federation, cybersecurity experts told Izvestia; the Federal Bailiff Service (FSSP) confirmed this. The attackers disguise the malicious emails as official notifications from a Moscow interdistrict bailiff department. Each message carries an archive; launching the executable inside it installs a remote-access Trojan that gives the attackers a foothold on both corporate and personal machines. The Trojan silently records every keystroke on the victim's device, handing the attackers passwords and banking data. For the other schemes scammers are using, see the Izvestia article.
How attackers operate under the guise of bailiffs
Cybersecurity experts have recorded a new, powerful wave of phishing against Russian companies that delivers the DarkWatchman remote access Trojan (RAT). Malicious emails disguised as official notifications from a Moscow interdistrict bailiff department were received by several dozen organizations in different regions, experts from the Solar 4RAYS cyber threat research center of Solar Group told Izvestia.
The surge was recorded at the end of February using a network of sensors and honeypots (decoy systems that attract and record attacks): the number of connections to the DarkWatchman command-and-control server rose almost fivefold. The current phishing wave delivering this malware is the most powerful since the beginning of the year.
The Federal Bailiff Service also reported an increase in deception attempts by fraudsters posing as bailiffs.
"In their criminal activities they use fake notifications and mass mailings of phishing emails. The FSSP of Russia draws attention to the fact that bailiffs do not call via messenger apps, do not send SMS messages, and do not use e-mail for official notifications," the department's press service told Izvestia.
Russian companies first encountered DarkWatchman RAT in 2021. Since then, the attackers have periodically run similar campaigns, changing the pretext and the email templates while improving the malware. Recent changes make the program harder for antivirus tools to detect and more difficult to analyze.
"Despite their apparent simplicity, such malware poses a serious threat to corporate and personal cybersecurity," said Ivan Timkov, an expert at the center.
For example, this time the attackers used reflective DLL loading: the malicious DLL is mapped into memory by the malware's own loader instead of being written to disk and loaded through the Windows loader, so the payload leaves no file on disk and is harder for endpoint security agents to catch. The initial executable unpacked from the archive does still touch disk, so file-based detections have to catch that first stage, while the payload itself can only be found in memory.
In the new mailing, the attackers disguised their email as official notifications from the Interdistrict Bailiff Department for the Enforcement of Decisions of the Moscow City Tax Authorities. All emails were sent from a spoofed sender address. Each message carried an archive named "Writ of Execution No. 27186421-25 from <date>.zip", and the archive contained an executable file that, when launched, installed DarkWatchman RAT on the victim's host.
"The main function of this Trojan is a keylogger, which silently captures every keystroke on the victim's keyboard, allowing the attackers to obtain passwords, banking data and other sensitive information," the expert added. "DarkWatchman also has backdoor capabilities: it lets the criminals remotely control infected systems, download new files and execute various commands."
The attacks were also confirmed by Georgy Kucherin, an expert at Kaspersky GReAT. Such emails were sent to about a hundred organizations in February and March 2025.
"We have been seeing similar emails from bailiffs distributing DarkWatchman RAT for several years now," he said, "at least since 2022: the emails discovered a few years ago used the same bailiff's name as in 2025."
What schemes do scammers use?
The Coordination Center for the .RU/.РФ top-level domains reported that such attacks are not recorded in the Runet zone: "the scammers probably use e-mail addresses in domains of other zones for this."
The center recalled that this malware has repeatedly been used to attack Russian citizens and companies: in 2023, DarkWatchman RAT was distributed via phishing emails disguised as mobilization orders, and last year it was passed off as a request for accounting or tax documents.
Watch Wolf has become one of the groups distributing this malware, Oleg Skulkin, head of BI.ZONE Threat Intelligence, told Izvestia. These are financially motivated attackers whose goal is to gain access to the financial assets of a compromised organization.
"Watch Wolf actively uses phishing mailings to deliver malware," the expert said. "The attackers use topical subject lines: 'Change of email address', 'Life insurance contract', 'Notice of the end of the free storage period', 'Writ of Execution', and so on."
In addition to email campaigns, the group poisons search results: criminals lure employees of organizations to phishing sites, for example ones offering accounting documents, where instead of the needed files the victim downloads malware.
Despite an overall decrease in the amount of abuse on the Runet, phishing remains the main cyber threat, said Evgeny Pankov, a data analyst at the Coordination Center. Within the Domain Patrol project, it accounts for about 80% of requests from competent organizations to registrars.
"Currently the most popular schemes are aimed at hijacking accounts in Telegram and WhatsApp (owned by Meta, which is recognized as extremist and banned in Russia. — Ed.)," he noted. "Scammers create phishing pages that mimic the messenger's login forms and, under various pretexts, persuade the user to enter a username and password."
After gaining access to the account, they message its contact list, for example asking the contacts to lend them money or to collect payments supposedly due from the state.
In addition to emails purportedly from bailiffs, the attackers distributing DarkWatchman RAT also sent emails in February and March 2025 containing what purported to be settlement requests, Georgy Kucherin added. The text of such an email states that the request comes from a company operating in the defense industry.
"A password-protected archive is attached to this email. Example of the name: 'Doc-you're on the bill ФЕВРАЛЬ-МАРТ.гаг', as indicated in the text of the letter," the expert warned. "The archive itself contains an executable file, which installs DarkWatchman RAT on the infected computer."
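Both mailings described above rely on the same trick: an archive whose name looks like a court or accounting document but which holds a Windows executable, in the second case behind a password given in the email body. The following Python script is an added example of the triage a mail gateway or analyst could apply to such attachments; it is not code from the article or from any of the vendors quoted. It builds a constructed sample message (placeholder file number, a member that carries only the "MZ" magic rather than a real program, placeholder domains) and flags executable members, double extensions, PE headers and password-protected members. It handles zip archives only; the RAR-style archive in the second mailing would need a RAR parser.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click (assumed list for the example).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                       ".js", ".jse", ".vbs", ".vbe", ".hta", ".dll", ".lnk"}


def _suffixes(name):
    """Extensions of a file name: 'a.pdf.exe' -> ['.pdf', '.exe'].
    Dot-separated tokens that are not plain alphanumerics, or that are purely
    numeric ('No. 123-45', dates such as '01.03.2025'), are not extensions."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:] if p.isalnum() and not p.isdigit()]


def inspect_zip(data):
    """Return a list of findings for one zip archive given as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid zip archive"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            sfx = _suffixes(name)
            if sfx and sfx[-1] in EXECUTABLE_SUFFIXES:
                findings.append(f"executable member: {name}")
                if len(sfx) >= 2:
                    findings.append(f"double extension: {name}")
            if info.flag_bits & 0x1:
                # Encrypted member: contents cannot be read without the password
                # from the email body, which is itself a strong signal.
                findings.append(f"password-protected member: {name}")
                continue
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":   # DOS/PE executable magic
                    findings.append(f"PE (MZ) header: {name}")
    return findings


def triage_message(raw):
    """Map each attachment file name to its findings; zips are opened, bare executables flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        sfx = _suffixes(filename)
        if payload[:2] == b"PK":          # zip magic, whatever the declared MIME type
            report[filename] = inspect_zip(payload)
        elif sfx and sfx[-1] in EXECUTABLE_SUFFIXES:
            report[filename] = ["bare executable attachment"]
    return report


def build_sample_message():
    """Constructed sample: a zip named like a writ of execution that holds an
    'executable' (MZ magic plus padding, not a real program). Number and domains are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Writ of Execution No. 00-00.pdf.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "notice@bailiffs.example"
    msg["To"] = "accounting@victim.example"
    msg["Subject"] = "Writ of Execution No. 00-00"
    msg.set_content("Please review the attached writ of execution.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Writ of Execution No. 00-00.zip")
    return bytes(msg)


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_message()).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The script keys on content (the "PK" and "MZ" magic bytes) rather than on the declared MIME type or file name, because the mailings deliberately choose names that look like documents; the encrypted-member check is what catches the password-protected variant, since its contents cannot be scanned at all without the password from the email.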
How to interact with bailiffs
To prevent infection by DarkWatchman RAT and similar malware and to stop an attack from developing further, the experts recommend regular cybersecurity training for employees and email protection solutions that keep phishing emails from reaching the end user.
The FSSP recommends being vigilant when receiving such electronic messages: do not click on links, do not download unknown files, do not hand over personal data to fraudsters, including bank card and account details, and do not carry out any financial transactions they demand.
"To avoid fraudulent actions, it is necessary to check emails that contain calls to action, for example: open, read, review, as well as those on topics related to debts, finances and banks," the department said. "For safe work with e-mail, the FSSP does not recommend following links if they are long or created using link-shortening services: bit.ly, tinyurl.com and the like. Users should not click on links from the email if they have been replaced with words, nor hover over them with the mouse to view the full address of the sites."
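The FSSP advice above (shortened links, unusually long links, and links whose visible text hides or misrepresents the destination) can be turned into an automated check on an email's HTML body. The following Python snippet is an added example, not the FSSP's or the article's code; the shortener list, the length threshold and the sample HTML are assumptions constructed for the example, and all domains in it are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of link-shortening hosts: bit.ly and tinyurl.com are the ones the FSSP
# names, the others are common shorteners added for the example.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
LONG_URL_THRESHOLD = 120  # assumed cut-off for a "long" link


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Host part of a URL or bare domain, lower-cased; '' if none."""
    url = value if "://" in value else "http://" + value
    return (urlparse(url).hostname or "").lower()


def check_links(html):
    """Return one dict per link with the real host and the reasons it is suspicious."""
    parser = _LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = _host(href)
        reasons = []
        if host in SHORTENER_HOSTS:
            reasons.append("link shortener")
        if len(href) > LONG_URL_THRESHOLD:
            reasons.append("unusually long URL")
        # Visible text that itself looks like a domain or URL must match the real destination.
        looks_like_url = "." in text and " " not in text
        text_host = _host(text) if looks_like_url else ""
        if text_host and text_host != host:
            reasons.append(f"visible text shows {text_host} but link goes to {host}")
        if not looks_like_url:
            reasons.append("destination hidden behind words")
        results.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return results


# Constructed sample body modelled on the lure in the article; every domain is a placeholder.
SAMPLE_HTML = """
<p>Enforcement proceedings have been initiated against you.
   <a href="https://bit.ly/3xAbCdE">View the writ of execution</a></p>
<p>Check your debts at <a href="http://bailiffs-online.example/debts">bailiffs.example</a></p>
<p>Official site: <a href="https://bailiffs.example/">https://bailiffs.example/</a></p>
"""

if __name__ == "__main__":
    for link in check_links(SAMPLE_HTML):
        print(link["href"], "->", link["host"], link["reasons"] or "ok")
```

The mismatch check is the one that matters most for the lookalike sites the FSSP describes: a link whose visible text reads as the official domain but whose real host differs, even by one character, is reported with both hosts side by side so a reader can compare them.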
In addition, you should carefully check the addresses of the official websites of the FSSP of Russia and its territorial bodies to avoid landing on fake sites that offer to check whether you have debts. Fake sites can copy the design of the department's official website and the interface of its "Database of Enforcement Proceedings" service.
"Discrepancies between the official and fake addresses may be minimal and may differ by a single character," the press service stressed. "Notification of the initiation of enforcement proceedings is sent to citizens by post or to their personal account on the public services portal."
Reliable information about debts can be obtained from the "Database of Enforcement Proceedings" on the official website or in the FSSP app, as well as through the public services portal, the department recalled. An existing debt can be paid only through the portal or by generating a payment receipt and paying it at any credit institution.
Translated by the Yandex Translate service.