CloudSEK flags a Ramadan malware campaign targeting Middle East shoppers

CloudSEK says it has spotted a Ramadan-themed malware campaign going after shoppers in the Middle East with fake coupon offers that impersonate familiar retailers. Victims are nudged into opening a booby-trapped Word document and enabling macros; from there, attackers deploy a remote-access trojan that can steal files, take screenshots and run commands — then quietly upload the haul using AWS S3 links that can look like normal cloud traffic.

The report describes a ‘living-off-the-land’ playbook: instead of dropping an obvious malicious executable, the chain relies on legitimate Windows and .NET utilities (compiler and build tools) to assemble and run code on the machine. That’s a useful trick for attackers because many security products are less suspicious of system binaries than of random downloads.

CloudSEK says the lure is heavily localized, using Arabic messaging and seasonal shopping behavior to boost clicks. The company also points to indicators defenders can hunt for, like unusual Office-to-compiler process chains and unexpected outbound S3 upload activity from non-browser apps.
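The two hunting indicators described above, sketched as detection logic over constructed process and network events. This is an added example, not code from CloudSEK's report; the binary names (csc.exe, vbc.exe, msbuild.exe), the event field names and the upload threshold are assumptions.

```python
import ntpath

# Assumed name lists and threshold (not from the CloudSEK report); tune locally.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
BUILD_TOOLS = {"csc.exe", "vbc.exe", "msbuild.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
UPLOAD_BYTES = 100_000

def base(path):
    return ntpath.basename(path).lower()

def is_s3_host(host):
    # bucket.s3.amazonaws.com, s3.<region>.amazonaws.com, bucket.s3.<region>...
    labels = host.lower().rstrip(".").split(".")
    return labels[-2:] == ["amazonaws", "com"] and "s3" in labels[:-2]

def office_ancestor(pid, procs):
    # Walk parent links so winword -> cmd -> csc is caught, not just direct children.
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs and base(procs[pid]["image"]) in OFFICE:
            return base(procs[pid]["image"])
    return None

def hunt(events):
    procs, alerts = {}, []
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev  # simplification: ignores PID reuse
            office = office_ancestor(ev["pid"], procs)
            if office and base(ev["image"]) in BUILD_TOOLS:
                alerts.append(("office_to_build_tool", office, base(ev["image"])))
        elif ev["type"] == "network":
            image = base(procs.get(ev["pid"], {}).get("image", "unknown"))
            if ev["bytes_out"] >= UPLOAD_BYTES and is_s3_host(ev["host"]) and image not in BROWSERS:
                alerts.append(("s3_upload_non_browser", image, ev["host"]))
    return alerts

# Constructed sample events (hypothetical paths, PIDs and bucket name).
SAMPLE = [
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Office\WINWORD.EXE"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\csc.exe"},
    {"type": "process", "pid": 500, "ppid": 300, "image": r"C:\Temp\out.exe"},
    {"type": "process", "pid": 600, "ppid": 100, "image": r"C:\Apps\chrome.exe"},
    {"type": "network", "pid": 600, "host": "example.s3.amazonaws.com", "bytes_out": 900000},
    {"type": "network", "pid": 500, "host": "example.s3.me-south-1.amazonaws.com", "bytes_out": 900000},
]
```

Calling `hunt(SAMPLE)` returns one alert for the Word-to-compiler chain and one for the non-browser S3 upload; the browser's S3 traffic is not flagged.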

Why this matters

Holiday and seasonal promos are catnip for scammers, and the Middle East’s Ramadan shopping surge is no exception. If you get an unsolicited ‘voucher’ attachment, treat it like a trap: don’t enable macros, don’t override security warnings, and verify offers through official apps or domains.

For retailers, this kind of campaign is brand damage in disguise. The more clearly you communicate where legitimate discounts live — and how you will never send coupon attachments — the less room criminals have to weaponize your logo.

CloudSEK is a cybersecurity company that publishes threat intelligence research and incident analysis.