By: Cofense Intelligence
Subject customization is a widely utilized tactic in targeted malware-delivery phishing campaigns, designed to deceive recipients by making emails appear more authentic and trustworthy. Like credential-phishing attempts, attackers craft personalized subject lines, attachment names, and embedded links to create a sense of familiarity or urgency, increasing the likelihood that the recipient engages within the email. This strategy is not limited to the subject line; it is often extended to the email attachments, links, and message body. By including customized elements attackers aim to increase the likelihood of a successful compromise. Subject redaction is Cofense Intelligence’s way of removing any personal information (PII) from the email before publishing the IOCs to the ThreatHQ platform. This allows the IOCs to be shared without risking publishing any PII. With data pulled from Q3 of 2023 to Q3 of 2024, we’ve identified the top targeted themes, connections between malware types and download file redaction, and any attachment trends that we see within the email themes, including subject customization and subject-redacted samples.
Figure 1: Finance-themed email with subject customization using the recipient's company which delivers ConnectWise RAT via an embedded URL
Key Points
- Subject customization is widely used in targeted malware phishing campaigns to make the email appear more authentic and increase the chances of the malicious payload being run.
- When combined with Remote Access Trojans (RATs) or Information Stealers, threat actors can easily obtain remote access or credentials to be sold as brokered access to ransomware operators, causing larger damage within an organization.
- Travel Assistance, Response, Finance, Taxes, and Notification-themed emails are the most commonly used email campaign themes that use subject customization tactics.
- When jRAT or Remcos RAT is delivered, and the downloaded file name has been customized, the emails will almost always be Finance-themed.
- Remcos RAT was the malware family most frequently associated with emails that had customized subjects or attachments.
Top Five Malware-Delivery Themes Utilized by Threat Actors
Cofense Intelligence has uncovered the most prevalent themes associated with malware-delivery emails where subject customization was included. These themes include categories such as Travel Assistance, Response, Finance, Taxes, and Notification.
Figure 2: Top five utilized themes for malware delivery emails with customized subjects.
Travel Assistance
Travel Assistance-themed emails are the most common type of email theme that contains subject customization. In fact, 36.78% of all malware delivery emails that required information to be redacted from the subject fell under this theme. Given the typical nature of Travel Assistance emails, it’s common for recipients to expect personalized messages related to upcoming reservations. Travel Assistance-themed emails that contain subject customization most commonly include Vidar Stealer. Vidar Stealer is an Information Stealer that Cofense first saw in significant volumes around 2019, which can collect a range of personal data such as login credentials, banking information, crypto wallet information, and even browser cookies and data. Vidar Stealers can also download and execute additional malware. This theme saw the highest number of subjects requiring subject redaction in Q4 of 2023 and the lowest volume in Q3 of 2024. This is possibly a result of the increase in traveling that occurs in Q4 due to the numerous holidays that occur from October to December.
Table 1: Examples of customized subjects under the Travel Assistance theme.
Selected Subject | Active Threat Report |
Reservations For <recipient name or identifiable information> | |
Re: A sua estadia no Hotel <recipient name or identifiable information> Lisboa // 4288287283 | |
Re: Greetings from <recipient name or identifiable information> Seoul! 39854103 | |
<recipient name or identifiable information> Stay |
Response
Response-themed emails are defined as emails that are a direct reply to another email. Response is a top-targeted theme when it comes to the inclusion of personally identifiable information within the subject of an email. We noticed that 30.58% of the malware delivery emails where information in the subject needed to be redacted were classified under the Response-theme. The common subjects requiring redaction were based on Equipment/Uniform Orders and Meeting Cancellations. Cofense Intelligence has identified that Response-themed emails most frequently contain PikaBot. PikaBot is a malware family that was first noticed in high numbers in 2023, it delivers additional malware while containing multiple techniques to avoid sandboxes and virtual machines. The Response-themed emails with subject redaction saw its peaks in Q4 of 2023 and declines down into Q1.
Table 2: Examples of customized subjects under the Response theme.
Selected Subjects | Active Threat Report |
Re: <recipient name or identifiable information> 2012 Coaches: Uniforms | |
RE: [EXTERNAL] RE: 01.01.2022 - INTL - <recipient name or identifiable information> - Class GG2C - $15M | |
Re: Canceled: <recipient name or identifiable information> Staffing Construction coordination call | |
Re: <recipient name or identifiable information> Meeting - Tuesday 11th No |
Finance
Finance is the third most commonly seen theme when it comes to the inclusion of PII within the subject of emails. Cofense Intelligence has seen that 21.90% of all malware delivery emails where subject redaction took place the theme of the email was Finance. This tactic fits the common layout of Finance themed emails as it is typical for these emails to include PII within contracts, agreements, and any communication around orders. jRAT is the most common malware family for the Finance-theme subject redacted emails, jRAT is a cross-platform Remote Access Trojan (RAT) that is written in Java which allows threat actors to run on different operation systems, this allows attackers to carry out a wide range of attacks. 9.43% of all Finance themed malware delivery emails where subject redaction was required included a PDF as an attachment. These subject customized emails have seen a volume increase in Q1 of 2024 steadily rising through Q3 of 2024. The lowest volume points for this theme were in Q4 of 2023.
