On May 15, 2026, Huntress agents identified an intrusion involving the compromise of a terminal server used to stage a massive phishing campaign rather than ransomware deployment. The attacker utilized Gammadyne Mailer with a project file named 'dracii' and six recipient lists totaling 8,894,920 email addresses. Operating from Romanian IPs, the actor impersonated the UK pharmacy chain Boots via a fake customer satisfaction survey designed to steal personal and payment card information. The phishing kit was hosted on a compromised Bolivian government website (ipelc.gob.bo), which was reported to Bolivia's national CSIRT. The campaign used direct-to-MX delivery with 666 concurrent sending threads to bypass mail relays. Evidence indicates this Romanian operator has been conducting multiple UK-targeted campaigns since at least July 2025, rotating themes between retail, tax, and cryptocurrency.

The campaign aims to steal personal and payment card data from recipients by impersonating a trusted UK pharmacy chain. The use of a compromised government website for hosting and direct-to-MX delivery techniques increases the likelihood of successful phishing email delivery and victim interaction. The large scale of nearly 9 million targeted email addresses indicates significant potential exposure and data theft risk for affected individuals.

No official patch or fix applies as this is a phishing campaign leveraging compromised infrastructure and social engineering. Organizations should monitor for indicators of compromise such as the listed IP addresses, URLs, and domains. Users should be educated to recognize phishing attempts impersonating Boots or similar brands and avoid interacting with suspicious emails or links. The compromised Bolivian government website has been reported to the national CSIRT for remediation. Network defenses should consider blocking or scrutinizing traffic to the identified malicious infrastructure.