“Hello, stranger:” romance emails snare German victims in a malware trap

Think it’s love? Flirty emails in German are luring victims into downloading malware dressed up as a surprise suitable only for adults.
German speakers have been targeted in a recent cyberattack campaign. Romantic emails promising videos and images that revealed more than meets the eye turned out to be malicious.
This romance scam used a traffic distribution system (TDS) called Keitaro TDS to redirect victims to malicious domains. According to a Sublime report, the emails used language hinting at explicit content that would be revealed once the recipient clicked where instructed.
“Hello, stranger. I'm not the one who gives herself completely right away. But sometimes, there's the desire to be intensely felt,” an email would start.
“I've prepared a little package just for you,” would lead to a video preview page.
The typical flow was as follows: German speakers received emails containing two malicious links. One was embedded in the video preview image, and the other pointed to an archive file.
When the potential victim clicked either of them, the system first checked whether their location was in Germany. Once it confirmed that the person was indeed in Germany, a 300MB ISO file carrying the malicious payload was silently downloaded in the background from a Russia-based server.
The TDS made it possible for the scammers to target victims in specific regions, in this instance Germany, by checking each visitor's location at the moment of the click. Serving the payload only to that audience made the scam more effective.
The downloaded ISO file hid its true purpose, and it wasn't about romance or love. When opened, it created a drive containing a program called “lovely_photos.exe” and a text file with a password. Running the program required entering this password, which was “love,” as shown in the image above. After that, a hidden script launched a tool called AutoIt.
In this case, AutoIt was used to run a malicious script that tried to evade antivirus checks and set up a scheduled task named DragonMapper, which ensured the malware would run every time the computer started.
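As an added illustration (not part of the original article or the Sublime report), the following Python routine shows how a defender could flag the last two steps of this chain in endpoint telemetry: the AutoIt interpreter launched from a user-writable directory, and a scheduled task created either by an AutoIt parent or under the DragonMapper name. The Sysmon-style records, the drive letter, the user name and the script file name are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation records (not from the report);
# drive letter, user path and script name are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"E:\lovely_photos.exe", "cmdline": r"E:\lovely_photos.exe"},
    {"host": "ws01", "parent": r"E:\lovely_photos.exe",
     "image": r"C:\Users\anna\AppData\Local\Temp\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\anna\AppData\Local\Temp\stage2.a3x"},
    {"host": "ws01", "parent": r"C:\Users\anna\AppData\Local\Temp\AutoIt3.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn DragonMapper /sc onstart /tr "C:\Users\anna\AppData\Local\Temp\AutoIt3.exe stage2.a3x"'},
    # Benign task creation on another host, to show the rule does not fire on it.
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn BackupNightly /sc daily /tr "C:\Program Files\Backup\backup.exe"'},
]

# Directories a standard user can write to; a legitimate AutoIt install lives elsewhere.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
# Captures the task name from "schtasks /create /tn <name> ...".
TASK_NAME = re.compile(r'/tn\s+"?([^\s"]+)', re.I)


def detect(events):
    """Return one (host, rule, detail) alert per matching process-creation record."""
    alerts = []
    for ev in events:
        host, image, parent, cmd = ev["host"], ev["image"], ev["parent"], ev["cmdline"]
        # Rule 1: AutoIt interpreter started from a user-writable directory,
        # which is how the hidden script ran after lovely_photos.exe.
        if "autoit3" in image.lower() and USER_WRITABLE.search(image):
            alerts.append((host, "autoit_from_user_dir", image))
        # Rule 2: scheduled task created by an AutoIt parent, or using the
        # task name the report attributes to this campaign (DragonMapper).
        if image.lower().endswith("schtasks.exe") and "/create" in cmd.lower():
            match = TASK_NAME.search(cmd)
            name = match.group(1) if match else "?"
            if "autoit3" in parent.lower() or name.lower() == "dragonmapper":
                alerts.append((host, "suspicious_task_create", name))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```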
The report did not disclose why scammers decided to target German speakers specifically. As these attacks are still ongoing, the report also did not include information on how many people have fallen victim or how much money the scammers have earned.