Hackers Used A Small Business’s Own Server To Spam 9 Million People With A Fake Boots Survey

A small UK business had its server secretly hijacked by cybercriminals who used it to fire off nearly nine million phishing emails impersonating Boots, and security researchers say the attackers went largely undetected because they never touched the victim’s data at all.

The story, uncovered by cybersecurity firm Huntress, offers a striking example of how sophisticated fraudsters operate today: renting other people’s infrastructure rather than building their own, and staying under the radar by avoiding the ransomware deployments that typically trigger alarms.

“The Devils” Get To Work

When Huntress installed its monitoring software on a client’s network on 15 May 2026, it had no idea it was stepping into an active intrusion. By the early hours of the following morning, analysts spotted an RDP login from Romania and started pulling on threads.

What they found was an attacker who had quietly set up shop on the company’s Windows terminal server, the machine staff used to remotely log in to work systems. The server’s web-based login portal had been left open to the internet, and after bombarding it with automated login tools, the attacker had found working credentials for one account. That was all they needed.

Inside the staging directory, Huntress found a project file called dracii.mmp, Romanian for “the devils”, alongside Gammadyne Mailer, an off-the-shelf bulk email application, and six lists of email addresses totalling 8,894,920 entries. The files had names containing the word “milk.”

Boots Customers In The Crosshairs

The campaign itself was a classic fake reward scam. Targets received emails purportedly from Boots, offering a free gift in return for completing a survey.

Click through, and victims were taken to a convincing phishing page, hosted not on the attacker’s own servers but on a Bolivian government website that had itself been compromised. The page was designed to harvest personal details and card numbers.

Huntress tipped off Bolivia’s national cybersecurity authority, which moved to take the malicious content down.

What This Means For Startups And SMEs

The victim here was a small organisation, just 25 machines, and the attackers showed no interest in its data whatsoever. That is the uncomfortable truth this case highlights: small businesses can be attractive targets not because of what they hold, but because of what their systems can do. A server with a decent internet connection and a poorly secured login page is a launchpad.

For any business running remote desktop services, the message from Huntress is blunt: put multi-factor authentication in place, stop exposing RDWeb portals directly to the internet, and consider whether your monitoring would catch an intruder who never makes a loud noise.
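As an added illustration of the quiet signal in this case (this is not Huntress's tooling or code from the original report), the Python sketch below flags a successful logon that follows a burst of failed logons from the same source address. The records are constructed samples shaped as (time, event ID, account, source IP), using Windows Security event IDs 4625 and 4624; the threshold, window, account names and addresses are assumed values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624  # Windows Security event IDs: failed / successful logon


def guessed_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Return successful logons preceded by at least `threshold` failures from
    the same source IP within `window`: the trace left when automated
    credential guessing finally hits a working password."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    hits = []
    for ts, event_id, account, src in sorted(events):
        fails = recent[src]
        while fails and ts - fails[0] > window:  # drop failures outside the window
            fails.popleft()
        if event_id == FAILED:
            fails.append(ts)
        elif event_id == SUCCESS and len(fails) >= threshold:
            hits.append((ts, account, src, len(fails)))
            fails.clear()  # report each burst once
    return hits


def at(hhmmss):
    # Constructed date; only the relative timing matters here.
    return datetime.fromisoformat(f"2026-01-01T{hhmmss}")


# Constructed sample records (documentation IP ranges, invented account names).
SAMPLE = [
    (at("02:00:05"), FAILED, "admin", "203.0.113.7"),
    (at("02:00:09"), FAILED, "reception", "203.0.113.7"),
    (at("02:00:14"), FAILED, "scanner", "203.0.113.7"),
    (at("02:00:20"), FAILED, "accounts", "203.0.113.7"),
    (at("02:00:26"), FAILED, "jsmith", "203.0.113.7"),
    (at("02:00:31"), SUCCESS, "jsmith", "203.0.113.7"),   # guessing succeeded
    (at("08:58:40"), FAILED, "akhan", "198.51.100.20"),   # ordinary typo
    (at("08:58:55"), SUCCESS, "akhan", "198.51.100.20"),
]

if __name__ == "__main__":
    for ts, account, src, n in guessed_logons(SAMPLE):
        print(f"{ts} {account} logged on from {src} after {n} failed attempts")
```

A slow guesser that spaces attempts beyond the window slips past this check, so it complements rather than replaces multi-factor authentication and removing the portal from direct internet exposure.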

The full research can be read here: https://www.huntress.com/blog/terminal-server-phishing-stager-exposed