ESET reported that the TorrentLocker ransomware campaign expanded from Australia into the United Kingdom by sending spam emails that directed recipients to fake Royal Mail parcel-tracking pages. Those sites served a ZIP archive containing the malware to visitors with UK IP addresses, while users outside the UK were redirected to Google, indicating deliberate geographic targeting. Researchers identified three newly registered domains tied to the operation and said the campaign had begun only recently.
Once launched, TorrentLocker encrypted victims’ documents and demanded 350 GBP within 72 hours, rising to 700 GBP after the deadline, with payment required in Bitcoin through Tor-hosted infrastructure exposed via Tor2Web links. ESET said it traced payments from campaign-specific Bitcoin wallets to another wallet previously linked to scams including wallet theft and fake mining hardware sales, suggesting overlap with broader criminal activity. The company said its products detect the malware as Win32/Filecoder.NCC or Win32/Injector.

2 events from the most recent confirmed update back to the earliest known activity.
ESET documented three newly registered domains hosting the fake Royal Mail pages and reported that the campaign had started very recently. The researchers also traced campaign Bitcoin wallets to another wallet previously linked to scams including wallet theft and fake mining hardware sales.
A TorrentLocker ransomware campaign began targeting UK users using spam emails themed as Royal Mail package-tracking notices. The operation used fake Royal Mail webpages that served a ZIP archive containing the malware only to visitors with UK IP addresses, while redirecting others to Google.