
Wildberries, Russia’s largest online marketplace, in collaboration with Russ, has successfully disrupted a sophisticated fraud operation involving malware-laden attachments distributed via messaging platforms. The scheme, which targeted unsuspecting users with fake photo archives, enabled attackers to hijack devices and make unauthorized purchases on Wildberries accounts. Security teams blocked 99.9% of fraudulent transactions, preventing losses exceeding 15 million RUB (≈$163,000). [1, 2]
TL;DR: Key Findings
- Attack Vector: Malicious .APK/.ZIP files disguised as photos (“Is this you?”) sent via Telegram/WhatsApp.
- Malware Function: Remote Access Trojans (RATs) enabling unauthorized Wildberries purchases.
- Impact: ~2,000 potential victims; 15M RUB theft prevented by AI filters. [3]
- New Trends: Fraudsters now use fake death notices and insurance scams to distribute malware. [4]
Technical Analysis of the Attack Chain
The attackers employed a multi-stage infection process. Victims received messages containing archives (e.g., “photos.zip”) with executable payloads. Once opened, the malware—identified as a variant of the Mamont trojan—granted attackers:
| Capability | Impact |
|---|---|
| Remote device control | Enabled fraudulent Wildberries purchases via compromised sessions |
| SMS interception | Bypassed 2FA by capturing OTP codes |
| Contact list access | Propagated malware to new victims via Telegram |
Wildberries’ AI systems detected anomalous purchase patterns, including rapid bulk orders of high-value electronics. Igor Somov, Head of Trust & Safety at Wildberries, stated:
“The malware specifically targeted devices with weak lock-screen security, allowing attackers to manipulate active sessions.”
Broader Threat Landscape
Parallel campaigns were observed using:
- Fake death notices: APK files labeled “Last_Photos.apk” containing spyware. [4]
- Insurance scams: Urgent messages prompting downloads of fraudulent “policy renewal” apps.
The Russian Ministry of Internal Affairs issued warnings about file extension mismatches, noting:
“Legitimate photos/videos never use .APK or .EXE extensions.”
Mitigation Strategies
For organizations handling Russian e-commerce traffic:
- Transaction monitoring: Implement AI to flag bulk purchases from new devices.
- User education: Train staff to recognize social engineering lures in Russian-language messages.
- Device binding: Enforce hardware-based session validation for high-risk transactions.
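The first and third mitigations (transaction monitoring and device binding) can be combined into one rule: a device that the account has never verified places a burst of high-value orders within a short window. The Python below is an added example written for this article, not Wildberries' detection system; the order log, the device-binding store and the thresholds are all constructed and assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed order log (not Wildberries data): one order per line, amounts in RUB.
SAMPLE_LOG = """\
2025-03-01T09:00:00 acct=u100 device=d-aaa category=apparel amount=2500
2025-03-01T09:05:00 acct=u100 device=d-aaa category=home amount=1800
2025-03-02T14:00:00 acct=u200 device=d-bbb category=electronics amount=45000
2025-03-02T14:02:00 acct=u200 device=d-bbb category=electronics amount=52000
2025-03-02T14:03:30 acct=u200 device=d-bbb category=electronics amount=61000
2025-03-02T14:06:00 acct=u200 device=d-bbb category=electronics amount=39000
2025-03-03T10:00:00 acct=u300 device=d-ccc category=electronics amount=48000
2025-03-04T11:00:00 acct=u300 device=d-ccc category=electronics amount=50000
"""

# Assumed device-binding store: devices each account has previously verified.
KNOWN_DEVICES = {"u100": {"d-aaa"}, "u200": {"d-old"}, "u300": {"d-ccc"}}

# Rule thresholds (assumed values for the example, not the marketplace's own).
HIGH_VALUE_CATEGORIES = {"electronics"}
WINDOW = timedelta(minutes=10)
MIN_ORDERS = 3
MIN_TOTAL_RUB = 100_000


def parse_order(line: str) -> dict:
    """Parse one 'timestamp key=value ...' log line into a record."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["amount"] = int(rec["amount"])
    return rec


def detect_bulk_orders(log: str, known_devices: dict) -> list[dict]:
    """Flag (account, device) pairs where an unverified device places a burst
    of high-value orders inside WINDOW. Returns at most one alert per pair."""
    by_pair = defaultdict(list)
    for line in log.strip().splitlines():
        rec = parse_order(line)
        by_pair[(rec["acct"], rec["device"])].append(rec)

    alerts = []
    for (acct, device), orders in by_pair.items():
        if device in known_devices.get(acct, set()):
            continue  # previously verified device: outside this rule's scope
        hv = sorted((o for o in orders if o["category"] in HIGH_VALUE_CATEGORIES),
                    key=lambda o: o["ts"])
        # Sliding window anchored at each high-value order in turn
        for i, first in enumerate(hv):
            burst = [o for o in hv[i:] if o["ts"] - first["ts"] <= WINDOW]
            total = sum(o["amount"] for o in burst)
            if len(burst) >= MIN_ORDERS and total >= MIN_TOTAL_RUB:
                alerts.append({
                    "acct": acct,
                    "device": device,
                    "orders": len(burst),
                    "total_rub": total,
                    "window_start": first["ts"].isoformat(),
                    "action": "hold for step-up verification",
                })
                break  # one alert per pair is enough to trigger review
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_orders(SAMPLE_LOG, KNOWN_DEVICES):
        print(alert)
```

In the constructed log only account u200 trips the rule: its orders come from a device the account never verified and four electronics purchases arrive within six minutes. Account u300 buys the same category at similar prices but from its bound device and a day apart, so it is left alone; that is the point of pairing the burst rule with device binding rather than alerting on value alone.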
Wildberries’ success in blocking 99.9% of fraudulent transactions demonstrates the effectiveness of machine learning in real-time fraud detection. However, the attackers’ shift toward emotionally manipulative lures (e.g., death hoaxes) indicates evolving social engineering tactics that require updated defensive measures.
References
- [1] “Wildberries and Russ stopped a fraud scheme involving the distribution of malicious attachments” (original: “Wildberries и Russ пресекла мошенническую схему с рассылкой вредоносных вложений”), Forbes Russia, 2025.
- [2] “Wildberries prevented theft of 15 million rubles by blocking malicious files” (original: “Wildberries предотвратила хищения на 15 млн рублей через блокировку вредоносных файлов”), TASS, 2025.
- [3] “Attacks on Wildberries halved after new filters were introduced” (original: “Атаки на Wildberries сократились вдвое после внедрения новых фильтров”), RIA Novosti, 2025.
- [4] “Fraudsters are sending out fake obituaries carrying viruses” (original: “Мошенники рассылают фальшивые некрологи с вирусами”), RBC Life, 2025.
- [5] “The Interior Ministry warned of new schemes using fake videos in Telegram” (original: “МВД предупредило о новых схемах с поддельными видео в Telegram”), RBC Life, 2025.