A fake email pretending to be a receipt from Avast tricked users into downloading malware. Once installed, it gave attackers full remote access to victims' computers.

Who was behind the attack?

While not confirmed, the tactics closely resemble those used by a known group called MuddyWater, which has previously targeted organizations in the Middle East, including Israel.

What was the goal of the attack?

The attackers aimed to gain long-term access to computers for spying, data theft, and control. They used trusted tools to avoid detection.

How many people or companies were affected?

The campaign is still being investigated, but at least three phishing emails were identified in one week, indicating multiple targeted individuals or businesses.

The campaign appears focused on Israeli users—both individuals and organizations—especially in industries like real estate and commercial sectors.

How did the attack work?

Victims received realistic-looking emails about a fake antivirus purchase. Clicking the link downloaded malware disguised as a legitimate program. Once installed, it secretly gave hackers control of the system.

Why would someone target Israel?

Israel is a frequent target for cyber espionage due to its advanced technology sector and geopolitical significance. This attack likely had strategic motives.

What should people do to protect themselves?

Always verify suspicious emails, especially involving payments or security software. Use antivirus tools, update your systems regularly, and avoid installing remote access tools without IT approval.

Is this a widespread threat or a focused one?

This appears to be a targeted campaign, not a global outbreak. The attackers were deliberate in choosing Israeli targets and tailored their approach accordingly.

Threats Feed|MuddyWater|Last Updated 02/05/2025|AuthorCertfa Radar|Publish Date28/04/2025

Avast-Themed Phishing Campaign Targets Israeli Businesses with ScreenConnect RAT

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Dropper,RAT,Phishing,Spear Phishing
Attack Complexity: Medium
Threat Risk: Unknown

Threat Overview

A phishing campaign impersonating Avast targeted Israeli individuals and businesses—likely in the real estate and commercial sectors—through fraudulent antivirus receipts containing malware download links. The attack used multiple URL redirections and GitHub for payload delivery, culminating in the stealthy installation of the legitimate remote access tool ScreenConnect. Once installed, the malware achieved persistence via Windows services, modified authentication packages to access credentials, and established encrypted command and control connections. Evidence suggests similarities with tactics used by the MuddyWater APT group, though attribution remains inconclusive. The campaign’s infrastructure and system language checks confirm its Israeli focus.

Reference and Credit: Maor Dayan - April 2025

Unmasking Avast-Themed Malware Operation

Detected Targets

Type	Description	Confidence
Sector	Real Estate	High
Region	Israel	Verified

Extracted IOCs

8objp.bemobtrk[.]com
links.ravsend.co[.]il
screen.nadlan[.]center
screen.solandalucia-carcosmetics[.]com
notification-emails.avast.com@oosthoutnetwork[.]nl
receipt@avast-billing[.]com
0b23ac3dc2b9c49944ce7c9c405ed501
14b3201e37d5af8cbc6dbf810855f6c8
1db8b9fa0bdcbfaab807f715c288c19a
5adcb5ae1a1690be69fd22bdf3c2db60
752d5cdda2a1d93d27e38f98a5d23fc2
7ee2543520d72fd54827f3d11a21ef8d
94216eb90ca53fbb175f0ee6adbfb663
9562334dd9a47ec1239a8667ddc1f01c
a81497b417d4f67ea6cab399bd3a71f8
4c9d0de6a87f9d46cc475c572ff890d4f81bb242
5e2071a1da17233d69b0eb03d16f18b91d222a2e
2ba3b56e91b74eec4908a234ce652d50615b52b527430ad0be35cb53acc6eaf4
5f8ac3ecc4f610e26e3805196f43322f60875b6983bebc513a82a0f570db9d32
79[.]127.221.55
82[.]165.164.194
hxxps://8objp.bemobtrk[.]com/go/aa19f9ca-80da-4651-a132-bffe291ed419
hxxps://links.ravsend.co[.]il/?lid=38192499&sid=633243153

download

Tip: 23 related IOCs (2 IP, 4 domain, 2 URL, 2 email, 13 file hash) to this threat have been found.

FAQs

Understanding the Avast-Themed Malware Campaign

: A fake email pretending to be a receipt from Avast tricked users into downloading malware. Once installed, it gave attackers full remote access to victims' computers.
: While not confirmed, the tactics closely resemble those used by a known group called MuddyWater, which has previously targeted organizations in the Middle East, including Israel.
: The attackers aimed to gain long-term access to computers for spying, data theft, and control. They used trusted tools to avoid detection.
: The campaign is still being investigated, but at least three phishing emails were identified in one week, indicating multiple targeted individuals or businesses.
: The campaign appears focused on Israeli users—both individuals and organizations—especially in industries like real estate and commercial sectors.
: Victims received realistic-looking emails about a fake antivirus purchase. Clicking the link downloaded malware disguised as a legitimate program. Once installed, it secretly gave hackers control of the system.
: Israel is a frequent target for cyber espionage due to its advanced technology sector and geopolitical significance. This attack likely had strategic motives.
: Always verify suspicious emails, especially involving payments or security software. Use antivirus tools, update your systems regularly, and avoid installing remote access tools without IT approval.
: This appears to be a targeted campaign, not a global outbreak. The attackers were deliberate in choosing Israeli targets and tailored their approach accordingly.

About Affiliation

MuddyWater

Associate threats