A digital security company has identified a malicious spam campaign created to spread BluStealer, a type of malware designed to steal cryptocurrencies such as Bitcoin, Ethereum, Monero, and Litecoin. Avast Threat Intelligence researchers have discovered a spike in malware activity this month that uses the platform of two major companies, DHL shipping and Mexican company General de Perfiles.

Avast has tracked and subsequently blocked around 12,000 malicious emails that have distributed BluStealer. The countries that have primarily been affected by the malware are Turkey, the US, the UK, Italy, Greece, Spain, the Czech Republic, Romania and Argentina. In the latter, around 720 malicious emails were traced.

The illegal campaign mimics the design of the mail that DHL sends to its clients in order to generate in the potential victim a false sense of security. The email informs the recipient that a package has been presented to the individual’s office since contact with the individual wasn’t possible. That person is asked to fill out an attached form to reschedule the delivery but, when he or she opens the attachment, the BluStealer installation is activated.

In the case of General de Perfiles, the people targeted by the campaign receive information by email that they have paid excess invoices and that a credit has been saved for them that will be charged to their next purchase. Like the DHL campaign, the Profile General message includes the malicious BluStealer attachment.

Completing the installation, even if it is in this case unconsciously, opens the door for the theft of information, data on cryptocurrency wallets, private keys and credentials. It can cause the person to completely lose access to their savings. Users of emails that claim to include shipping invoices or credit notes are advised not to open attachments in unexpected or unreliable messages.