Table 3: Examples of customized subjects under the Finance-theme.
Selected Subjects | Active Threat Report |
<recipient name or identifiable information> Energy -PO- 216238068 | |
<recipient name or identifiable information> Tender: AEME-19-2023 - <recipient name or identifiable information> Industrial Area Fit-Out Project | |
OFFER <recipient name or identifiable information> | |
<recipient name or identifiable information>_DOC#024_ |
Taxes
Taxes are a targeted theme for malware emails that need information redacted from the subject. 3.72% of all malware emails where subject customization took place fell under the theme of Taxes. This fits the normal layout of tax-related emails as they tend to contain some type of personal information within the subject of the email that relates to the designated recipient. Remcos RAT is the most common malware associated with this theme. Remcos RAT is a RAT that is usually seen hosted on a file sharing platform that contains password protected downloadable archives. The use of password protection on the archive is to increase the chance of Secure Email Gateway (SEG) bypass, Remcos RAT will generally run keyloggers, exfiltrate files, or run other malware. Tax-themed emails started rising in volume in Q2 of 2024 and remained consistent in Q3 of 2024 as well. The lowest volume points were observed in Q3 of 2023.
Table 4: Examples of customized subjects under the Taxes theme.
Selected Subjects | Active Threat Report |
<recipient name or identifiable information> - Tax Invoice_21926247-1 | |
Fwd: –ö–µ—Ä—ñ–≤–Ω–∏–∫—É: <recipient name or identifiable information> –£–∫—Ä–∞–∏–Ω–∞, –ü–ò–ò, –û–û–û –≤—ñ–¥: –î–ü–Ü —É –°–æ–ª–æ–º'—è–Ω—Å—å–∫–æ–º—É —Ä–∞–π–æ–Ω—ñ –ì–£ –î–ü–° —É –º. –ö–∏—î–≤—ñ | |
<recipient name or identifiable information> | |
税 务 通 知:<recipient name or identifiable information>(天津)石油有限公司 |
Notification
Notification is another targeted theme that included malware-delivery emails that needed information redacted from the subject. 3.72% of all malware emails where subject customization took place fell under the theme of Notification. The identified samples include “Urgent requests” and “ticket updates”. Notification-themed emails did not have one malware type that was more common than others as the top two were WSH RAT and jRAT. 22% of all Notification themed subject redacted emails contained an HTML file that included an embedded link that then downloaded malware, in these cases it was WSH RAT. Notification-themed subject redacted emails noticed a high volume in Q2 of 2024 and a downturn in Q3 of 2024.
Table 5: Examples of customized subjects under the Notification theme.
Selected Subjects | Active Threat Report |
Notification - <recipient name or identifiable information> | |
IMPORTANTE_CITYLAB_GROUP, C.A. <recipient name or identifiable information> | |
S/REF: C-230170, <recipient name or identifiable information>: 0000316/2024; J.3 Monitor | 368694 |
Ticket <recipient name or identifiable information>/345490 |
Connection Between Malware Type and Download Name Redaction
Cofense Intelligence has observed the connection between malware type and redaction in the names of the downloaded files. There is a correlation that whenever jRAT or Remcos RAT is the malware type and the downloaded file name has a redacted name, the emails will almost always be Finance-themed. jRAT accounts for 20% of the emails where it included PII in the downloaded file name. This is one of the only malware types where redaction took place in the downloaded file names. All of the jRAT malware delivery emails where redaction was needed had PII in the downloaded file name. An example of this would be ATR 373515, which mentions a Finance-based theme, but the downloaded file names contained PII and mentioned a payment summary PDF. This correlation confirms that when threat actors use jRAT in malware-delivery emails, part of their tactic is to personalize the downloaded file's name to increase success.
Remcos RAT accounts for 26.7% of the malware-delivery emails with information redacted from the downloaded file name. Similar to jRAT, these finance-themed emails will also include PII within the subject. An example of this occurring is ATR 370454, in this example, both the subject and file name required redaction of PII. These emails are mainly part of two themes, Finance followed by Taxes, and contain download file names such as “<recipient name or identifiable information> TAX DOCUMENTS.zip” and “BOQ_47864594_<recipient name or identifiable information> Project_2024_05_13.cmd”.
Predictions
While customized subject lines are not used in all malware email samples, it is a strong tactic to make the recipient feel a higher sense of urgency that may lead to a successful infection. Particularly targeted emails delivering RATs or Information Stealers can be notable for potentially providing remote access or login credentials that can be brokered to ransomware threat actors. Coveware’s recent ransomware attack vectors trend analysis showed that the vast majority of ransomware threats in Q2 2025 had initial access from either remote access compromise or phishing. While there are ongoing international law enforcement actions disrupting ransomware and other malware threat actor groups, brokered initial access remains an important part of the attack chain that cannot be disrupted as easily.