
Operation Dragon's Toll Update: New Malware Campaign Using Fake Unsubscribe Links

This campaign cleverly bypasses user suspicion by weaponizing the "unsubscribe" link found in the footer of what appear to be generic marketing emails. The primary goal of this campaign seems to be installing information-stealing malware (infostealers) on the victim's device.

14th Command Team

December 10, 2025

Threat Intelligence & Attack Reports | Phishing & Social Engineering

As part of our ongoing Operation Dragon's Toll initiative, we are announcing the discovery of a widespread malware delivery campaign. This campaign cleverly bypasses user suspicion by weaponizing the "unsubscribe" link found in the footer of what appear to be generic marketing emails. The primary goal of this campaign appears to be installing information-stealing malware (infostealers) on the victim's device. Our investigation has traced a significant portion of the campaign's infrastructure to Bangladesh.

This attack is effective because it exploits a common user behavior, the desire to clean up one's inbox, and turns it into the vector for infection.


1. The victim receives a professionally written email that appears to be a standard marketing message for AI platforms, web development services, or even e-commerce products. The attackers impersonate well-known brands like DHL, Amazon, and Microsoft SharePoint to create a veneer of legitimacy. The email body itself is unremarkable and largely irrelevant; the true weapon is in the footer.

2. At the bottom of the email, a standard "Unsubscribe" or "Stop Receiving Emails" link is present. Annoyed by the unsolicited email, the user clicks this link, believing they are performing a routine action.

3. Our analysis shows the unsubscribe link is a sophisticated redirect. We have observed links pointing to decentralized storage networks (e.g., ...arweave.net/...). This makes the link harder to block, as the domain itself is part of a legitimate, distributed network.

4. Upon clicking, the user is taken to a generic but well-designed landing page. This page often includes logos from legitimate email marketing platforms (like Mailchimp) to appear trustworthy. A CSS-animated checkmark or progress bar appears with the text "Unsubscribing..."

5. While the fake animation plays, giving the user a false sense of security, a malicious file is automatically downloaded in the background. This "drive-by download" is the primary goal of the attack. The page then displays a "You have been unsubscribed successfully" message, and the user closes the window, often completely unaware that their device has just been compromised.

6. The downloaded file is an infostealer, a type of malware designed to silently harvest sensitive data from the victim's computer, including browser passwords, cookies, cryptocurrency wallet files, and financial information.


A significant cluster of the domains and hosting infrastructure used in this campaign has been traced to providers in Bangladesh, with exonhost.com being one of the identified hosts.

Similar to our previous findings, the root domains of the sender addresses are often generic (using dashes and numbers) and may host fake error pages to deter casual investigation, while the malicious scripts remain active.
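The attack chain and the infrastructure notes above together give a triage rule a mail gateway or analyst can apply before anyone clicks: flag unsubscribe links whose host is a decentralized storage gateway (arweave.net, as named in this report) or whose domain is unrelated to the sender's own domain. The Python below is an added example, not the report's tooling; the sample message, the `.example` domains and the `TXID_PLACEHOLDER` path are constructed, and the gateway list and two-label root-domain helper are simplifying assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Gateways the advisory names as unsubscribe-link targets (assumed list; extend as needed).
DECENTRALIZED_GATEWAYS = ("arweave.net",)
UNSUB_TEXT = re.compile(r"unsubscribe|stop receiving", re.I)
ANCHOR = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simple, not a full HTML parser

# Constructed sample message, not a real campaign artifact.
SAMPLE_EML = """\
From: "SEO Growth Team" <news@promo-mail-4471.example>
Subject: Boost your rankings with AI
Content-Type: text/html; charset=utf-8

<html><body><p>Grow your traffic with our AI platform.</p>
<p><a href="https://promo-mail-4471.example/offer">See plans</a></p>
<p><a href="https://gateway.arweave.net/TXID_PLACEHOLDER">Unsubscribe</a></p>
</body></html>
"""

def root_domain(host):
    """Crude registrable domain: last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def on_gateway(host):
    return any(host == g or host.endswith("." + g) for g in DECENTRALIZED_GATEWAYS)

def suspicious_unsubscribe_links(raw_eml):
    """Return (href, reason) for unsubscribe links matching the advisory's
    indicators: a storage gateway host, or a domain not owned by the sender."""
    msg = message_from_string(raw_eml)
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        for href, text in ANCHOR.findall(html):
            if not UNSUB_TEXT.search(re.sub(r"<[^>]+>", "", text)):
                continue  # only footer-style unsubscribe links are of interest here
            host = (urlparse(href).hostname or "").lower()
            if on_gateway(host):
                findings.append((href, "decentralized storage gateway"))
            elif root_domain(host) != root_domain(sender_host):
                findings.append((href, "unsubscribe domain differs from sender"))
    return findings
```

Because the rule looks only at the link target and the sender domain, it fires on the message itself and does not require visiting the landing page.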


Who Is At Risk?

This campaign is not targeted at a specific industry but is a wide-net operation. Anyone who receives email is a potential victim. The use of B2B service themes (AI, SEO) and major logistics/e-commerce brands (DHL, Amazon) suggests the attackers are hoping to infect both corporate and personal devices.

Our Recommendations

1. NEVER CLICK UNSUBSCRIBE ON UNTRUSTED EMAILS: If you do not recognize the sender or did not willingly subscribe to the list, do not interact with the email at all. Mark it as spam and delete it. Clicking "unsubscribe" only confirms to attackers that your email is active and vulnerable.

2. Disable Automatic Downloads: Configure your web browser to always ask where to save a file instead of downloading it automatically. This gives you a chance to cancel a malicious "drive-by download."

3. Use an Endpoint Security Solution: Modern antivirus and endpoint detection and response (EDR) tools are essential for detecting and blocking infostealer malware before it can execute.

4. Educate Your Team: This is a perfect example of a threat that bypasses technical filters and relies on social engineering. Share this advisory with your employees to ensure they understand this tactic, or, even better, let us share it with your team: book a threat brief here, or send us an email at partner@thebirdling.com.


The Ongoing Mission of Operation Dragon's Toll

This campaign is the second major tactic we've publicly disclosed under Operation Dragon's Toll. It simply shows that threat actors are constantly innovating and are now weaponizing even the most mundane user actions. We will continue our investigations and provide further updates.


Get the detailed technical report at research.thebirdling.com.
